Privacy Policy

1 General remarks

Sammelkartenmarkt GmbH & Co. KG collects, processes and uses your personal data in compliance with the strict German and European data protection regulations. Apart from certain particulars required to offer you our services, you may determine yourself which information to provide.

On our website we use, as far as possible, secure transmission technologies, e.g. TLS encryption. However, data transfer on the Internet, especially communication via e-mail, may involve security gaps. Complete protection of data against access by third parties is not possible.

By using the website www.cardmarket.com (hereafter: online platform), but at the latest when registering as a user, you grant your consent to the collection, processing and use of the entered personal data by the Sammelkartenmarkt GmbH & Co. KG as responsible entity on their servers. Please note that the data transmitted by you as part of the use of the website are processed and saved by means of an EDP system. It is understood that we treat your personal data strictly confidentially.

Personal data, i.e. specific data about the personal or factual circumstances of a particular or identifiable natural person, are only collected as far as necessary for the performance of the contract and for the provision of contractual services. The collection of data is carried out exclusively to the extent provided by you.

The processing of personal data may consist in saving, changing, transmitting, blocking and deleting of these data. Any personal data are only saved by us as long as this is necessary for the respective specified purpose or we are obligated by law to save this information.

When you visit our website, information about the access may already be saved on the server (e.g. date, time, pages visited). This data is not considered personal data; it is anonymised, for example name of the Internet provider, type of Internet browser, pages visited on the website. These data are used for statistical purposes only and to improve our services. By accessing the site, data may also be saved on your computer. These data are called “cookies” and they facilitate the use of the website. However, you have the option to deactivate this function in your web browser. This may result in limitations when using our website.

The user’s personal data will not be transmitted to any third party. Exempt from this are only the service partners of the Sammelkartenmarkt GmbH & Co. KG needed for the completion of the contractual relationship, e.g. providers of payment services (such as PayPal), as well as a transmission of data to authorities within our legal obligations. In these cases, the provisions of the German Federal Data Protection Act (BDSG) will be strictly observed, and the data transfer will be restricted in any event to a minimum extent.

You shall be entitled to the right of withdrawal of the consent with effect for the future at all times and without limitations. The contact data for exercising the withdrawal may be found in the About us section of our website.

You have the right to information free of charge on your stored personal data as well as to the correction, deletion or blocking thereof, in as far as personal data are concerned for the purposes of the BDSG. In order to contact us, please use the contact data to be found in the About us section of our website.

2 Controller

Controller for the purposes of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act is

Sammelkartenmarkt GmbH & Co. KG
Address
Nordkapstr. 4
10439 Berlin
Telephone
+49 30 46770170
E-Mail
[email protected]

Represented by:

Sammelkartenmarkt Verwaltungs GmbH, Nordkapstr. 4, 10439 Berlin, Deutschland, Amtsgericht Berlin (Charlottenburg), HRB 205929 B

Managing directors: Luis Torres, Dr. Matthias Knelangen, Dr. Marko Schädlich, Robert Giel

Registration office
Amtsgericht Berlin-Charlottenburg
Registration number
HRA 39760 B
VAT identification number pursuant to art. 27a Value added tax act
DE256122758

Responsible for the content for the purposes of art. 55 (2) RStV (Interstate Broadcasting Treaty):

Dr. Matthias Knelangen
Nordkapstr. 4
10439 Berlin

3 Name and address of the data protection officer

The data protection officer of the controller is:

Yahya Matar
Nordkapstr. 4
10439 Berlin

E-Mail: [email protected]

4 General information on data processing

  1. In general, the processing of personal data is only done to the extent necessary for the provision of a functional website including contents and services. Regular processing of data is only done upon consent of the data subject. As an exception, the processing of data is done without consent of the data subject if obtaining consent is not possible for practical reasons and the processing of data is permitted by legal provisions.

  2. Art. 6 (1) point (a) GDPR serves as legal basis for the processing of personal data in so far as the consent of the data subject has been obtained for the processing of personal data.

    Art. 6 (1) point (b) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the performance of a contract to which the data subject is a contractual party. This also applies to processing necessary for the implementation of pre-contractual measures.

    Art. 6 (1) point (c) GDPR serves as legal basis for the processing of personal data insofar as the processing of personal data is necessary for the performance of a legal obligation to which the company is subject.

    Art. 6 (1) point (f) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the processing for the protection of a legitimate interest of the company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest.

  3. The personal data of the data subject will be deleted or blocked as soon as the purpose of the data storage is no longer applicable. Storage beyond this purpose can be done if this is required by relevant national or European regulations. Blocking or deleting of the data is also done when a retention period prescribed by the aforementioned regulations expires unless further storage of data is required for the conclusion or performance of a contract.

