Protecting your privacy is very important to us. We carry out all data processing procedures (such as collection, processing and transmission) in accordance with European and German data protection law.
This Policy provides an overview of what data is requested by our website, in what way this data is used and transferred, how you can request information about the data provided to us and what security measures we use to protect your data.
1. Who is your contact (controller) for data protection issues?
The controller in terms of data protection law for all data processing procedures which take place via our website is:
Kümmel & Co. GmbH
Telephone: +49 9321 38 78 0
Fax: +49 9321 38 78 33
Data Protection Officer:
Data Protection Officer c/o Kümmel & Co. GmbH, Lochweg 19, 97318 Kitzingen, Germany
Please send any questions regarding data protection and asserting your rights (see below) to the above address for the attention of the Data Protection Officer.
2. What data do we require from you in order to use our website? What data is collected and stored during use?
Personal data is all information which relates to an identified or identifiable natural person (“data subject”), such as your name, address, telephone number, date of birth, bank details and IP address.
We only collect and use the personal data of our users to the extent this is required to provide a functional website and the content and services of our website. Personal data of our users is only collected and used with the user’s consent. An exception is made in cases where it is not possible to obtain prior consent for factual reasons and the data processing is permitted by law.
The following data is logged solely for internal system-related and statistical purposes (usage data) when using our website:
1. Information about the browser type and the version used
2. The user's operating system
3. The user's Internet Service Provider
4. The user's IP address
5. Date and time of the request
6. The website visited before our website
7. The websites that the user's system entered via our website.
The data is stored in our system as log files. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Article 6 (1) (f) General Data Protection Regulation (GDPR).
It is necessary for the system to temporarily store the IP address to enable the website to be displayed on the user's computer. To do so the user’s IP address must remain stored for the duration of the session.
Log files are stored to ensure the functionality of the website. In addition the data serves to optimise the website and ensures the security of our IT systems. The data is not evaluated for marketing purposes.
These purposes also form the basis of our legitimate interest for data processing in accordance with Article 6 (1) (f) GDPR.
Data is erased when it is no longer required to fulfil the purpose for which it was collected. If data has been collected to display the website this is the case at the end of the respective session.
If data has been stored in log files it is erased after seven days at the latest. Further storage is possible. In this case the user’s IP address is erased or distorted so that assigning the requesting client is no longer possible.
Collecting data to display the website and storing data in log files is absolutely necessary to operate the website. The user may not object to such processing.
Users are able to provide personal data in order to register on our website. Data is entered in the entry fields and transmitted to and stored by us. This data is not forwarded to third parties. The following data is processed as part of the registration process:
• First name and surname
• Email address
• Telephone number (optional)
• Full address
• The user's school (only Phorms)
The following data is stored when you register:
• Date and time of registration
• The user's IP address
The legal basis for the processing of data with the user’s consent is Article 6 (1) (a) GDPR.
If registration is carried out for the performance of a contract entered into with the user or to take steps prior to entering into a contract the additional legal basis for processing is Article 6 (1) (b) GDPR.
Registration by a user is necessary for the performance of a contract entered into with the user or to take steps prior to entering into a contract.
Data is erased when it is no longer required to fulfil the purpose for which it was collected.
For the registration process to perform a contract or to take steps prior to entering into a contract, this is the case when the data is no longer required for the performance of the contract. After the conclusion of the contract it may be necessary to store the personal data of the contractual partner in order to comply with contractual or legal obligations.
Users may de-register at any time by sending an email to firstname.lastname@example.org requesting this. You may make changes to the data saved about yourself at any time.
If data is necessary for the performance of a contract or to take steps prior to entering into a contract it is only possible to erase data prematurely if there are no contractual or legal obligations which oppose such an erasure.
3. How and for what purpose is my data used and, if applicable, disclosed to third parties?
Your personal data provided by yourself is used to answer your queries, process your orders in our online shop and for the technical administration of our website.
