(version 1.0 of 04.06.2018)
As of 25th May 2018, the General Data Protection Regulation (GDPR) applies throughout the EU: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Table of contents
1.1. Name and contact of the controller as well as the data protection officer
2. Purposes of processing personal data, legal justifications and legitimate interests of Thomas Spang or third parties as well as categories of recipients
2.1. Visiting our website
3. Online performance and Website optimization
3.1. Google Analytics
4.1. Further purposes
4.1.1. Use of the contact form
5. Recipients outside of the EU
6. Your rights
7.1. Right to object
8. Data security
This document describes the type and extent of the processing of personal data by us. Personal data is information that can be directly or indirectly linked to a specific person.
Data processing by Thomas Spang can basically be separated into three categories:
- We process your personal data, which is necessary to fulfill contractual obligations. In case service providers are needed to fulfill contractual obligations, e. g. logistics companies or payment service providers, we share your personal data with our third party service providers as required. Furthermore, we share your personal data with our tax accountant to fulfill legal obligations.
- The data collected to process the contract is also used to inform you from time to time about new offers and campaigns. If you are a regular customer, we use your e-mail address for customer satisfaction surveys relating to your previous purchase.
- When you use the website of Thomas Spang, various information is exchanged between your device and our server. This information might include personal data. We may use your personal data to optimize our website or to display advertising in the browser of your device.
Under the GDPR you have various rights that you can assert, e. g. to object to the processing of personal data, mainly for commercial purposes.
1.1 Name and contact of the controller as well as the data protection officer
2. Purposes of processing personal data, legal justifications and legitimate interests of Thomas Spang or third parties as well as categories of recipients
2.1. Visiting our website
When you visit our website, the browser of your device sends information to the server of our website, which stores it in so-called server log files. We have no influence on this process. The following data are recorded and stored until automated erasure:
- IP address,
- Date and time of access,
- Name and URL of retrieved data,
- Referring website (referrer URL),
- Used browser and, if applicable, the system software as well as the name of your Access Provider.
The legal basis for processing the IP address is article 6, no. 1, section f) GDPR. Our legitimate interests result from the purposes listed below. For your information, we cannot directly identify you based on the processed data.
The IP address of your device as well as the data listed above are used for the following purposes:
- Verification of an unobstructed data connection,
- Verification of a comfortable use of our website,
- Analysis of system safety and stability.
In case your browser or other settings of your device use so-called geolocation, we use this function to be able to offer you special services based on your position, that is, language presets. This data is used solely for those functions. After finishing, your data will be erased.
3. Order processing
3.1 Data processing when placing an order
The core business of Thomas Spang is the distance selling of products. To process and fulfill your order, we use the following data:
- Name, Surname
- Invoice and delivery address
- Invoice and payment data
- Date of birth, if applicable
- Telephone number, if applicable
The legal basis for processing the above-mentioned data is article 6, no. 1, section b) GDPR. That means you provide us with your personal data based on the contractual relationship. Furthermore, we use your e-mail address to send you an electronic order confirmation (art. 6 no. 1 section c) GDPR). This obligation results from the Civil Law Code (BGB).
If we do not use your contact data for commercial purposes (please see section 4), we store your data until the expiration of any legal or possible contractual warranty and guarantee rights. After expiration of this time period, we store the requested data in accordance with commercial and tax law. Within this time period (as a rule ten years after conclusion of contract), your data will be processed only in case of an audit by the finance administration.
In order to fulfill the purchase contract, the following data processing is necessary:
Data regarding your delivery address and your e-mail address are passed on to logistics service providers engaged by us. Only in case of shipment by haulage do we pass on your telephone number and, if applicable, your e-mail address to the logistics service provider engaged by us, in order to make sure that the delivery is carried out according to your request.
3.1.1. Identity, fraud checks and transmission to credit agencies
If necessary, we check your identity or creditworthiness by using information from service providers or credit agencies. For this purpose we transfer the following data to the corresponding service provider or credit agency: name, address. The legal basis for processing the above-mentioned data is article 6, no. 1, section b) and section f) GDPR. We are entitled to do so to protect your identity as well as to prevent fraud attempts at our expense. The circumstances as well as the result of our query are stored in your user account for the duration of our contractual relationship.
Furthermore, the payment service provider might carry out a fraud check, depending on the chosen payment method.
4. Data processing for commercial purposes
The following information refers to data processing for commercial purposes. Based on article 6 no. 1 section f) GDPR, such data processing is basically possible and represents a legitimate purpose. The time period for such data storage is not fixed and depends on how long a commercial contact is necessary.
