Responsible controller and service provider
Lilienthalallee 40 / MOC C229
The protection of your personal data is very important to us. Therefore, we would like to inform you below regarding which data from your visit is used for which purposes. Should there be any further questions regarding the handling of your personal data, you are welcome to contact our data protection officer.
Data protection officer
The data protection officer for the controller is:
Lilienthalallee 40 / MOC C229
1 Basic information on the handling of data
1.1 Extent of processing of personal data
In principle, we collect and use personal data of our users only insofar as this is necessary for the provision of a functional website as well as our content and services as well as for the implementation of our corporate purpose. The collection and use of personal data of our users takes place regularly only with the consent of the user. Exceptions apply in cases in which prior consent is not possible for reasons of fact and the processing of the data is permitted by law.
1.2 Purposes and legal basis for the processing of personal data
We process personal data only to fulfil our contractual obligations or to safeguard our overriding legitimate interests. Our legitimate interests are based on the implementation of our corporate purpose.
Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 (1) (a) EU General Data Protection Regulation (GDPR) forms the legal basis for the processing of personal data.
In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR forms the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Insofar as processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR forms the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR forms the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the former interest, Art. 6 (1) (f) GDPR forms the legal basis for processing.
1.3 Categories of recipients and personal data, origin of the same; data transmission
We pass on personal data for the implementation of our corporate purpose to our business partners and service providers. To implement our corporate purpose, we typically use contact and address data of our customers and business partners. We typically receive the personal data directly from the data subject or with the consent of the data subject, and in exceptional cases also from third parties.
1.4 Transmission to third countries
In principle, we do not share personal data with recipients in third countries (i.e. countries outside the EU). If transmission to recipients in third countries takes place, we ensure that, in addition to the non-disclosure requirement for the transmission, the third-country recipient ensures an adequate level of data protection (or an exemption under Art. 49 (1) GDPR is present).
1.5 Data security
We have taken extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security procedures are regularly reviewed and adapted to technological progress.
1.6 Data deletion and storage duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place if a storage period prescribed by the mentioned standards expires, unless there is a need for further storage of the data for conclusion of the contract or fulfilment of the contract.
2 General data collection when visiting our website
In the event of merely informative use of the website, i.e. if you do not register or otherwise provide us with information, we will only collect the personal data that your browser transmits to our server.
As part of the balance of interests pursuant to Art. 6 (1) (f) GDPR, we have considered and balanced our interest in the provision and your interest in the processing of your personal data in accordance with data protection. Since the following data for the provision of our service is technically necessary to offer you our website and also to ensure its stability and security, in particular to provide protection against misuse, we have come to the conclusion that this data - with a data security guarantee based on the state of technology - can be processed, taking due account of your interest in privacy-compliant processing.
2.1 Description and scope of the data collection
Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer.
The following data is collected here:
1. Information about the browser type and version used
2. The operating system and user interface
3. The Internet service provider of the user
4. The IP address of the user
5. Access Status / HTTP status code
6. Date and time of access
7. Time zone difference to Greenwich Mean Time
8. Content of the requirement (specific website)
9. Transmitted amount of data
10. Websites from which the system of the user visits our website
11. Websites that are accessed by the user’s system through our website
12. For mobile devices: Manufacturer and type designation of smartphones, tablets or other mobile devices
13. Low-level tracer
The data is also stored in the log files of our system. Storage of this data together with other personal data of the user does not take place.
2.2 Legal basis of data processing
The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.
2.3 Purpose of data processing
The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user’s IP address must be kept for the duration of the session.
Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. In particular, the data helps us to adapt our website and our other information technology systems to the browsers, operating systems and devices used.
An evaluation of the data for marketing purposes does not take place in this context.
Our legitimate interest in the processing of data according to Art. 6 (1) (f) GDPR also lies in these purposes.
2.4 Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. When data is collected for the purpose of providing the website, the data is deleted when the respective session is completed.
When the data is stored in log files, the data is deleted after no more than seven days. Additional storage beyond this is possible. In this case, the IP addresses of the users are deleted or alienated, so that assignment of the visiting client is no longer possible.
2.5 Possibility of objection and correction
The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no possibility of objection on the part of the user.