Your personal data is only disclosed, sold or otherwise transferred to third parties if such disclosure is required for the purpose of processing the contract, for accounting purposes or to collect payment, (for example shipping companies and payment providers) or you have given your express consent. In addition we are entitled to disclose personal data for debt collection purposes and reserve the right to exchange data with credit information agencies (e.g. Schufa); this is only carried out if the legal requirements for such an action have been met.
The legal basis for the disclosure of data to third parties for the purpose of processing the contract or for accounting purposes is Article 6 (1) (b) GDPR.
Payment processing by Payone
To process payments in our online shop we use the payment system of an external payment provider, PAYONE GmbH, Fraunhoferstraße 2-4, 24118 Kiel, Germany (hereinafter referred to as “PAYONE”). If you wish to pay by credit card, a technical interface will automatically establish a connection to the online payment system of PAYONE. The payment details entered by you are transmitted over an encrypted connection to PAYONE solely for the purpose of processing the payment and are stored and processed there. Data is likewise solely processed for the aforementioned purpose of processing the payment for your order where the payment details must be forwarded from PAYONE, if applicable, to the bank specified by you in your order to initiate and authorise the payment transaction.
Payment by immediate bank transfer
We are able to offer payment by immediate bank transfer (the “SOFORT” option) in conjunction with SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany. During your order the personal data you provided as part of the order will be transmitted to SOFORT GmbH via a technical interface for the purpose of processing the payment. After the offer has been submitted you will automatically be forwarded to SOFORT GmbH’s payment page. The further processing of the transaction with your bank will take place via SOFORT GmbH. SOFORT GmbH is acting as a technical service provider here, who encrypts and transmits the data you entered on the secure payment page to your bank. Further information about data protection relating to immediate bank transfers can be found on the website of SOFORT GmbH here.
Payment Processing by paydirekt
In our online shop you can also pay using the payment service paydirekt. If you decide to use paydirekt as your payment method the payment is processed by the payment service provider paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main, Germany. When paying by paydirekt the payment data (e.g. payment amount, information about the recipient of the payment) as well as confirmation from the user whether the payment data is correct will be collected and processed by paydirekt GmbH to process the paydirekt payment and transferred to the bank.
paydirekt GmbH collects and stores the transaction data for paydirekt payments. The transaction data includes the transaction reference and the transaction ID as well as information about the basket paydirekt GmbH received from the retailer, provided this is supported. Transaction data is transferred from paydirekt GmbH to the bank to process refunds. Data is also only processed for the aforementioned purpose of processing the payment for your order.
Disclosure prescribed by law
Please note that in individual cases we are permitted to disclose data upon request by the responsible public bodies provided it is required for the purpose of law enforcement, hazard prevention by the police authorities of the state, to fulfil the statutory tasks of federal and state authorities in defence of the constitution, the Federal Intelligence Agency or military counter intelligence, or to enforce intellectual property rights.
4. What security measures have been taken to protect your data?
We have implemented many security measures in order to adequately protect your personal data to a reasonable extent.
Our web pages use the industry-standard SSL encryption technology when collecting and transferring data. Personal data transferred as part of the order process is transferred using SSL encryption which can be recognised by the padlock symbol in your browser and the prefix “https://” on the web address.
Your password to access our website must never be shared with third parties and it should be changed regularly. Furthermore you should not choose the same password to access our website that you use to access other password protected websites (email account, online banking etc.). When you leave our website you should log out and close your browser in order to avoid unauthorised users gaining access to your user account.
We cannot guarantee the complete security of data sent by email.
We use transient cookies on our websites.
Transient cookies are automatically deleted when the browser is closed. These include, in particular, session cookies. These save a so-called session ID which assigns the various requests of your browser to the collective session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.
We use transient cookies to improve the user-friendliness of our website. Some elements of our website require that your browser is able to be identified even after changing pages. The following data is stored and transmitted in cookies:
1. Language settings
2. Items in your basket
4. Session ID of the user
5. Most recently viewed categories and products
6. Wish list
7. Compared products
The data is not stored together with other personal data of the user.
You can decide yourself whether to accept cookies. By changing your browser settings you can choose to accept cookies, to be notified when cookies are placed or to reject cookies (this can normally be found under “Options” or “Settings” in the browser’s menu). Cookies that have already been stored may be erased at any time. This can also happen automatically. If cookies are deactivated for our website this may mean that you are no longer able to fully use all the functions of the website.