5 Use of the website

  1. With each visit to the website, the system automatically records data and information from the computer system of the calling computer.

    The following data are collected:

    1. IP address
    2. Time and date of the access
    3. Time zone difference with Greenwich Mean Time (GMT)
    4. Contents of the website
    5. Access status (HTTP status)
    6. Data volume transferred
    7. Web browser
    8. Browser language and version
    9. Operating system
    10. The website from which you entered this website

    The data are saved in the log files of the system. Storage of this data together with other personal user data does not take place.

  2. The legal basis for this is art. 6 (1) point f GDPR.

  3. The collection and temporary storage of the IP address is necessary to enable the presentation of the website on your device. For this, your IP address has to be saved for the duration of your visit of the website. An analysis of these data for marketing purposes does not take place.

  4. The data are deleted when the respective session is ended. If these data are saved in log files, they are deleted after seven days at the latest. Storage beyond this is possible. In this case, the users’ IP addresses are deleted or obscured so that they can no longer be assigned to the calling client.

  5. The collection of data for the availability of the website and the storage of data in log files for availability of the website are absolutely necessary. Therefore, there is no possibility of appeal.

6 Registration

  1. The website allows users to register by entering personal data. For this, the data is entered into an input mask, then transmitted and saved. A transfer to a third party does not take place. The following data is collected:

    1. Name (first name, surname)
    2. Home address (street, house number, postal code, country)
    3. E-mail address
    4. Time and date of the registration

    Commercial users are also required to enter the company name, the VAT ID and the phone number. Where applicable, a tax statement is required pursuant to section 22f (1) sentence 2 VAT Act. Users who use our platform as non-commercial sellers are required to enter their birth date in addition to the above mentioned data.

    During the registration process the user’s consent for the processing of these data is obtained with reference to the privacy policy.

  2. The legal basis for this, upon consent of the user, is art. 6 (1) point (a) GDPR. If the registration serves the performance of a contract to which the user is a contractual party or serves the implementation of pre-contractual measures, art. 6 (1) point (b) GDPR is an additional legal basis for the processing of data. As far as we are obliged to process data of commercial users and private sellers, the legal basis is art. 6 (1) point (c).

  3. The registration of the user is required to set up a customer account. It serves to identify the user and to perform the user contract via the service. The data entered by commercial users or private sellers are collected for the fulfillment of our legal obligations to the financial authorities.

  4. The data will be deleted as soon as it is no longer required for the fulfilment of the purpose for which they were collected. This is the case during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations.

  5. Data subjects may modify at any time the user data (except their name and birthday) in their user profile under www.cardmarket.com/Account. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations. If the recorded name or birthday is incorrect, please reach out to our customer support team to correct the data.

7 Use of the online marketplace

  1. To use the online marketplace, inventory data (e.g. names and addresses as well as contact data of users, user names of authorised users) and contract data (e.g. services used, names of contact persons, payment information) are processed as well as the IP address and the time of the respective user intervention, the user ID and the accessed URLs. This data is stored in the log files of our system. Apart from that, data of third parties entered by the user are processed.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR. The consent is obtained upon conclusion of the contract.

    Additional legal basis for the processing of data is art. 6 (1) point (b) GDPR, as the processing of the specified data serves to perform a contract to which the user is a contractual party or to implement pre-contractual measures.

    Furthermore, processing is done to improve our services for the benefit of the analysis, optimisation and the economic operation of our website for the purposes of art. 6 (1) point (f) GDPR.

  3. Purpose of the processing

    1. of the inventory data (e.g. names and addresses as well as user contact data) and contract data (e.g. services used, names of contact persons, payment information) is the implementation of the contract as well as billing purposes.
    2. of user names and the entries of the respective users is to ensure the access authorisation of the service.
    3. of the IP address, time of the respective user intervention as well as the accessed URLs is done to optimise our services and to continually improve the user experience.
    4. of third party data entered by the user is the implementation of the contract and the provision of the contracted services.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the data collected during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations (especially fiscal retention periods).

  5. Data subjects may modify or delete the saved data at any time. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations. In particular, the notice periods of current contracts shall remain unaffected.

8 Payments and Payment Service Providers

  1. If you are redirected to the website of a payment service provider for a payment transaction, the data entered by you will be processed directly by the payment service provider. The Privacy Policy of the respective payment service provider applies.

    1. Klarna-SOFORT Direct payment

      If you choose SOFORT as your payment method, we work with the payment provider Sofort GmbH, Theresienhöhe 12, 80339 München. Sofort GmbH is a subsidiary of Klarna Bank AB, Sveavägen 46, 111 34 Stockholm.