3.1 Data collection at registration
On our website, we offer users the opportunity to register by providing personal data. The data is entered into an input mask and transmitted to us and stored. Transmission of data to third parties does not take place. The following data is collected during the registration process:
- Academic title (optional)
- First name
- Last name
- Phone number
- Company (optional)
At the time of registration, the following data is also stored:
1. The IP address of the user
2. Date and time of registration
3. Customer number
4. Entity ID
5. E-mail hash
As part of the registration process, the consent of the user to process this data is obtained. After registration, you will receive personal, password-protected access and can view and manage the data you have stored. Registration is voluntary, but may be required to use our services.
3.2 Legal basis for data processing
The legal basis for the processing of the data in the presence of the consent of the user is Art. 6 (1) (a) GDPR.
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, then additional legal basis for the processing of the data is Art. 6 (1) (b) GDPR.
3.3 Purpose of data processing
Registration of the user is required for the provision of certain content and services, in particular the extended use of our webshop on our website.
Registration of the user additionally serves to fulfil a contract with the user or to carry out pre-contractual measures. The registration refers in particular to the use of our webshop.
Typically, purchase contracts for the following product groups are concluded via the webshop:
3.4 Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection.
This is the case for the data collected during the registration process when the registration on our website is cancelled or modified.
Insofar as the data collected during the registration process is required to fulfil a contract or to carry out pre-contractual measures, the data will be deleted only when it is no longer required for the execution of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contracting party in order to comply with contractual or legal obligations.
Personal data is stored for fraud prevention purposes.
The deletion deadlines for fraud prevention purposes are 6 months, for actual fraud attempts 6 months.
3.5 Possibility of objection and correction
As a user, you have the option of cancelling the registration at any time. The data stored about you can be changed at any time.
You can request deletion or change of your data by sending an e-mail to firstname.lastname@example.org.
If the data is necessary for the fulfilment of a contract or for the execution of pre-contractual measures, premature deletion of the data is only possible, as far as contractual or legal obligations do not preclude such deletion.
4.1 Data collection in the context of contact
A contact form available on our website, which can be used for electronic contact. If a user has accepted this option, the data entered in the input mask will be transmitted to us and saved. This data includes:
The following is a list of the data in the input mask:
1. First and last name
2. E-mail address
At the time of sending the message, no data is stored.
Alternatively, contact is possible via the provided e-mail address. In this case, the user’ personal data transmitted by e-mail will be stored.
The data is not transmitted to third parties in this context. The data is used exclusively for processing the conversation.
4.2 Legal basis for data processing
The legal basis for the processing of the data in the presence of the consent of the user is Art. 6 (1) (a) GDPR.
The legal basis for the processing of the data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. If the e-mail contact aims to conclude a contract, then the additional legal basis for the processing is Art. 6 (1) (b) GDPR.
4.3 Purpose of data processing
The processing of the personal data from the input mask serves us only for the processing of the contact. In the event of contact via e-mail, this also includes the necessary legitimate interest in the processing of the data.
The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
4.4 Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. Personal data from the input mask of the contact form and data sent by e-mail is deleted when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that matter has been ultimately clarified.
The additional personal data collected during the sending process will be deleted at the latest after a period of seven days.
4.5 Possibility of objection and correction
The user has the opportunity to revoke their consent to the processing of personal data at any time. If the user contacts us by e-mail, they may object to the storage of their personal data at any time. In such an event, the conversation cannot continue.
The revocation of consent as well as objection to the storage of your personal data can be sent by e-mail to email@example.com.
All personal data stored in the course of contacting will be deleted in this case.
5 Personalised newsletter
With your consent, you can subscribe to our newsletter, which informs you about our current interesting offers.
To register for our newsletter, we use the so-called double opt-in procedure. This means that after stating your e-mail address, we will send you a confirmation e-mail to the specified e-mail address asking you to confirm that you wish to receive the newsletter. If you do not confirm within a period of 72 hours, the specified data will be deleted automatically. If you confirm the desire to receive the newsletter, we will save your e-mail address until you unsubscribe from the newsletter. The sole purpose of the storage is to be able to send you the newsletter. Furthermore, we store your IP addresses and the registration and confirmation times in order to prevent misuse of your personal data.
