Sample data protection declaration

I. Basics

Here we inform you about the processing of personal data when using our online presence. This online data protection declaration applies to our website www.xyz.de as well as to our profiles in the social networks. Personal data is all data that can be traced back to you personally, such as your name, address, email address, IP address or user behavior.

With regard to the terms used, such as "processing", "controller" or "data subject", reference is made to the definitions in Art. 4 GDPR. There you will find the following in particular:

"Personal data" is all information that relates to an identified or identifiable natural person (the "data subject"); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 (1) GDPR).

"Processing" is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or linking, restriction, erasure or destruction (Art. 4 (2) GDPR).

"Controller" (or "responsible body") is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data (Art. 4 (7) GDPR).

"Processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 (8) GDPR).
The terms "processing" and "personal data" in particular are very broad, so that almost any handling of data can be understood as such.

Please note: This template is intended as a guide. Before use, the template must be adapted to the individual circumstances of your company and, if necessary, supplemented to cover other tools that you use on your website. In some places, we have included alternative wording in square brackets for you. If you do not use this wording, you should delete it.

II. Who is the responsible body?

We are responsible for processing your data:

Muster GmbH
Musterstraße 123
12345 Musterort
Tel.: xx
Email: xx

III. How can you contact our data protection officer?

The data protection officer of the controller is:

Max Mustermann
Musterstraße 123
12345 Musterort
Tel.: xx
Email: xx

[Alternatively: We are not legally obliged to appoint a data protection officer. If you have any questions about the processing of your data, you are welcome to contact us at any time (contact details above).]

IV. Who is affected by the data processing?

If you visit our website, for example as an interested party, customer, supplier, service provider or other visitor, your personal data will be processed in accordance with the statutory provisions and/or this declaration. All visitors to our website are collectively referred to as "users".

V. What data do we collect from you, and for what purposes and on what legal basis do we process it?

If you visit our website without registering or providing us with information in any other way, only the personal data that the browser you use sends to our server will be processed.
To the best of our knowledge, the following data will then be processed, which is technically necessary to display our website and to ensure its stability and security:

- IP address of the requesting computer
- Date and time of the request
- Name and URL of the retrieved file
- Access status / HTTP status code
- Volume of data transferred
- Website from which the request came (referrer URL)
- Browser used
- Operating system

The processing of this data in so-called log files is necessary to display our website and to ensure its stability and security.

If you also send us personal data, e.g. as part of an inquiry by e-mail or via our contact form, we will also process the following data, depending on the information you provide:

- Inventory data (e.g. name, address)
- Contact details (e.g. e-mail address, telephone number)
- Content data (e.g. text entries, photos, videos)
- Usage data (e.g. sites visited, access times)
- Communication / metadata (e.g. device information, IP addresses)

We may also process the following personal data for the purposes of providing contractual services, service and customer care, as well as marketing / advertising:

- Contract data (e.g. subject matter of the contract, term, customer number)
- Payment data (e.g. bank details, payment history)

We process your personal data when you visit our website for the following purposes:

- Providing the functions and content of our online offering
- Ensuring a smooth connection to our website
- Ensuring comfortable use of our website
- Evaluating and ensuring system security and stability, as well as general security measures
- Answering any contact inquiries or communicating with you
- Other administrative purposes
- Provision of contractual services
- Customer service

Unless we specify a specific legal basis in this data protection declaration, the following applies to the processing of your personal data: The legal basis for obtaining consent is Art. 6 (1) (a), Art. 7 GDPR.
The legal basis for data processing to fulfill our services and carry out (pre-)contractual measures, as well as to answer any inquiries, is Art. 6 (1) (b) GDPR. The legal basis for data processing to fulfill legal obligations is Art. 6 (1) (c) GDPR. If vital interests of the data subject or another natural person make data processing necessary, the legal basis is Art. 6 (1) (d) GDPR. Data processing to protect our legitimate interests is based on Art. 6 (1) (f) GDPR. Our legitimate interest arises from the purposes of data collection stated above.