      For the payment process, you will be immediately redirected to the website of Sofort GmbH, where the payment will be processed. Any data entered there will not be collected, processed, or stored by Cardmarket. For this data, only the Sofort GmbH privacy policy applies. You can find the Sofort GmbH privacy policy at https://www.sofort.com/integrationCenter-ger-DE/integration/datenschutz.html or the Klarna Bank AB privacy policy at http://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy.

    2. Braintree

      Payments through PayPal as well as credit card payments are processed by payment service provider Braintree. Braintree is a service of PayPal, PayPal UK Ltd., 22-24 Boulevard Royal L-2449, Luxembourg. For these payments, you will be immediately redirected to the Braintree user interface where the payment will be processed. The data to be entered there will not be collected, processed, or stored by us. For this data, only the Braintree privacy policy applies, which you can find at https://www.braintreepayments.com/de/legal/braintree-privacy-policy as well as further privacy statements if applicable.

    3. Wise

      For credit uploads of users who do not have their residence in the EU as well as for withdrawals of credit in the currency Pound Sterling (GBP), we cooperate with Wise. This service is provided by Wise Europe SA, Avenue Louise 54, Room s52, 1050 Brussels, Belgium. As part of the payment process or transaction, you will be redirected directly to the Wise user interface, where the transaction will be processed. The data that you enter there will not be collected, processed or stored by us. In this respect, only the data protection guidelines of Wise apply, which you can access at https://wise.com/de/legal/privacy-policy, as well as any further data protection declarations stated there.

  2. Art. 6 (1) point (a) GDPR is the legal basis for the processing of payment data by the user upon consent from the user.

    Additionally, art. 6 (1) point (b) GDPR serves as legal basis for the processing of personal data, insofar as this data is required for the fulfilment of a contract.

  3. The collection of data is done solely for the fulfilment of the contract.

  4. The data will be deleted as soon as it is no longer required for the fulfilment of the contract for which it was collected. This is the case for the personal data if the respective contractual relation with the person concerned was terminated. A contractual relation is considered terminated if the person concerned can no longer be considered a client (e.g., by deleting the account).

  5. The person concerned may at any time withdraw consent to the processing of personal data. Any obligation needed to fulfil the contracts remains unaffected by this.

9 Comments function

  1. The website provides the possibility to comment on individual products. When this function is used, the data entered into the input mask will be transmitted and saved there. These data are:

    1. Title and name (voluntary information)
    2. E-mail address
    3. Contents of the question

    Additionally the following data are recorded upon contact:

    1. IP address of the calling computer
    2. Time and date of the contact

    When the question is published on the website, this is done only in an anonymised form. Otherwise, no data is passed on to a third party. The data are used exclusively for the processing of the conversation.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR. Otherwise, the legal basis for the processing of data is art. 6 (1) point (f) GDPR.

  3. The processing of personal data from the input mask only serves to answer the commentaries on the respective product. Our legitimate interest in the processing lies in the provision of useful product information for other users. Any other personal data processed during sending serve to prevent misuse of the question form and to ensure the security of the information technology systems.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the personal data from the question form when the question has been answered completely. The additional personal data collected during sending will be deleted at the latest after seven days.

  5. The data subject may at any time withdraw consent to the processing of personal data. You can object to the storage of personal data at any time. However, in such a case the asked questions cannot be answered. Any personal data saved during the question will be deleted in this case. Insofar as there is no personal traceability by posting a question or an answer, these will remain available with the respective product.

10 Use of data via application programming interface (API)

The use of the API using a permanent Access Token enables you to access your own inventory data as well as publicly available data such as trading card prices etc. Neither you nor other users have access to each other’s inventory data.

Commercial developers of apps and similar application programmes are provided with an App Key. Here too, no personal data or granting of access rights to such data will be passed on at first.

However, if you log in with your data (user name and password) via a third-party app, you grant this app a temporary access (read and write), limited to 24 hours, to your own inventory data.

We are not liable for possible damages or misuse arising from the use of such third-party apps. For the terms of use and data protection regulations of such third-party apps please refer directly to the app provider.

11 Contact via e-mail or contact form

  1. The website uses contact forms which may be used for electronic contact. If used, the data entered into the input mask or sent by e-mail are transmitted and saved there. These data are:

    1. E-mail address
    2. Contents of the contact

    Additionally, the following data is collected during contact:

    1. IP address of the calling computer
    2. Time and date of the contact

    A transfer to a third party does not take place in this context. The data will be used exclusively for processing the conversation.

    We work with the Freshdesk helpdesk software, a service from Freshworks Inc. 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA, for the handling of enquiries.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR.

    The legal basis for the processing of data transmitted when sending an e-mail is art. 6 (1) point (f) GDPR.

    If the contact is aimed at concluding or performing a contract, the additional legal basis for the processing is art. 6 (1) point (b) GDPR.