The e-mail address alone is required for the transmission of the newsletter. The specification of further, separately marked, information is voluntary and will be used solely to personalise the newsletter. This data is also completely deleted upon revocation. In addition, we store your used IP addresses and the registration and confirmation times. The purpose of the procedure is to prove your registration and, if necessary, to clarify possible misuse of your personal data. After your confirmation we will save your registration data for the purpose of sending you the newsletter. The legal basis is Art. 6 (1) (a) GDPR.
You can revoke your consent to the sending of the newsletter at any time. You can unsubscribe from all newsletters at any time and without giving any reasons or only unsubscribe from special newsletters. The unsubscribe link can be found in every newsletter sent by us under “unsubscribe”. You can provide your revocation by clicking on the link provided in each newsletter e-mail and sending an e-mail firstname.lastname@example.org. The data you provide will not be disclosed to third parties.
We point out that we evaluate your user behaviour when sending you the newsletter. The e-mails sent contain so-called web beacons, also called tracking pixels, for this evaluation. These are one-pixel image files that link to our website, allowing us to evaluate your user behaviour. This is done by collecting web beacons, which are assigned to your e-mail address and linked with your own ID. Links in the newsletter also contain these. With the data obtained in this way, we create a user profile in order to provide you with the newsletter tailored to your interests. In doing so, we record when you read our newsletters and which links you click on in the newsletters, and from this we infer your personal interests. We link this data with the actions you have taken on our website.
The information collected in this way is stored on a server in the European Union.
You can object to this tracking at any time by clicking on the separate link provided in each e-mail or by contacting us via the contact channels. Such tracking is also not possible if you disable the display of images by default in your e-mail program. However, in this case the newsletter will not be displayed completely, and you may not be able to use all the features. If you have the images displayed manually, the above tracking is done.
If you have registered in our webshop and have added products to your wish list, you will receive e-mails with information on discounts, on new availability and on the last available item of the products in your wish list. You can unsubscribe from these notifications by clicking the check mark at the end of the wish list.
6 Your order in our online shop
If you wish to order in our webshop, it is necessary for the conclusion of the contract that you provide your personal data, which we need for the processing of your order. Obligatory information necessary for the execution of the contracts is marked separately; other information is provided voluntarily. We process the data provided by you in order to process your order. We may pass on your payment data to the payment service provider you have selected for this purpose. In addition, we will forward your address data to the selected shipping logistics service provider for processing the shipment.
The legal basis for this is Art. 6 (1) (b) GDPR.
We may also process the data you provide to inform you of other interesting products from our portfolio or to send you e-mails with technical information.
Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of ten years. However, after [two years] we limit processing, i.e. your data will only be used to comply with the legal obligations.
You may object to the use of your data for advertising and data analysis purposes at any time. Please send your objection to email@example.com.
To prevent unauthorized access to your personal data, in particular financial data, the ordering process is encrypted by means of a hybrid encryption protocol for secure data transmission “Secure Socket Layer” (SSL).
Most browsers accept cookies automatically. If you want to prevent the storage of cookies, you can choose “do not accept cookies” in the browser settings. You can refer to the instructions of your browser manufacturer regarding how this works in detail. Cookies that are already stored on your computer can be deleted at any time. We point out, however, that our website may only be used to a limited extent in this case.
8 First-party cookies
This type of cookies is set by the website that the user visits. Only this website may read information from the cookies.
9 Third-party cookies
Third-party cookies are set by organisations that are not operators of the website the user visits. These cookies are used for example by marketing companies.
10 Cookies used
The following data is stored and transmitted in the cookies:
Below is a listing of the stored data. Examples can be:
1. Language settings
2. Article in a shopping cart
3. Log-in information
In this way, the following data can be transmitted:
The following is a list of the collected data. This can for example be:
1. Entered search terms
2. Frequency of page views
3. Use of website functions
4. Device or browser information
5. Prestigious products and categories
6. Calling up the wish list and the shopping cart as well as the addition of new products
7. Number of products in the shopping cart
8. Place of origin of the page visitors
9. Reduced IP address
10. E-mail hash
The data of the users collected in this way is pseudonymised by technical precautions. Therefore, an assignment of the data to the calling user is no longer possible.