Furthermore, Thomas Spang follows its principle of erasing data for commercial purposes after a time period of 6 months. If you are a regular customer, we use your e-mail address for customer satisfaction surveys related to your previous sale. For how to proceed in case of objection, please read section 4.2.
4.1. Advertising according to your interests
In order to provide you only with commercial information that is of presumed interest to you, we categorize and amend your user profile. We use statistical information as well as information concerning your person (e. g. basic data of your user profile). Our aim is to provide you only with advertising oriented toward your actual and presumed needs.
4.2. Right to object
You have the right to object free of charge at any time to processing of your personal data for the above mentioned purposes, for each communication channel separately and with effect for the future. Just contact us by E-Mail or letter as mentioned in section 2.
If you enter an objection, we block the contact address in question for any further commercial data processing. Please note that in exceptional cases you might temporarily still receive commercial material after your objection. This is due to technical reasons and does not mean that we are not implementing your objection. Thank you very much for your understanding.
On our site you have the option to sign up for a newsletter. In order to make sure that your e-mail address is correct, we use the so-called double opt-in procedure: after you have registered your e-mail address on our site, we send you a confirmation link. Your e-mail address is only added to our mailing list once you have clicked on the confirmation link.
The processing of your electronic data is based solely on your approval (article 6 no. 1 section a GDPR). You can object at any time to the processing of your personal data with effect for the future. Either send an e-mail to the e-mail address mentioned in section 2 or click on the “sign off” button at the end of each newsletter.
5. Online performance and Website optimization
Our website uses so-called cookies in several locations. In case these cookies are related to personal data, their use is based on article 6 no. 1 section f GDPR. Our interest in optimizing our website can be seen as legitimate according to the GDPR.
Cookies are small text files that are stored on your computer and that are saved by your browser when visiting our website. Cookies do not cause any damage to your computer and do not contain viruses. Cookies store information related to your device. However, that does not mean that we directly gain knowledge of your identity. Cookies are used to improve the use of our website for you. We use so-called “session cookies”, e. g. to recognize that you have visited single pages of our website or that you are already logged in to your user account. In case of a repeated visit to our website, your visit is registered automatically as well as your settings, in order to prevent a new entry.
In case you use a user account or activate the function “remain logged”, the information stored in the cookies will be added to your user account.
The storage time of cookies depends on the purpose and varies. Our cookies are stored for different lengths of time. You can find a list of our cookies and their storage times in the settings of your browser.
5.1. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called “cookies”, text files that are stored on the user’s computer and which allow an analysis of the use of the website, based on article 6, no. 1 section f) GDPR. A pseudonymous user profile is created and cookies are used. Information like
- Operating system,
- User’s IP address
is transferred to a Google server in the USA and stored there. This information is used to evaluate the use of the website in order to compile reports on the website activities and to provide other services related to the website usage and the Internet usage for the website operator. This information might be shared with third parties, insofar as there is a legal requirement or it concerns data processors. Under no circumstances will Google associate your IP address with any other Google data. The IP address will be anonymized. This ensures masking of the user’s IP address so that all data is collected anonymously.
You can prevent the storage of the cookies by means of a corresponding setting of your browser software; in this case not all functions of this website may be fully usable.
You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including IP address), as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de
As an alternative to the browser add-on, mainly for browsers on mobile devices, you can prevent Google Analytics from collecting the data by using the link: deactivate Google Analytics. An opt-out cookie is placed, preventing the storage of your data when visiting our website in the future. Please note that this opt-out cookie is only valid for this browser and our website, and is stored on your device. If you erase cookies in your browser, you need to activate the opt-out cookie once more.
5.2. Google AdWords
Use of Google AdWords Conversion Tracking
We use the online advertising program “Google AdWords” and, within Google AdWords, Conversion Tracking. Google Conversion Tracking is the analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
When you click on an advertisement placed by Google, a cookie for Conversion Tracking is stored on your device. This cookie is valid only for 30 days, does not contain any personal data and cannot be used for personal identification. When you visit different pages of our website within the cookie runtime, Google and we register your click on the advertisement and the redirection to our website. Every Google AdWords customer gets a different cookie in order to prevent cookies from being traced via websites of other AdWords customers.
Information collected with the conversion cookie is used to create conversion statistics for AdWords customers who have opted for Conversion Tracking. Customers are informed about the total number of users who have clicked on the advertisement and have been redirected to a website equipped with a Conversion Tracking tag. However, they do not get any information on personal data.