The legal basis for processing personal data using technically necessary transient cookies is Article 6 (1) (f) General Data Protection Regulation (GDPR).
The user data collected by transient cookies is not used to create user profiles.
Persistent cookies, in particular analysis cookies, are used for the purpose of improving the quality of our website and its contents. These analysis cookies show us how the website is used and therefore allow us to continually optimise the services we provide. These purposes also form the basis of our legitimate interest for processing personal data in accordance with Article 6 (1) (f) GDPR.
6. Use of services for marketing and analysis purposes
We do not use any services for marketing and analysis purposes in addition to the technically necessary session cookies.
7. You receive email marketing (e.g. an email newsletter) from us. What does this mean for you?
We use the email marketing service Sendinblue provided by Sendinblue GmbH (formerly Newsletter2Go GmbH), Köpenicker Str. 126, 10179 Berlin, Germany (“Sendinblue”) to send email messages to our customers. The data stated below is processed by Sendinblue on our behalf and stored on the Sendinblue's servers in Germany for this purpose. Sendinblue solely uses your data to send and analyse email marketing.
The following data entered into the respective entry fields is used to send marketing emails.
- Email address
When you purchase goods or services on our website and in doing so provide us with your email address, this may be subsequently used by us to send marketing emails via our service provider Sendinblue. In this case only direct marketing promoting our similar goods or services will be sent via these marketing emails.
The legal basis for processing data by Sendinblue after registering for marketing emails is your consent granted by you in accordance with Article 6 (1) (a) in conjunction with Article 7 GDPR.
The legal basis for sending marketing emails as a result of purchasing goods or services is Article 7 (3) German Competition Act (UWG).
The data is erased when it is no longer required to fulfil the purpose for which it was collected. The user’s data collected to send emails is therefore stored for as long as your subscription to marketing emails is active, with the exception of your email address, which will be added to our blacklist after you unsubscribe from marketing emails. In this case processing your email address is justified under Article 6 (1) (f) GDPR and the legitimate interest for this processing is based on protecting your interest in no longer receiving any further marketing emails from us. Your email address is therefore not erased, but rather its processing is restricted in accordance with Article 18 GDPR.
Further information (only available in German) is available at: https://de.sendinblue.com/informationen-newsletter-empfaenger/
Withdrawal of Consent
The subscription for marketing emails may be cancelled by the user at any time. There is a corresponding link for this in every email which can be used to cancel the subscription.
Withdrawing consent does not affect the lawfulness of any data processing activities based on your consent before its withdrawal.
8. Rights of the data subject
If your personal data is processed you are a data subject in terms of the General Data Protection Regulation and you have the following rights against the controller:
Access, rectification, restriction of processing and erasure
You have the right to access your personal data saved by us free of charge at any time, to be informed of the origin and recipients, and the purpose for which your data is processed via our website. In addition you have the right to require the rectification, erasure and restriction of processing of your personal data if the legal requirements for such an action have been met.
Right to data portability
You have the right to receive the personal data concerning yourself that you have provided to us as the controller in a structured, commonly used and machine-readable format. We can comply with this right by providing you with a csv export of your processed customer data.
Right to information
If you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obligated to inform all recipients to whom your personal data was disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or would involve disproportionate expenditure.
You have the right to be informed of these recipients by the controller.
Right of withdrawal
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is carried out on the basis of Article 6 (1) (e) or (f) GDPR.
The controller will no longer process your personal data, unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
If your personal data is processed for the purposes of direct marketing you have the right to object at any time to the processing of your personal data for the purpose of such marketing.
If you object to processing for the purpose of direct marketing your personal data will no longer be processed for this purpose.
Withdrawing Declarations of Consent Given Under Data Protection Law
You also may also withdraw your previously given consent with effect for the future at any time by contacting us using the contact details below. Withdrawing consent does not affect the lawfulness of any data processing activities based on your consent before its withdrawal.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
As at June 2020