10.2 Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 (1) (f) GDPR.
10.3 Purpose of data processing
We require cookies for the following functions:
- Shopping cart
- Protection against attacks on the website
- Remembering session settings
The user data collected by technically necessary cookies will not be used to create user profiles.
The use of the analysis cookies is for the purpose of improving the quality of our website and its contents. Through the analysis cookies we learn how the website is used and so we can constantly optimise our offer. In addition, we can thereby ensure quality assurance and constantly improve the user experience.
Our legitimate interest in the processing of personal data pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
10.4 Duration of storage, objection and disposal options
Our website uses transient cookies. These are automatically deleted when you close your browser. Typically, these are so-called session cookies. These cookies store a so-called session ID, with which various requests from your browser can be assigned to the common session. This will allow your computer to be recognised when you return to our website. These cookies are deleted when you log out or close the browser.
Our website also uses persistent cookies. These cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can also delete these cookies at any time.
Our website also uses Flash cookies. The Flash cookies used are not captured by your browser but by your Flash plug-in. We also use HTML5 storage objects, which are stored on your device. These objects store the required data regardless of your browser and do not have an automatic expiration date. If you do not want processing of Flash cookies, you must install an add-on such as “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/en/firefox/addon/betterprivacy/) or the Adobe Flash killer cookie for Google Chrome. You may also partially block the use of Flash cookies by changing the settings of your Flash player. You can prevent the use of HTML5 storage objects by using the private mode in your browser. In addition, we recommend that you regularly delete your cookies and the browser history manually.
11 Special tools
In addition to the aforementioned cookies, we use other tools for the purposes of usage analysis, offer optimisation, marketing analysis and advertising optimisation. For these tools, the explanations in section 12 do not apply. We inform you about each of these special features, including the scope of the data collection, the legal basis, the purposes of data collection and your ability to prevent the use of these tools.
12.6 Adobe Tracker
We use the following technology from Adobe Systems Software Ireland Limited (4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland):
12.6.1 Adobe Audience Manager
Everest Tech (AdobeSystem Ireland Ltd.) is an advertising solution that enables businesses to optimise their online search engine advertising. Therefore, Adobe sets a cookie as soon as you have bought or placed something in the shopping cart after clicking on the Google search engine on brunate.com.
Only information such as Keyword, OrderID, ProductID, and Sales are sent to Adobe.
According to Adobe, no further personal data is collected.
There is a transfer of personal data to the US. Guarantees pursuant to Art. 44 ff. GDPR exist through the subjugation of Adobe under the Privacy Shield, which you can find here.
The legal basis for processing the data is Art. 6 (1) (f) GDPR. . We use the service provider Adobe to optimise our search engine campaigns on Google, thereby improving our advertising efficiency. Our legitimate interest pursuant to Art. 6 (1) (f) GDPR lies therein.
We do not provide any personal data. If you do not want Adobe to receive anonymised data, you can click here http://www.adobe.com/de/privacy/opt-out.html. If you would like more information about Adobe, you can find all the privacy topics here: https://www.adobe.com/de/privacy/marketing-cloud.html.
12.7 Google Tracker
We use technology from Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, which is part of Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; “Google”).
12.7.1 Google AdWords and Conversion Tracking
To promote our services, we run Google Adwords ads using Google Conversion Tracking for personalised, interest-based, and location-based online advertising. The option to anonymise the IP addresses is regulated in the Google Tag Manager via an internal setting that is not visible in the source of this page. This internal setting is set so that the anonymisation of IP addresses required by the Federal Data Protection Act is achieved.
The ads will by displayed according to search queries on websites of the Google network. We have the opportunity to combine our ads with specific keywords. With the help of cookies, we can display advertisements based on the previous visits of a user to our website.
Using this technology, Google and we as a customer receive information that a user clicked on an ad and was redirected to our webpages. The information obtained here is used exclusively for statistical evaluation for ad optimisation. We do not receive any information that personally identifies visitors. The statistics provided to us by Google include the total number of users who have clicked on one of our ads and, if applicable, whether they have been redirected to a conversion-tagged page of our website. Based on these statistics, we can understand which search terms have often led to clicks on our ads and which ads lead to contact by the user via the contact form.