If, as part of the processing of your personal data, we disclose it to third parties, transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission, if you have consented to this, if we are legally obliged to do so, or on the basis of our legitimate interests. A legal permission exists in particular if the transfer of data is necessary to fulfil contractual obligations (e.g. with payment or shipping service providers). A legitimate interest may exist if we use data for direct advertising or to prevent fraud, or if you are our customer. A legitimate interest may also exist, for example, when using web or email hosts, cloud providers or other service providers. Such service providers often act as so-called contract processors on the basis of a corresponding contract. They are also obliged to comply with data protection regulations and to guarantee this contractually. The legal basis for such contract processing relationships is Art. 28 GDPR.

VI. To whom do we transmit your data?

We regularly work with the following recipients in particular:

- Shipping service providers
- Credit institutions
- Email hosters
- Web hosters

We select our external service providers carefully. In the case of contract processing relationships (Art. 28 GDPR), these companies are contractually bound to our instructions and are regularly monitored by us.
Further information can be found in the following descriptions of the individual services.

VII. Will your data be transferred to locations outside the EU?

A transfer of your personal data to third countries (i.e. outside the EU or the EEA) or to an international organization is only intended in exceptional and specific cases. Further information can be found in the following descriptions of the individual services. If we process your personal data in a third country or have it processed there by third parties, this will only occur in order to fulfill our (pre-)contractual obligations or on the basis of your consent, a legal obligation or our legitimate interests. Your personal data will only be processed in a third country if the special requirements of Art. 44 ff. GDPR are met, unless legal or contractual permissions exist in the individual case. This means that data processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the European Union or compliance with special, recognized contractual obligations (in particular the so-called "EU standard contractual clauses").

[Alternatively: A transfer of your personal data to third countries (i.e. outside the EU or the EEA) or to an international organization is not intended.]

VIII. How long do we process your data?

The duration for which your personal data is stored is generally based on existing statutory retention periods (e.g. under commercial or tax law). Unless otherwise stated below, your personal data will be routinely deleted after the expiry of any relevant period, provided that it is no longer required to fulfill or initiate a contract, we no longer have a legitimate interest in continuing to store it and/or you have not consented to longer storage. In Germany, special retention periods exist in the following areas, among others:

- under commercial law (6 years, e.g. for opening balance sheets, annual financial statements, accounting documents, etc.)
- under tax law (10 years for all documents relevant for tax purposes)
- under the General Equal Treatment Act (AGG) (6 months for documents of rejected applicants)

IX. What are your rights?

With regard to the processing of your personal data, you have the right...

- to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected from you, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details (Art. 15 GDPR);
- to request the immediate rectification of incorrect or incomplete personal data stored by us (Art. 16 GDPR);
- to request the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims (Art. 17 GDPR);
- to request the restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful but you oppose its erasure, if we no longer need the data but you need it to assert, exercise or defend legal claims, or if you have objected to the processing in accordance with Art. 21 GDPR (Art. 18 GDPR);
- to receive the personal data that you have provided to us in a structured, common and machine-readable format, or to request that it be transmitted to another controller (data portability, Art. 20 GDPR);
- not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR);
- to lodge a complaint with a supervisory authority (Art. 77 GDPR);
- to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions (Art. 21 GDPR);
- to revoke your consent at any time. This means that we may no longer continue the data processing based on this consent in the future (Art. 7 (3) GDPR).

The last three rights are explained in more detail below.

X. When and how can you object to data processing?

[The text of this section must be highlighted, e.g. by using bold or italic formatting, a different font or colour, etc.]

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR, or for direct advertising or profiling, you have the right to object to the data processing at any time. This means that we may no longer process your personal data in the future unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the data processing serves to assert, exercise or defend legal claims. However, the right of objection only applies if there are reasons for doing so that arise from your particular situation, or if your objection is directed against direct advertising. In the latter case, you have a general right of objection, which we will implement without you having to specify a particular situation. If you wish to exercise your right of objection, simply send us a message (see contact details above).

XI. When and how can you withdraw your consent?

You can revoke any consent you have given us at any time.
This will then mean that we will no longer be permitted to process your personal data on the basis of this consent in the future. If you wish to exercise your right of revocation, simply send us a message (see contact details above).