  3. The processing of personal data from the input mask or by e-mail only serves to process the contact. In case of a contact via e-mail, this shall also constitute the required legitimate interest in the processing of data. Any other personal data processed during sending serves to prevent misuse of the contact form and to ensure the security of the information technology systems.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the personal data from the input mask of the contact form and the data transmitted via e-mail when the respective conversation with the data subject has ended. The conversation is ended if the circumstances indicate that the respective issue has been resolved conclusively. The additional personal data collected during sending will be deleted at the latest after seven days.

  5. We have concluded a "Data Processing Agreement" with Freshworks. This is a contract pursuant to which Freshworks is required to protect our users' data and to process the data exclusively according to instructions on our behalf in accordance with the data protection rules. It includes the so-called standard contractual clauses provided for in the GDPR. The text of the contract with Freshworks can be found at https://www.freshworks.com/de/datenverarbeitungsnachtrag; more information can be found at https://www.freshworks.com/privacy.

  6. Your data will be erased after processing of your enquiry is completed. This is the case if it is possible to infer from the circumstances that the situation in question has been conclusively clarified and insofar as no legal retention periods prevent it.

  7. The data subject may at any time withdraw consent to the processing of personal data. In case of a contact via e-mail, you can object to the storage of personal data at any time. However, in such a case the conversation cannot be continued. In this case, any personal data saved during contact will be deleted.

12 Use of cookies

  1. The website uses cookies. Cookies are text files, which are saved in the web browser or by the web browser on the user’s computer system. A cookie contains a distinctive string of characters that enables the clear identification of the browser upon re-entering the website. Cookies cannot transmit viruses onto the device or execute programs.

    Cookies help to make the website more user-friendly. Some elements of the website require the identification of the calling browser even after the page was changed.

    Insofar as cookies are technically not necessary, these are only loaded when the user has given consent. For this, we are using a plugin that will not collect any personal data itself. The information about an existing consent, for its part, is saved as a cookie. However, no personal data is collected for this purpose.

    Transient cookies are deleted automatically when the session is closed. These include e.g. session cookies which save the so-called session ID and by means of which the different web inquiries can be allocated to the joint session. This allows for the device to be recognized in a new session.

    Persistent cookies are deleted automatically after a prescribed retention period, which may be different for each cookie. The corresponding settings may be deleted at any time in the settings of the web browser.

    Cookies save the following data:

    1. Log-in information

    2. Language settings

    3. Entered search terms

    4. Number of website calls

    5. Use of different functions of the website

  2. The legal basis for the use of technically necessary cookies is art. 6 (1) point (f) GDPR.

  3. The purpose of the application of technically necessary cookies is to simplify the use of websites for the user. Some functions of the website cannot be offered without the use of cookies. For this, it is necessary that the browser be recognised after a change of page.

    The user data collected by technically necessary cookies are not used to create user profiles.

  4. The legal basis for the application of technically necessary cookies is art. 6 (1) point a GDPR, if the user has given consent to the respective cookie. The purpose for the application of technically not necessary cookies is to analyse the use of the website and to continually improve individual functions and offers as well as the user experience. By means of statistical analysis of the user experience, the offer can be improved and designed to be more interesting for the user. Further details may be taken from the respective sections of the privacy statement.

  5. Cookies are saved on the user’s computer and are transmitted from there to our website. Hence, you as user also have full control over how cookies are used. By changing the settings in your web browser, you can deactivate or limit the transmission of cookies separately from the opt-in banner. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

13 Google Analytics

  1. The website uses “Google Analytics”, a web analytics service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google uses cookies, text files which are saved on your device and which enable an analysis of the website use. The information about the use of this website generated by the cookie is usually transmitted to a Google server in the USA and saved there. If an anonymisation of the IP address to be transmitted by the cookie is activated on the website by the extension “_anonymizeIp()” (hereafter referred to as: “IP anonymisation”), the IP address will be shortened beforehand by Google within the member states of the European Union or other signatory states of the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on behalf of the controller to evaluate the website use, to compile reports about website use and to perform further services connected to website and Internet use. During this process, pseudonymous user profiles may be created from the processed data. The IP address transmitted using Google Analytics will not be merged with other Google data.

    The website uses Google Analytics only with the activated IP anonymisation as described above. This means that Google will process your IP address only in the shortened form. Therefore, a personal traceability can be excluded.

  2. Google Analytics is only activated via our cookie banners. Therefore, the legal basis for the processing is the user's consent for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Google Analytics in order to analyse the website use and to continually improve different functions and offers as well as the user experience. Using statistical analysis of the user behaviour, the offer can be improved and designed to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by Google.