If you do not want this to happen, you can prevent the storage of the cookies required for these technologies, for example, through the settings of your browser. In this case your visit will not be included in the user statistics.
You can prevent participation in this tracking process in several ways:
a) By setting your browser software accordingly, the suppression of third-party cookies in particular will prevent you from receiving any third-party advertisements;
b) By disabling the cookies for conversion tracking by setting your browser to block cookies from the domain “www.googleadservices.com”, https://www.google.com/settings/ads - this setting will be be deleted when you delete your cookies;
c) By deactivating the interest-based advertisements of the providers that are part of the “About Ads” self-regulation campaign via the link http://www.aboutads.info/choices - this setting will be be deleted when you delete your cookies;
d) By permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to use all features of this offer in full.
The legal basis for the processing of your data is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the knowledge gained through evaluation of the statistics on the user behaviour and the effectiveness of our advertisements. This, in turn, serves to constantly improve our website and our advertising presence.
For more information about privacy at Google, see http://www.google.com/intl/en/policies/privacy and https://services.google.com/sitestats.html. Alternatively, you can visit the Network Advertising Initiative (NAI) website at http://www.networkadvertising.org. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US Framework. However, we and Google continue to receive statistical information on how many users visited this page. If you also do not want to be included in these statistics, you can prevent this with the help of additional programs for your browser (for example with the add-on Ghostery).
12.7.2 Google Analytics and Conversion Tracking
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Use is done on the basis of Art. 6 (1) (f) GDPR. Google Analytics uses so-called “cookies”, text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of the website such as
• Browser type / version,
• Operating system used,
• Referrer URL (the previously visited page),
• Host name of the accessing computer (IP address),
• Time of the server request,
are usually transmitted to a Google server in the US and stored there. The IP address provided by Google Analytics as part of Google Analytics will not be merged with other Google information. We have also extended Google Analytics with the code “anonymizeIP” on this website. This guarantees the masking of your IP address so that all data is collected anonymously. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
For the exceptional cases in which personal data is transferred to the US, Google has submitted to the EU-US Privacy Shield https://www.privacyshield.gov/EU-US-Framework.
On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website usage and internet usage to the website operator. This constitutes our legitimate interest within the meaning of Art. 6 (1) (f) GDPR.
You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the features of this website to the full extent.
You may also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. An opt-out cookie will be set which prevents the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.
This website also uses Google Analytics for cross-device analysis of visitor traffic, carried out via a user ID. You can disable the cross-device analysis of your use in your customer account under “My Data”, “Personal Data”.
12.7.3 Google AdWords and Google Analytics Remarketing Lists for Search Ads (RLSA)
brunate.com uses Google AdWords and Google Analytics Remarking Lists for Search Ads (RLSA). Here, users who visit brunate.com are tracked via a Google Tag and their behaviour is recorded. Their list membership has a standard duration of 30 days and a maximum duration of 540 days.
The information generated by the cookie about your use of the website such as
• Browser type / version,
• Operating system used,
• Referrer URL (the previously visited page),
• Host name of the accessing computer (IP address),
• Time of the server request,
Recorded behaviours, such as page time spent, completed or cancelled, and direct bounces on the visit, can be used to customise the ads on Google’s search results pages.
For the exceptional cases in which personal data is transferred to the US, Google has subjected itself to the EU-US Privacy Shield, which you can find here.
The legal basis for processing the data is Art. 6 (1) (f) GDPR. Our legitimate interest lies in analysing the effectiveness of our advertising and the concomitant continuous improvement of our advertising efficiency.
If you want to object to the use of the data, then please click here.
12.7.4 Google Dynamic Remarketing
On our website we use the Dynamic Remarketing feature of Google AdWords. The technology allows us to post automatically generated, targeted ads after you visit our website. The advertisements are based on the products and services you clicked on during the last visit to our website.
If you do not want to receive user-based advertising from Google, you can opt out of advertising from Google using the display setting.
For the exceptional cases in which personal data is transferred to the US, Google has submitted to the EU-US Privacy Shield.