This website uses components of YouTube. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
When you use websites containing such components, a connection is set up to the server of YouTube. YouTube thereby receives the information about which specific page of our website you visit. In case you are logged in to your YouTube account, your surfing behavior on the internet is assigned to your profile. This can be avoided by logging out of your YouTube account.
6.1. User account
In order to provide you the maximum customer service, you have the possibility to store your personal data permanently in a password protected user account.
The registration of a user account is optional. The legal basis for the registration is article 6, no. 1, section b) GDPR. After registration of your user account, repeated data entry is not necessary. Furthermore, you can review and adjust your personal data in your user account at any time. In addition to the data requested in case of an order, you need to enter a self-chosen password for the registration of your user account. Please treat your personal access data as strictly confidential and do not pass them on to third parties. We assume no liability for improperly used passwords, unless we are responsible for the misuse. Please note that you stay logged in, even after leaving our website, unless you actively sign out. You can erase your user account at any time. Please note that all data in your user account are erased at the same time.
6.1. Further purposes
6.1.1. Use of the contact form
When you contact us by e-mail or via our contact form, we store the data provided by you (besides your request also your e-mail address and, where applicable, your name and your telephone number) in order to answer your questions. The legal basis for this is article 6, no. 1 section a GDPR, that is, you provide your data based on your consent. We will of course use the provided data exclusively for contacting you. All data which are not mandatory for contacting you are marked as optional in the contact form. These data help us to specify and better process your query. Insofar as it concerns data regarding communication channels (e. g. e-mail address, telephone number), you also agree that we might contact you via that communication channel to answer your query. You have the right to object free of charge at any time to the processing of your personal data for the above-mentioned purposes with effect for the future. Just contact us by e-mail or letter as mentioned in section 2.
The legality of processing your data based on your consent up to the time of your objection is not affected. However, please note that from the time of a possible objection the processing of your query is no longer possible. If no objection is placed, your data related to your query are erased. In the unlikely event that a legal retention period applies, we store the required data in blocked form (normally for six or ten years), based on article 6 no. 1 section c GDPR in accordance with the corresponding regulation of the fiscal code (cf. § 147 AO) or commercial law (cf. § 257 HGB).
In case of your participation in competitions, we collect the personal data necessary to process the competition. Normally this comprises an individual competition entry (e. g. a comment or photo) as well as name and contact data. Of course, your participation in competitions and the related data collection is optional. Your data will only be used for competition purposes, in order to send you a win notification. The legal basis for the data processing is your consent acc. to article 6 no. 1 section a GDPR. For an objection to your consent, possible at any time, and possible further storage, the aforementioned statements apply.
7. Recipients outside of the EU
With the exception of the data processing mentioned in sections 5.1, 5.2 and 5.3, no personal data is transferred outside of the European Union (EU) or the European Economic Area (EEA).
8. Your rights
Besides your right to object to the consents given to us, you have further rights, based on the respective legal requirements:
- Right of access to personal data acc. to article 15 GDPR; mainly concerning collection purposes, categories of personal data, recipients of categories of your personal data, storage time, origin of your data (if not directly collected from you)
- Right to rectification of incorrect or incomplete data acc. to article 16 GDPR,
- Right to erasure of your stored personal data acc. to article 17 GDPR, as far as neither legal nor contractual retention periods nor further regulations regarding extended storage exist
- Right to restriction of processing of your data acc. to article 18 GDPR, as far as you doubt its correctness; the processing is illegitimate but you oppose its erasure; the controller does not need the data anymore but you need them for the assertion, exercise or defense of legal claims; or you have objected to its processing acc. to article 21 GDPR
- Right to data portability acc. to article 20 GDPR, that is, the right to receive selected personal data stored by us in a common, machine-readable format or to have it transferred to another controller
- Right to lodge a complaint with a supervisory authority. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority, with which the complaint has been lodged, shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to article 78 GDPR.
Right to object
Subject to the conditions of article 21, no. 1 GDPR, you have the right to object to the processing of your personal data for reasons arising from a special situation of the data subject.
9. Data security
All personally transmitted data, including your payment data, are transferred using the commonly used and secure standard SSL (Secure Sockets Layer). SSL is a safe and proven standard, which is e. g. also used for online banking. You can also identify a safe SSL connection by the s after the http (that is, https://…) in the address line of your browser or by the lock icon in the lower area of your browser. Furthermore, we use appropriate technical and organisational measures to protect your stored personal data against manipulation, partial or complete loss, or unauthorized access by third parties. Our safety measures are constantly improved in line with technical development.