  4. Separately from the opt-in banner, the storage of cookies generated by Google Analytics may be blocked by adjusting the corresponding settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website. If you wish to block the collection of data generated by the cookie and related to the user behaviour (including your IP address), you may download and install the web browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout.

    In order to oblige Google to process the transmitted data only as instructed and to comply with the data protection regulations, the controller has concluded a processing contract with Google.

    In the exceptional cases where personal data have been transmitted to the USA, Google has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Google is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

    Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on data use by Google, on settings and appeal options as well as on privacy policy may be found on the following Google websites:

    1. User conditions:
      http://www.google.com/analytics/terms/
    2. Overview on privacy policy:
      http://www.google.com/intl/de/analytics/learn/privacy.html
    3. Privacy statement:
      https://www.google.com/intl/de/policies/privacy/
    4. Data use by Google upon your use of our partners’ websites or apps:
      https://www.google.com/intl/de/policies/privacy/partners/
    5. Data use for advertising purposes:
      https://www.google.com/policies/technologies/ads/
    6. Settings on personalised advertising by Google:
      http://www.google.de/settings/ads

    For users who visit our website from the People’s Republic of China (PRC), it is possible to use the services of Site Monitor of the provider Miaozhen Ltd, Beijing, PRC with servers in the PRC instead of Google Analytics for the same purpose and subject to the same restrictions. In order to deactivate Site Monitor, visit http://i.miaozhen.com.cookie_opt.html.

14 Visual Website Optimizer

  1. The website uses "VWO (Visual Website Optimizer)", a service by the company Wingify, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitampura, Delhi 110034, India (hereinafter referred to as: "VWO"). When using this service VWO stores and processes information about your user behaviour on our website. For this, cookies are used. These are small text files which enable an analysis of the user's website use. Cookies are stored locally on your terminal device.

    The information about the website use generated by the text file (cookie) is transmitted to Wingify in an anonymised form. The transmission of data outside the country of origin cannot be ruled out.

  2. Visual Website Optimizer is only used if you have given consent via the cookie banner. The legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. Data processing using VWO serves marketing and optimisation purposes. It enables an analysis of the user behaviour on our website and, therefore, the improvement of individual functions and offers. This puts us in a position to continually improve the user experience of the website users. A statistical analysis of the user behaviour on our website allows us to improve our offer and design it to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by the third-party provider.

  4. Separately from the opt-in banner, the installation of cookies may be blocked by deleting existing cookies and by deactivating the storage of cookies in the settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website. You may also block the storage of the above-mentioned information by Wingify by setting an opt-out cookie on the website linked below:

    https://vwo.com/opt-out/

    Please note that the opt-out setting will be deleted once the cookies are deleted. Also separately from the opt-in banner, you may object to the recording and transmission of personal data and block the processing of these data by deactivating JavaScript in the browser. Additionally, you may block the execution of JavaScript code entirely by installing the corresponding add-on for your browser (e.g. https://noscript.net/). In case of the use of such blockers or the deactivation of JavaScript, you may not be able to make full use of all features of our website.

    Information of the third-party provider: Wingify, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India. Further information of the third-party provider on data protection may be found on the following website: https://vwo.com/en/privacy-policy/ .

15 Microsoft Ads

  1. The website uses “Microsoft Ads”, an advertising service of Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”). In the process, Microsoft files a cookie on your device, provided that you have entered our website via a Microsoft Bing ad. Both Microsoft and the controller are able to know that someone clicked on the ad, was redirected to our website and has reached a predetermined target page (conversion site). During this process, only the total number of users who have clicked on a Bing ad and were then redirected to the conversion site is recorded. Microsoft collects, processes and uses information via the cookie to create user profiles using pseudonyms.

  2. Bing Ads will only be activated if you have given consent via our cookie banner. Therefore, the legal basis is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. The use of Bing Ads serves to analyse user behaviour and to show advertisements. No personal information on the identity of the user is processed.

  4. Independently from the opt-in banner, the required filing of cookies may be refused – e.g. by setting your browser to generally deactivate the automatic filing of cookies. Additionally, you may prevent the recording of data generated by the cookie and related to the use of the website as well as the processing of this data by Microsoft by objecting to the data use under the following link: http://choice.microsoft.com/opt-out. Find further information on data protection and on the used cookies at Microsoft and Bing Ads on the Microsoft website: https://privacy.microsoft.com/privacystatement.

16 Meta Ads

  1. The website uses “Facebook Ads” (hereafter referred to as: “Pixel”), an analysis programme of the social network “Facebook.com” of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (hereafter referred to as: “Facebook”) in order to track users’ behaviour after they have clicked on a Facebook ad. The recorded data is collected anonymously and serves analysis for market research purposes. Facebook can connect this data to an existing Facebook account and use it for their own advertising purposes according to the Facebook data use policy.