The legal basis for the processing of the data is Article 6 (1) (f) GDPR. Our legitimate interest lies in the offer of personalised advertising and the associated increase in our advertising efficiency.
12.7.5 Google Shopping Reviews
brunate.com uses Google Shopping Reviews. After placing the order, buyers are given the opportunity to submit a rating from brunate.com to other potential customers.
Should a customer agree to this, the following information will be provided:
E-mail address (to send the evaluation survey) Country of delivery
Estimated time of delivery (for the time of sending the survey)
For the exceptional cases in which personal data is transferred to the US, Google has subjected itself to the EU-US Privacy Shield, which you can find here. The legal basis for processing the data is Art. 6 (1) (a) GDPR.
Our legitimate interest lies in your consent to participate in the survey. This data must be collected so that the third-party Google Shopping Reviews commissioned by us can provide you with an independent survey upon our consent regarding the delivery of your order.
The storage duration of your data is 12 months.
We use Crashlytics (a service of Google Ireland Ltd., Gordon House, Barrow St, Dublin 4, Ireland) in the brunate.com app for quality measurement and evaluation of the usage behaviour of our app users. The focus of Crashlytics is on measuring technical crashes of the app, with the goal of making the app more stable and avoiding errors in the app source code for better usability. Furthermore, we can use Crashlytics to understand which app version the user is on and whether a user updates the app regularly. The information we collect is not linked to personally identifiable information in the analysis software.
Crashlytics uses the following personal information:
• IP address (anonymised)
• Device-related data such as device type, model, operating system, browser type and version
• Usage-related information such as time of use, length of stay, place of origin
The legal basis for processing the data is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the usage analysis and the associated continuous optimisation of our website.
Data transfer to the USA occurs. Guarantees pursuant to Art. 44ff GDPR exist through the subjection of Cashlytics to the Privacy Shield, which you can find here.
If you want to object to the transmission of data, send an e-mail to firstname.lastname@example.org.
16 Direct advertising permission in accordance with Section 7 (3) UWG
We use the e-mail address collected when you purchase a product on our website for direct advertising for our own and similar products. If you no longer wish to receive direct advertising, you can object to the use of your e-mail address at any time. There is a corresponding link in each newsletter for this purpose. You can also contact us by e-mail email@example.com to request the cancellation of the newsletter.
17 DISTRIBUTION OF DATA
A transfer of your personal data to third parties for purposes other than those listed does not take place.
We only share your personal data with third parties if:
• You have given your express consent,
• Disclosure is required to assert, exercise or defend any legal claim and there is no reason to believe that you have an overriding interest in not disclosing your information,
• In the event that there is a legal obligation to disclose, and
• It is permitted by law and is required for the execution of contractual relationships with you.
When transmitting data outside the European Union, the high European level of data protection generally does not exist. With regard to a transfer, it may be that there is currently no adequacy decision of the EU Commission within the meaning of Art. 45 (1), (3) GDPR. This means that the EU Commission has so far not positively established that the country-specific level of data protection corresponds to the level of data protection of the European Union under the GDPR, so we have created the aforementioned appropriate guarantees.
Possible risks that may not be completely ruled out in connection with data transmission are in particular:
• Your personal data may possibly be processed beyond its intended purpose.
• In addition, there is the possibility that you may not assert or enforce your privacy rights, such as your right to information, correction, deletion or data portability.
• There may also be a higher likelihood that data processing may be incorrect and that the protection of personal data does not quantitatively and qualitatively meet the requirements of the GDPR.
20 RIGHTS OF DATA SUBJECTS
20.1 Rights of data subjects
If personal data is processed by you, you are a data subject within the meaning of the GDPR and you have the following rights vis-a-vis the controller:
20.2 Right to information
You may required the controller to confirm if personal data concerning you is processed by us.
If such processing occurs, you can request information from the controller about the following:
1. The purposes for which the personal data is processed;
2. The categories of personal data that are processed;
3. The recipients or the categories of recipients to whom the personal data relating to you has been or will be disclosed;
4. The planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
5. The existence of a right to correction or deletion of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
6. The existence of a right of appeal to a supervisory authority;
7. All available information on the source of the data if the personal data is not collected from the data subject;
8. The existence of automated decision-making including profiling under Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
You have the right to request information about whether the personal data relating to you is transferred to a third country or an international organisation. In this regard, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR with regard to the transfer.
