Data Protection Declaration
§ 1 Information about the collection of personal data
(1) In the following section, we provide information about the collection of personal data when you use our website. Personal data are all data that refer to you personally, for example your name, address, email addresses and user behaviour. 1
(2) The data controller according to Article 4 Paragraph 7 EU General Data Protection Regulation (GDPR) is [Kreuer Edelstahl GmbH, Markircher Str. 2, 68229 Mannheim, Germany, email: email@example.com] (see our legal notice). [You can reach our data protection officer at [firstname.lastname@example.org] or at our postal address with the addition “The Data Protection Officer”.] 2
(3) When you contact us by email or through a contact form, the information you provide (your email address and, if applicable, your name and telephone number) will be stored by us in order to answer your questions. We delete the data arising in this context once storing it is no longer necessary, or we restrict its processing where statutory retention requirements apply.
(4) If we rely on commissioned service providers for individual functions of our offer or if we would like to use your data for advertising purposes, we will inform you in detail below about the respective processes. In doing so, we will also name the specified criteria for the storage duration.
§ 2 Your Rights
(1) You have the following rights towards us with respect to the personal data concerning you: 3
- Right to information,
- Right to rectification or deletion,
- Right to restriction of processing,
- Right to object to the processing,
- Right to data portability.
(2) You also have the right to complain about the processing of your personal data by us to a data protection supervisory authority.
§ 3 Collection of personal data when visiting our website
(1) In the event of merely informative use of the website, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security (the legal basis is Article 6 Paragraph 1 Sentence 1 letter f GDPR): 4
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- The corresponding amount of data transmitted
- Website from which the request originates
- Operating system and its interface
- Language and version of the browser software.
(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive, assigned to the browser you are using, and through which the entity that places the cookie (here, us) receives certain information. Cookies cannot run programs or transmit viruses to your computer. They serve to make the internet offering more user-friendly and effective overall.
- a) This website uses the following types of cookies, the scope and mode of operation of which are explained below:
  - Transient cookies (see b)
  - Persistent cookies (see c)
- b) Transient cookies are automatically deleted when you close the browser. These include, in particular, the session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to a common session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.
- c) Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time.
- d) You can configure your browser settings according to your wishes and, for example, refuse third-party cookies or all cookies. Please be aware that you may then not be able to use all features of this site.
- e) [The Flash cookies used are not recognised by your browser, but by your Flash plug-in. Furthermore, we use HTML5 storage objects, which are stored on your device. These objects store the required data regardless of your browser and have no automatic expiration date. If you do not want Flash cookies to be processed, you will need to install an add-on such as, for example, "Better Privacy" for Mozilla Firefox (or the Adobe Flash killer cookie for Google Chrome). You can prevent the use of HTML5 storage objects by using the private mode of your browser. In addition, we recommend that you regularly delete your cookies and the browser history manually.] 6
Paragraph 1. Introduction. A definition of personal data (see for example Kühling/Buchner/Klar/Kühling, GDPR, Article 4 Paragraph 3 et seq.) does not have to be included in the Data Protection Declaration, but it makes it easier for non-lawyers to understand the meaning of this Data Protection Declaration. A formulation such as "We take the protection of your data very seriously" should be avoided, since such a statement usually appears to be a (hollow) cliché.
The GDPR applies in principle to any kind of processing of personal data, so that the former demarcation between the German Federal Data Protection Act (BDSG) (old version), the German Telemedia Act (TMG) (old version) and the German Telecommunications Act (TKG) (old version) becomes barely relevant (see, for example, Kremer, CR 2012, 438 (440 f.)). According to Article 95 GDPR, the ePrivacy Directive or, in future, the ePrivacy Regulation (as lex specialis) must be given priority for all "publicly accessible electronic communications services". According to this, the GDPR should impose no additional obligations compared to the current Directive or the future Regulation, so that a lower level of protection under the GDPR than that provided for by the ePrivacy Directive / ePrivacy Regulation would also apply. In this respect, (internet) communication services, so-called over-the-top services (OTT), should also be judged by the GDPR. This covers long-distance communication services such as webmail, instant messenger and internet telephony services. As far as the ePrivacy Directive provides for special rules, these must be given priority. This is convincing for the general regulations, such as the data subjects' rights of access under the GDPR, as long as the special norms do not regulate equivalent rules (Kühling/Buchner/Kühling/Raab, Article 95 Paragraphs 2 and 5 et seq.). For example, stipulations of the ePrivacy Directive should only be applied if specific provisions are also applicable to the situations regulated in the GDPR. The processing of traffic and location data is also to take place on the basis of the GDPR, insofar as the ePrivacy Regulation does not make explicit provisions (Ehmann/Selmayr/Klabunde/Selmayr, GDPR, Article 95 Paragraph 16 et seq.). Adjustments may become necessary with the entry into force of the ePrivacy Regulation (see also Recital 173 GDPR).
Paragraph 2. Contact details of the data controller. The data subjects must be provided with a means of contact. Therefore, Article 13 Paragraph 1 letter a GDPR demands the name and "contact details" of the data controller. The name must be given in full and, in the case of legal persons, the company name must also be given. The contact details must include at least one deliverable postal address. The view that contact must be possible without a change of medium is convincing, so that an email address or an easy-to-use contact form should be provided for websites (Kühling/Buchner/Bäcker, GDPR, Article 13 Paragraph 22).
Furthermore, as per Article 13 Paragraph 1 letter b GDPR, the contact details of the data protection officer must be provided, if one has been appointed. The name does not have to be specified. It is sufficient to mention generically named data, as shown by way of example in the model (Article 29 Working Party, Working Paper 243, p. 12 f., on Article 37 Paragraph 7 GDPR; the assessment can be transferred, however, because "contact details" is used in identical wording; differing view: Kühling/Buchner/Bäcker, GDPR, Article 13 Paragraph 23). Setting up a specially designated data protection email address separates all data protection enquiries from other emails and makes it possible to adhere to the strict deadlines of Article 12 GDPR. If a representative in the European Union is appointed in accordance with Article 27 GDPR, they must also be named.
By linking to the Legal Notice (§ 5 German Telemedia Act (TMG); see for example Oelschlägel in: Oelschlägel/Scholz (ed.), Rechtshandbuch Onlineshop, p. 11 et seq.), the Data Protection Declaration is kept from becoming unnecessarily extensive at this point. On the other hand, including the information directly in the Data Protection Declaration has the advantage that it avoids any discussion about whether the information was properly accessible from the outset. In the case of linking, it is essential to make sure that the link always leads to the right destination and is always available.
Paragraph 3. Identification of the rights of data subjects. The obligation to provide information is stated in Article 13 Paragraph 2 letter b GDPR. The standard expressly states that only information about "the existence" of the rights must be provided. Further explanations of the contents of the rights are not required, but are optional. Since the extensive information requirements usually lead to very long Data Protection Declarations, the present, rather short variant has been chosen here.
Paragraph 4. Regularly processed personal data. The list in the model enumerates the data usually provided by the data subject to the data controller. The information results from a log file line, which in the case of the widespread "Apache" web server typically looks like this: 220.127.116.11 - - [20/Dec/2013:00:16:00 +0200] "GET /article.pdf HTTP/1.0" 200 1500 "http://beispiel.de/website/" "Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6)". In any case, it is technically necessary to specify an IP address to ensure that the page can be displayed at all. Detailed information on the technical data collected: http://httpd.apache.org/docs/2.2/logs.html; Stiemerling/Lachenmann, ZD 2014, 133.
It can still be read in many Data Protection Declarations that no personal data would be collected in the event of informational use. Such a wording is flawed, since, at the latest since the judgement of the European Court of Justice in the matter of Breyer, a piece of data that is pseudonymous for the data controller must be considered to be personal data (ECJ, judgement of 19/10/2016, C-582/14, ZD 2017, 24 with note Klar/Kühling; subsequently German Federal Court of Justice (BGH), judgement of 16/5/2017, VI ZR 135/13, MMR 2017, 605 with note Kipker/Kubis; see also for example Moos in: Taeger (ed.), Recht 4.0, p. 211 (211)). Such pseudonyms include, for example, the IP address or a device or browser fingerprint, i.e. the combination of technical metadata such as browser settings, location information, etc. (see for example Karg/Kühn, ZD 2014, 285). In any case, an IP address is personal data if it is merged with other data, for example by providing personal details or account information (German Federal Court of Justice (BGH), judgement of 16/5/2017, VI ZR 135/13, MMR 2017, 605 with note Kipker/Kubis, Paragraph 46; Schleipfer, RDV 2010, 168 (170 f.); for personal reference in big data: Schefzig in: Taeger (ed.), Big Data & Co, p. 103; detailed description of the personal reference in Karg, DuD 2015, 520).
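As an added illustration (not part of the commentary or of the model text), the following Python parses an Apache "combined" log line such as the one quoted in Paragraph 4 and maps each field onto the data categories enumerated in § 3 (1) of the model, so that it is visible which declared category each log field feeds. The User-Agent breakdown is a deliberately simple heuristic of this example, not a general parser, and the second sample line is constructed for the demonstration.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The sample line from the commentary (spacing restored) and one constructed line
# with empty referer and size fields, to show how "-" placeholders are handled.
SAMPLE_LINE = (
    '220.127.116.11 - - [20/Dec/2013:00:16:00 +0200] "GET /article.pdf HTTP/1.0" '
    '200 1500 "http://beispiel.de/website/" "Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6)"'
)
CONSTRUCTED_LINE = '192.0.2.10 - - [01/Jan/2020:12:00:00 +0000] "GET / HTTP/1.1" 304 - "-" "curl/7.68.0"'

# Heuristic (an assumption of this example): the parenthesised token list of a
# Mozilla-style User-Agent carries platform, language and engine version.
UA_PAREN_RE = re.compile(r'\(([^)]*)\)')
LANG_TAG_RE = re.compile(r'^[a-z]{2}(-[A-Z]{2})?$')
OS_PREFIXES = ('Linux', 'Windows', 'Macintosh', 'Android', 'iPhone', 'iPad')


def split_user_agent(user_agent: str) -> Dict[str, Optional[str]]:
    """Extract operating system, language and browser version from a User-Agent."""
    m = UA_PAREN_RE.search(user_agent)
    tokens = [t.strip() for t in m.group(1).split(';')] if m else []
    return {
        'platform': next((t for t in tokens if t.startswith(OS_PREFIXES)), None),
        'language': next((t for t in tokens if LANG_TAG_RE.match(t)), None),
        'version': next((t[3:] for t in tokens if t.startswith('rv:')), None),
    }


def log_line_to_declared_data(line: str) -> Dict[str, object]:
    """Map one combined-format log line onto the § 3 (1) data categories."""
    m = COMBINED_LOG_RE.match(line.strip())
    if m is None:
        raise ValueError('line is not in Apache combined log format')
    ts = datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z')
    request_parts = m['request'].split(' ')
    path = request_parts[1] if len(request_parts) >= 2 else m['request']
    ua = split_user_agent(m['user_agent'])
    return {
        'ip_address': m['host'],                                   # IP address
        'request_time': ts.isoformat(),                            # date and time of the request
        'utc_offset': ts.strftime('%z'),                           # time zone difference to GMT
        'requested_page': path,                                    # content of the request (specific page)
        'http_status': int(m['status']),                           # access status / HTTP status code
        'bytes_transferred': 0 if m['size'] == '-' else int(m['size']),   # amount of data transmitted
        'referring_site': None if m['referer'] == '-' else m['referer'],  # website the request originates from
        'operating_system': ua['platform'],                        # operating system and its interface
        'browser_language': ua['language'],                        # language of the browser software
        'browser_version': ua['version'],                          # version of the browser software
    }


if __name__ == '__main__':
    for line in (SAMPLE_LINE, CONSTRUCTED_LINE):
        for category, value in log_line_to_declared_data(line).items():
            print(f'{category:18s} {value}')
        print()
```

Every field in the returned dictionary is one of the items the model declares, which is why the list in § 3 (1) of the model is not arbitrary: it is the content of a standard access-log record. The IP address and the combination of platform, language and version (a partial browser fingerprint) are the fields the commentary in Paragraph 4 treats as personal data.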
The differentiation between the three main groups mentioned in the Declaration is common and is based on the comments made by the Article 29 Working Party, Working Paper 194 of 7/6/2012. A more detailed subdivision in the Data Protection Declaration does not seem necessary, as the data protection legal particularities are limited to the differentiation described here. The use of persistent cookies is generally prohibited, as they can collect data on a permanent basis, even if this were no longer necessary to perform the purpose. Nevertheless, it is not only session cookies that may be used. The further-reaching cookies are permissible if they are provided with a time limit, for example so that they are automatically deleted two months after being set. If the cookies are not necessary to be able to provide the desired service, the user's consent must be obtained or data protection compliance must be ensured by means of the clauses used in the following sections.
Paragraph 6. Flash cookies and HTML5 storage objects. The Flash cookies and HTML5 storage objects described have significantly more extensive possibilities of user tracking than browser cookies, so that a separate description is necessary where such cookies and objects are used. So far, there are no decisions or publications by the regulatory authorities that comment on how to present their use in detail. The present model attempts to provide sufficient information. However, it is unclear whether this would be considered lawful (on the technology of Flash cookies, for example, Stiemerling/Lachenmann, ZD 2014, 133 (136); for the legal evaluation under the German Federal Data Protection Act (BDSG) old version, Schröder, ZD 2011, 59; on the technology and legal evaluation of HTML5 storage objects, e.g. https://www.w3.org/TR/html5; Dieterich, ZD 2015, 199; Conrad/Dovas/Klatte in: Forgó/Helfrich/Schneider (ed.), Betrieblicher Datenschutz, Chapter 4 Paragraph 85 et seq.).
§ 4 Additional functions and offers of our website
(1) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. To do this, you will generally need to provide other personal data that we use to provide the service and for which the aforementioned data processing principles apply.
(2) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly inspected. 7
(3) Furthermore, we may disclose your personal data to third parties, if sales campaigns, competitions, contracts or similar services are offered by us together with partners. You can receive more information about this when providing your personal data or below in the description of the offer. 8
(4) Insofar as our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you about the consequences of this circumstance in the description of the offer. 9
§ 5 Objection to or revocation of the processing of your data
(1) If you have given your consent to the processing of your data, you can revoke this consent at any time. Such a revocation affects the permissibility of the processing of your personal data from the time you have declared it to us. 10
(2) Insofar as we base the processing of your personal data on the balance of interests, you may file an objection to the processing. This is the case in particular if the processing is not necessary to fulfil a contract with you, as we describe for each function below. In the event of such an objection, we would ask you to explain the reasons why we should not process your personal data as we have done. In the case of a justified objection, we will examine the situation and will either discontinue or adapt the data processing or point out to you our compelling legitimate grounds on which we will continue the processing. 11
(3) Of course, you may object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us about your advertising objection under the following contact details: [all contact details]. 12
Paragraph 7. Data processing by processors. The explanation of the data processing in § 5 of the model refers strictly to the transfer of data to the processor (Auftragsverarbeiter). Although processing on behalf of a controller is part of the processing referred to in Article 4 Paragraph 2 GDPR, Article 28 GDPR leads to the processor not being a third party as per Article 4 Paragraph 10 GDPR. Therefore, the data-receiving processor is not an independent data controller and does not need to be explicitly mentioned to the data subject. Since the processor is treated like an internal body of the data controller and is not considered to be the data controller, the information is not necessary, but it is recommended for clarification (on processing on behalf of a controller see → Form. G.I.).
However, the information may serve to meet the requirements of Article 13 Paragraph 1 letter e GDPR, whereby the categories of recipients must be specified. The present text proposal mentions the service providers as a very abstract category, which is deepened in the further course of the Data Protection Declaration by the description of the individual functions. The note is also included for reasons of transparency, in order to counter the expectation of the data subject that all data would only be processed internally. It is also important that all the requirements of Article 28 GDPR are adhered to, i.e. in particular the careful selection of the service provider, the conclusion of a contract and the regular monitoring of compliance with the requirements. In order to be accountable, internal documentation must be ensured (→ Form. A.I.).
Paragraph 8. Disclosure to third parties. Disclosure of user data to other data controllers (e.g. online marketing providers, financial service providers) is only permitted if a permission as per Article 6 Paragraph 1 Sentence 1 GDPR has been fulfilled and the data subject is informed when their personal data is collected. The information about the third parties as recipients can be found, for example, in the exact description of the functions on the website and in the Data Protection Declaration for the respective functions. It should be linked to the data protection and contract provisions of the third party. The present wording has been kept general and must be supplemented below in the description of the individual functions.
Paragraph 9. Data transfers outside the EEA. For the starting point selected in this model, data collection within Germany, the processing of personal data is unproblematic insofar as it takes place within the EEA. In the case of a transfer to third countries without an adequacy decision by the EU Commission (in the online area, the USA in particular), the data controller must take additional precautions (→ Form. G.VII.).
In addition to securing the transfer of data between the data controller and third parties, the data subject must, in accordance with Article 13 Paragraph 1 letter f GDPR, be informed about the fact of the third-country transfer, as well as about which specific guarantees the data transfer is based upon. It must therefore be stated whether an EU Commission adequacy decision pursuant to Article 45 GDPR exists, whether a suitable guarantee pursuant to Articles 46, 49 GDPR is used or whether an exception according to Article 49 GDPR applies. When using suitable guarantees, it is also necessary to show how a copy of the documents can be obtained. The obligation to provide information can be fulfilled via a link for information that is available online. Otherwise, the data subject must be shown how they can obtain the documents, e.g. via a request to the data protection officer of the data controller (see Kühling/Buchner/Bäcker, GDPR, Article 13 Paragraph 34). Although the obligation to provide information does not refer to the adequacy decision ("or in the case of transfers pursuant to"), information about the "EU-US Privacy Shield" may be provided via a link to create greater user confidence.
Paragraph 10. Notice of revocability of consent. The GDPR provides for different variants as to when a data subject can act against the processing of their personal data. The data subject must be informed about all of these rights. The model covers all relevant information obligations of the GDPR. The data subject should regularly be informed separately about their rights with regard to consent and other data processing.
A consent is only validly granted if it is revocable at any time (Article 7 Paragraph 3 Sentence 1 GDPR) and the data subject has been informed about their option to revoke consent at any time (Article 7 Paragraph 3 Sentence 3 GDPR). To ensure knowledge, the data subject must always be informed of the right to revoke consent in the declaration of consent. Therefore, general information about the revocability of consent should be placed first and then repeated in the concrete consent declarations.
Paragraph 11. Objection to data processing in case of balance of interests. A data subject may at any time object to data processing based on the balance of interests pursuant to Article 6 Paragraph 1 Sentence 1 letter f GDPR, if they can give reasons "arising from their particular situation" (Article 21 Paragraph 1 GDPR). In the case of the informational offer of a website without additional functions, where the data are processed pursuant to Article 6 Paragraph 1 Sentence 1 letter f GDPR, it is not possible for the data subject to object to the processing of their personal data. For any other data processing operation that is based on the balance of interests (e.g. the analysis of the data for advertising purposes), an objection is however fundamentally possible.
The consequence of the right to object is that a data subject can file a justified objection to certain data processing and the data controller may subsequently be exposed to possible claims. It is disputed in the literature under what conditions the data subject can exercise their right of objection: it is sometimes assumed that it is sufficient for the data subject simply to declare that they do not want any data processing, i.e. that no substantive justification is necessary (BeckOK DatenSR/Wolff/Brink/Forgó, Article 21 Paragraph 8). However, this cannot be convincing, since the wording of the law clearly requires a justification based on the personal situation, and this wording was already contained in the Data Protection Directive (DSRL), which set very high requirements for the justification (see Simitis/Dix, German Federal Data Protection Act (BDSG), § 35 Paragraph 58). It is therefore convincing that the data subject has to put forward concrete and serious reasons why the balancing of interests in the contested processing operation is in their favour (e.g. Lachenmann, Datenübermittlung im Konzern, p. 287 f.; Paal/Pauly/Martini, GDPR, Article 21 Paragraph 30 f.).
Regardless of how extensive a justification must be: the data subject must be advised of their right of objection pursuant to Article 21 Paragraph 4 GDPR. For this information, a formulation close to the wording of the law is proposed in order to make it clear to the data subject that they must put forward serious reasons against the processing. The information must be presented "separately from any other information", which is achieved here by giving it its own paragraphs and by the underlining.
Paragraph 12. Objection to direct marketing. In addition to the general right of objection, there is a right to object if the personal data are used for purposes of "direct marketing". Since the GDPR does not define the concept of direct marketing, the information about the possibility of objecting to the use of the data for advertising and analysis purposes should be formulated rather broadly in the Data Protection Declaration.
The duty to inform about the objection to direct marketing follows from Article 21 Paragraphs 2 and 4 GDPR, which demand special emphasis in a form separate from other information, intelligible wording and the provision of the information at the latest at the time of the first communication. These information obligations are fulfilled in § 5 Paragraph 3 of the model. The underlining distinguishes the text from the rest of the explanation. In addition, the text should be in bold and, for example, be highlighted by a border around the section.