    The user can enable Facebook as well as their partners to place ads on and off Facebook. Furthermore, cookies may be saved to your computer for these purposes.

  2. Facebook Pixel will only be activated if you have given consent via the cookie banner. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. The website uses Pixel for marketing and optimisation purposes, particularly to place relevant and interesting ads, to improve reports on campaign performance or to avoid that the same ads are viewed several times. This is also the legitimate interest in the processing of the above data.

  4. Independently from the opt-in banner, the installation of cookies may be blocked by deleting existing cookies and deactivating the storage of cookies in the settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    Consent, except for the cookie settings on our website, may be withdrawn here:

    https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

    Additionally, Facebook has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Facebook is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link:

    https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC

    Information of the third-party provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 4, IRELAND, Fax: +0016505435325. Further information on data use by Facebook, on settings and appeal options as well as on privacy policy may be found on the following Facebook websites:

    https://www.facebook.com/about/privacy/

17 Facebook Connect

  1. The website uses “Facebook Connect” (hereafter referred to as “Connect”), an analysis programme of the social network “Facebook.com” of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (hereafter referred to as: “Facebook”) to enable a registration or login via Facebook rather than a direct registration on the website.

    By clicking Facebook Connect the user is redirected from Facebook to the website to register there or log in. The following data are transmitted via this link:

    1. Facebook name
    2. Facebook profile and cover photo
    3. Facebook cover photo
    4. E-mail address entered in Facebook
    5. Facebook ID
    6. Facebook friend list
    7. Facebook likes
    8. Date of birth
    9. Gender
    10. Country
    11. Language

  2. Facebook Connect will only be activated if you have given consent via our cookie banner or via the active use of the login by the user. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR. The collected data will be deleted upon conclusion or termination of the contract. Legal retention periods shall remain unaffected.

18 Twitter Analytics

  1. The website uses “Twitter Analytics”, a web analysis service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (in the following short: “Twitter”). Twitter uses cookies, small text files which are saved on the device and which enable an analysis of the website use. The information generated by the cookie about the use of the website is generally transmitted to a Twitter server in the USA and saved there. Twitter uses this information to analyse on behalf of the controller the use of the website, to compile reports about website use and to provide further services related to the use of the website and the Internet. This may be used to create pseudonymous user profiles using the processed data. The IP address transmitted using Twitter Analytics will not be merged by Twitter with other data.

  2. Twitter Analytics will only be used if you have given consent via our cookie banner. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. The website uses Twitter Analytics in order to analyse the website use and to continually improve different functions and offers as well as the user experience. Using statistical analysis of the user behaviour, the offer can be improved and designed to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by Twitter.

  4. Separately from the opt-in banner, the storage of cookies generated by Twitter Analytics may be blocked by adjusting the corresponding settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    In order to oblige Twitter to process the transmitted data only as instructed and to comply with the data protection regulations, the controller has concluded a processing contract with Twitter.

    In the exceptional cases where personal data have been transmitted to the USA, Twitter has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Twitter is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO

    Further information on data use by Twitter, on settings and appeal options as well as on privacy policy may be found on the following Twitter websites:

    1. User conditions:
      https://twitter.com/de/tos#current

    2. Overview on privacy policy:
      https://twitter.com/privacy

19 Twitter Ads

  1. The website uses “Twitter Ads”, an advertising service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (in the following short: “Twitter”) in order to track users’ behaviour after they have viewed or clicked on a Twitter ad. The recorded data is collected anonymously and serves analysis for market research purposes. Twitter can connect this data to an existing Twitter account and use it for their own advertising purposes according to the Twitter data use policy.

    The user can enable Twitter as well as their partners to place ads on and off Twitter. Furthermore, cookies may be saved to your computer for these purposes.

  2. Twitter Ads will only be activated if you have given consent via our cookie banner. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. The website uses Twitter Ads for marketing and optimisation purposes, particularly to place relevant and interesting ads, to improve reports on campaign performance or to avoid that the same ads are viewed several times. This is also the legitimate interest in the processing of the above data.

  4. The installation of cookies may be blocked by deleting existing cookies and deactivating the storage of cookies in the settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    If users do not wish Twitter to allocate the data collected via the website directly to the Twitter account, users need to log out of Twitter before visiting our website. You can completely block loading the Twitter plugin using add-ons, e.g. with the script blocker “NoScript” (https://noscript.net/).