20.3 Right to correction and restriction
You may request the restriction of the processing of your personal data under the following conditions:
1. If you contest the accuracy of your personal data for a period of time that enables the controller to verify the accuracy of your personal data;
2. The processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of the personal data;
3. The controller no longer needs the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims; or
4. If you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest to the Union or a Member State.
If the processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
20.4 Right to deletion
a) Obligation to delete
You may require the controller to delete your personal data without delay, and the controller is required to delete that information immediately if one of the following applies:
1. Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You revoke your consent to the processing pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal basis for the processing.
3. Pursuant to Art. 21 (1) GDPR, you object to the processing and there are no prevailing justifiable reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. Your personal data has been processed unlawfully.
5. The deletion of personal data concerning you is required to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
6. The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
b) Information to third parties
If the controller has made the personal data relating to you public, and pursuant to Art. 17 (1) GDPR is obligated to delete the data, it shall take appropriate measures, including technical ones, to inform data controllers who process the personal data, taking into account available technology and implementation costs, that you as a data subject have requested deletion of all links to such personal data or all copies or replicas of such personal data.
The right to deletion does not exist if the processing is necessary.
1. To exercise the right to freedom of expression and information;
2. To fulfil a legal obligation which requires processing under the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of public authority delegated to the controller;
3. For reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
4. For archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, to the extent that the right referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing; or
5. To assert, exercise or defend legal claims.
20.5 Right to information
If you have the right of correction, deletion or restriction of the processing vis-a-vis the controller, it is obliged to notify all recipients to whom the personal data concerning you has been provided of the correction, deletion or restriction of the processing unless this proves to be impossible or involves a disproportionate effort.
You have the right vis-a-vis the controller to be informed about these recipients.
20.6 Right to data portability
You have the right to receive personally identifiable data you provide to the controller in a structured, common and machine-readable format. You also have the right have this data transferred to another controller without hindrance by the controller to whom you provided the data, provided that:
1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
2. the processing is done by automated methods.
In exercising this right, you also have the right to obtain that personal data relating to you be transmitted directly from one controller to another controller, as far as technically feasible. Freedoms and rights of other persons may not be affected.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.
20.7 Right to objection
You have the right at any time, for reasons arising from your particular situation, to object to the processing of your personal data, which occurs pursuant to Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.
If the personal data relating to you is processed for direct advertising purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, your personal data will no longer be processed for these purposes.
Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to objection by means of automated procedures that use technical specifications.
20.8 Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
20.9 Automated decision on a case-by-case basis, including profiling
You have the right not to be subjected to a decision based solely on automated processing – including profiling – which will have legal effect or affect you in a similar manner. This does not apply if the decision
1. Is required for the conclusion or performance of a contract between you and the controller,
2. Is permitted under Union or Member State legislation to which the controller is subject, and such legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
3. Occurs with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests.
With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to uphold your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person at the controller, to express your own position, and to challenge the decision.
20.10 Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates the GDPR.
The supervisory authority to which the appeal has been submitted shall inform the complainant of the status and results of the appeal, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The following supervisory authority is responsible for the controller:
Bayerisches Landesamt für Datenschutzaufsicht
Phone: 0981 53 1300
21 RIGHT REGARDING PROCESSING FOR DIRECT ADVERTISING
Pursuant to Art. 21 (2) GDPR, you have the right to object at any time to the processing of personal data concerning you. In the event of your objection to processing for the purpose of direct advertising, we will no longer process your personal data for these purposes. Please note that the objection only applies for the future. Processing that took place before the objection is not affected.
22 NOTICE ON THE RIGHT TO OBJECTION REGARDING THE WEIGHING OF INTERESTS
Insofar as we base the processing of your personal data on a balance of interests, you may object to the processing. In the event of such an objection, we ask you to explain the reasons why we should not process your personal data as described by us. In the case of your justified objection, we will examine the situation and will either discontinue or adapt the data processing or explain to you our compelling reasons worthy of protection.
23 LINKS TO OTHER WEBSITES
In case of disputes the German language version is applied.
As of 01/01/2019