XII. Who can you complain to?

With regard to our processing of your personal data, you have the right to complain to a data protection supervisory authority. A list of the state data protection supervisory authorities can be found, for example, at the following address: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

XIII. When and why is the provision of your data necessary?

When using our contact form or when sending inquiries by email, you provide us with your personal data (e.g. name, address or email address). The provision of your personal data is sometimes required by law (e.g. by tax law regulations). It may also be necessary to carry out (pre-)contractual measures. Failure to provide your personal data would mean that the contract with you cannot be concluded or that your inquiry cannot be answered. In order to execute contracts or pre-contractual measures, or to communicate with us, the provision of the following data is mandatory:

- First and last name
- Address
- Email address
- If applicable, customer data (e.g. customer number)
- Text entries
- If applicable, telephone number (e.g. for queries or answering customer inquiries)

Unless otherwise stated in this privacy policy, all other information is voluntary.

XIV. Does automated decision-making (e.g. profiling) take place?

An automated decision, including profiling, does not take place.

XV. How can you contact us?

You can contact us either by post, telephone or email (see above). If you contact us, for example by email or via our contact form, we will automatically save the personal data you voluntarily send to us for the purpose of processing your inquiry or contacting you. This data will not be passed on to third parties.

XVI. How do we secure our website?

Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk (Art. 32 GDPR). These measures include, in particular, safeguarding the confidentiality, integrity and availability of data. We have also established business processes that ensure, in particular, the protection of data subject rights, the deletion of data and the response to data breaches. In addition, we observe the principles of data protection law, including data protection through technology design and through data protection-friendly default settings (privacy by design and privacy by default, Art. 25 GDPR).

For security reasons and to protect the transmission of your personal data and other confidential content, we use encrypted transmission via an SSL certificate on our website. You can recognize this by the fact that "https" (instead of "http") appears in the address bar of your browser, together with a lock symbol and a different colour display.

XVII. What are cookies and how do we use them?

We use so-called cookies on our website. These are small files containing text information that are saved by your browser or stored on your device.

So-called transient (or temporary) cookies are automatically deleted when you close your browser. This includes, in particular, session cookies. These save a specific identifier (the so-called session ID), which allows your device to be recognized when you return to our website. This allows, for example, the contents of an online shop's virtual shopping cart or your login status to be saved. Session cookies are deleted when you log out or close your browser.
So-called persistent (or permanent) cookies are automatically deleted after a certain period of time; the storage period varies depending on the cookie. This means, for example, that user information can be saved for reach measurement or marketing purposes, or even a login status, for longer periods of time.

A distinction must also be made between so-called first-party cookies and third-party cookies, whether temporary or permanent. The former are set by the responsible party, while the latter are set by third-party providers.

You can delete cookies at any time using the security settings in your browser or, for example, refuse to accept third-party cookies. If you generally wish to object to the use of cookies for online marketing purposes, you can do so with various services or providers, for example via the American website www.aboutads.info/choices or the European website www.youronlinechoices.com. Please note that if you do, you may not be able to use all the functions of our website.

We may use temporary or permanent cookies, as well as first-party and third-party cookies, on our website, for example to identify you on subsequent visits if you have an account with us (otherwise you would have to log in again on each visit). You will find further information about this below in our privacy policy. We currently only use cookies that are technically necessary to provide our services (e.g. to store the login status). The legal basis for the use of cookies is Art. 6 (1) (f) GDPR. If other, technically unnecessary cookies are used, we will obtain your consent (Art. 6 (1) (a) GDPR).

XVIII. What about our profiles on social networks?

We operate the following profiles on social networks in order to be able to contact the users active there and inform them about our services. When you access the respective networks, the terms and conditions and the data protection information of the respective operators apply.
Unless otherwise stated in our privacy policy, we only process user data if they contact us within the social networks, for example by posting on our profile pages or sending us messages.

Our social media profiles:

[List the social networks you are represented on here, e.g. Facebook, LinkedIn, Instagram...]