    Further information on data use by Twitter, on settings and appeal options as well as on privacy policy may be found on the following Twitter websites:

    1. User conditions:
      https://twitter.com/de/tos#current

    2. Overview on privacy policy:
      https://twitter.com/privacy

    3. Privacy statement:
      https://policies.google.com/privacy.

20 Social Plugins via Shariff

On our website, we have integrated social media buttons of the following providers via the Shariff tool of (German) computer magazine c't and heise-online:

  1. Facebook Connect, a service of Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA, data policy: https://www.facebook.com/about/privacy/
  2. Facebook Impressions, a service of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, data policy: https://www.facebook.com/about/privacy/
  3. Share on Twitter, a service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA, privacy policy: https://twitter.com/privacy
  4. Share on Instagram, a service of Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, data policy: http://instagram.com/legal/privacy/
  5. Share on Reddit, a service of Reddit Inc., Reddit, 548 Market St. #16093, San Francisco, California 94104, data policy: https://www.reddit.com/help/privacypolicy/

By using Shariff the respective social media buttons are integrated only as graphics so that no data exchange with the respective social network provider takes place. If users wish to use the respective button, they will be redirected to the respective provider. A data exchange with the respective provider takes place only after having clicked on the respective button. How your data are processed by the respective providers may be taken from the above-noted terms of use and data policies.

21 Reddit Conversion Tracking

On our website, the “Reddit Conversion Pixel” is used, an analysis service of Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, United States. This tool files a cookie on your PC if you get to our website via a Reddit ad. This cookie is not used to trace you personally. If you visit our website, it will be identifiable to us as well as to Reddit that you clicked on the corresponding ad and were redirected to our website.

Reddit Conversion Tracking will only be activated if you have given consent via our cookie banner. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

Using the data obtained by conversion cookies, conversion statistics are compiled for us. This way, we will know the total number of users who responded to our ad and were redirected to one of our pages equipped with a Reddit pixel. During this procedure, we do not receive any information allowing us to identify you personally as user. If you oppose this tracking procedure, you may deactivate the storage of cookies, separately from the opt-in banner, via your Internet browser. If needed, use the help function of your browser for further information. Detailed information on Reddit’s privacy policy may be found at https://www.reddit.com/help/privacypolicy/.

22 YouTube

  1. The website is embedding videos of the online platform "YouTube". The YouTube operating company is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. It is a subsidiary of Google.

    If the person concerned is logged in to YouTube, YouTube and Google collect information about which subpages this person visits. Data exchange takes place only when clicking the video.

    Further information on YouTube is available at https://www.youtube.com/yt/about.

  2. YouTube will only be activated if you have given consent or by clicking the video. Therefore, the legal basis for the processing is the user’s consent pursuant to art. 6 (1) point a GDPR.

  3. The purpose is an improved presentation of the website and a user-friendly handling of videos without having to link to another platform.

  4. Via the YouTube videos, YouTube and Google always receive information about the person concerned having visited our website when this person has been logged in to YouTube at the same time when visiting our website. This is done regardless of whether or not the person concerned clicks on a YouTube video. This transmission may be prevented by the person concerned logging out of YouTube first.

YouTube's privacy policy (available at https://www.google.de/intl/policies/privacy/) gives information about the collection, processing and use of personal data by YouTube and Google.

23 Google (Invisible) reCAPTCHA

  1. The website uses “Google reCAPTCHA”, a Turing test by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google checks whether the data entries on the website are made by a person or an automated programme. For this, user behaviour is analysed using different attributes. The analysis starts automatically upon entering the website. For the analysis, reCAPTCHA analyses various information (e.g. IP address, time spent on the website or mouse movements by the user). The data collected in the analysis are transmitted to Google.

    The reCAPTCHA analyses are running completely in the background. Website visitors are not notified that an analysis takes place.

  2. The legal basis for the processing is art. 6 (1) point f GDPR.

  3. The controller has the legitimate interest that the website be protected against improper automated spying and SPAM.

  4. For further information on Google reCAPTCHA as well as on Google’s privacy policy go to the following links:

    1. https://www.google.com/intl/de/policies/privacy/

    2. https://www.google.com/recaptcha/intro/android.html

24 Encrypted data transfer

When logging in (“Login”) or establishing a contact all data is transmitted via an encrypted connection using TLS technology. The certificate required for this, which has been installed on the server, has been issued by an independent organisation. An encrypted connection may be recognised by the change in the address bar of the browser from http:// to https://.

As soon as the encrypted TLS connection has been established, your entries transmitted to the shop can no longer be read by a third party.

25 Applicant data

As a rule, your data will be automatically deleted three months after the application procedure. In addition, you may request the deletion of your data at any time via e-mail to [email protected]. Please note, in this case, that you are withdrawing from all ongoing application procedures.

26 Rights of the data subject

If personal data is processed, the users are “data subjects” for the purposes of the GDPR and are entitled to the following rights towards the controller:

  1. Right of access

    The data subject may demand a confirmation from the controller on whether personal data is processed.

    If such a processing takes place, the following information may be requested from the controller:

    1. the purposes for which personal data are processed;
    2. the categories of personal data which are processed;
    3. the recipient or categories of recipients to whom the respective data have been disclosed or will be disclosed;
    4. the envisaged period for storing personal data or, if specific information is not available, the criteria used to determine that period;
    5. the existence of a right to rectification or deletion of personal data, of a right to restriction of processing by the controller or right of appeal against this processing;
    6. the existence of the right to lodge a complaint with a supervisory authority;
    7. any available information about the source of the data where personal data are not collected from the data subject;
    8. the existence of automated decision-making, including profiling, referred to in art. 22 (1; 4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data processing for the data subject.

    The data subject shall have the right to information about whether personal data are transmitted to a third country or an international organisation. In this context, the data subject may request information on the appropriate safeguards pursuant to art. 46 GDPR relating to the transmission.

  2. Right to rectification

    The data subject shall have the right to rectification and/or completion of data against the controller if the processed personal data are inaccurate or incomplete. The controller has to correct these data immediately.

  3. Right to restriction of processing

    The restriction of processing of personal data may be requested if one of the following conditions applies:

    1. the accuracy of the personal data is contested for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the deletion of personal data is opposed and the restriction of their use is requested instead;
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims, or
    4. the processing has been objected pursuant to art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

    Where the processing of personal data has been restricted, such data shall – with the exception of storage – only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    Where the processing has been restricted under the above conditions, the data subject shall be informed by the controller before the restriction is lifted.

  4. Right to deletion

    Obligation to deletion

    The data subject shall have the right to request from the controller the deletion of personal data without undue delay and the controller shall have the obligation to delete these data without undue delay where one of the following grounds applies:

    1. the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
    2. the consent is withdrawn on which the processing is based pursuant to point (a) art. 6 (1) or point (a) art. 9 (2) GDPR and where there is no other legal basis for the processing.
    3. the processing is objected to pursuant to art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the processing is objected to pursuant to art. 21 (2) GDPR.
    4. the personal data have been unlawfully processed.
    5. the personal data have to be deleted to comply with a legal obligation according to Union or Member State law to which the controller is subject.
    6. the personal data have been collected in relation to the offer of information society services referred to in art. 8 (1) GDPR.

    Information to third parties

    Where the controller has made the personal data public and is obliged pursuant to art. 17 (1) GDPR to delete these data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the deletion of any links to, or copies or replications of, those personal data.

    Exceptions

    The right to deletion shall not apply to the extent that processing is necessary

    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interests in the area of public health pursuant to points (h) and (i) of art. 9 (2) and art. 9 (3) GDPR;
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to art. 89 (1) GDPR in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
    5. for the establishment, the exercise or defence of legal claims.

  5. Right to notification

    Where a right to rectification, deletion or restriction of the processing is claimed against the controller, the controller shall be obliged to communicate this rectification or deletion of data or the restriction of the processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

    The data subject shall have the right against the controller to be informed about those recipients.

  6. Right to data portability

    The data subject shall have the right to receive the personal data provided to the controller in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    1. the processing is based on consent pursuant to point (a) of art. 6 (1) GDPR or point (a) art. 9 (2) GDPR or on a contract pursuant to point (b) art. 6 (1) GDPR and
    2. the processing is carried out by automated means.

    In exercising this right, the data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons shall remain unaffected by this.

    The right to data portability shall not apply for a processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  7. Right to object

    The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on point (e) or (f) art. 6 (1) GDPR, including profiling based on those provisions.

    The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

    Where processing for direct marketing purposes was objected to, the personal data shall no longer be processed for such purposes.

    The data subject shall have the possibility, in the context of the use of information society services – notwithstanding Directive 2002/58/EC – to exercise their right to object by automated means using technical specifications.

  8. Right to withdraw declaration of consent to the data protection law

    The data subject shall have the right to withdraw the declaration of consent to the data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing which has taken place based on the consent before its withdrawal.

  9. Automated individual decision-making, including profiling

    The data subject shall have the right not to be subject to a decision based on automated processing – including profiling – which produces legal effects concerning the data subject or similarly significantly affects them. This shall not apply if the decision:

    1. is necessary for entering into or performance of a contract between the data subject and the controller,
    2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms as well as legitimate interests, or
    3. is based on the data subject’s explicit consent.

    However, these decisions shall not be based on special categories of personal data referred to in art. 9 (1) GDPR, unless point (a) or (g) of art. 9 (2) apply and suitable measures to safeguard the rights and freedoms and legitimate interests are in place.

    In the cases referred to in points (1) and (3) the controller shall implement suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

  10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy all data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if it is considered that the processing of data infringes the GDPR.

    The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.

End of the Privacy Statement
