1. CONTENT OF THIS STATEMENT
Data collection takes place for the distribution, sale as well as procurement of products and services and all associated secondary transactions. Secondary purposes are accompanying or supporting functions such as the administration of personnel, suppliers and service providers. If we have received your consent, we will contact you for marketing purposes, for example by e-mail, letter or telephone, to inform you about products, offers or special events.
In this Data Protection Statement, we shall explain to you our handling of your personal data when you visit us at siku.de. In addition, we will inform you of your rights under the General Data Protection Regulation (GDPR).
2. DATA CONTROLLER AND DATA PROTECTION OFFICER
The data controller within the meaning of the GDPR for the processing of your data on siku.de is:
Schlittenbacher Straße 60
58511 Lüdenscheid, Germany
The contact data of our Data Protection Officer is:
Mr. Friedhelm Kolks
Schlittenbacher Straße 60
58511 Lüdenscheid, Germany
3. INDIVIDUAL FUNCTIONS OF THE WEB SITE
In the following, we will explain to you the handling of your data when you use individual functions of our Web site.
3.1. CONTACT FORM / FEEDBACK
We use the information you provide in the contact form (e.g. subject, message, contact data) for the processing of your respective request. Your name and form of address are for personal use only.
Our legitimate interests (facilitating customer contact) and, if you are a customer or want to become one, the fulfilment of the contract, e.g. the processing of an order, constitute the legal basis for the processing. The respective competent department (e.g. Customer Service) is the recipient of your message. We will delete your message upon completion; or else after the expiration of the statutory retention periods.
3.2. SUBSCRIPTION TO THE NEWSLETTER
For you to be able to subscribe to a newsletter, we need your e-mail address. Stating your name is voluntary; it is used to address you personally.
By ordering the newsletter, you grant us your data protection consent to send you information on products and services of Sieper GmbH relating to toys, in particular toy models, by e-mail. You can revoke this consent at any time with effect for the future by clicking on the unsubscribe link provided in the newsletter or by sending us a message.
After registration, you will receive an e-mail asking you to click on a confirmation link. Only after this confirmation will you receive the subscribed newsletter (double opt-in). We log the date/time and IP address of this confirmation.
Your consent constitutes the legal basis for the processing. We will delete your data when you unsubscribe from the newsletter.
Our newsletters contain special images (Web bugs) and similar techniques, on the basis of which we can recognise whether and when an e-mail has been opened. When a link is clicked on in a newsletter, we also record it. However, we use this data only statistically (i.e. without reference to individuals) in order to optimise our newsletters and offers and to understand better what interests our customers.
3.3. PRIZE GAME
Sieper GmbH collects and uses the data of the participants only for the purpose of implementing the prize game. Any further collection and use of the data takes place only to the extent that the participants agree to it.
The specification of personal data is required for the participation in the prize game. The participant expressly agrees that the data transmitted by him may be collected and processed for the purpose of implementing and executing the prize game. The participant also agrees to receiving news concerning the prize game from Sieper GmbH at the e-mail address filed by him. In the event of a revocation, the participant will be excluded from the prize game.
The personal data entered and transmitted by the participant is collected, stored, used and passed on to third parties, e.g. for the delivery of the prize (mail service, parcel service) by Sieper GmbH solely for the purpose of implementing and executing the prize game. After full implementation of the prize game, the data is immediately and permanently deleted.
The subscription to the newsletter is not mandatory for taking part in the prize game. When you subscribe to the newsletter, we use your e-mail address for sending the newsletter. In this case, the provisions in Item 3.2 apply.
3.4. GOOGLE MAPS
We can use on our Web site services by Google LLC (United States) for the display of maps (e.g. when searching for dealers). In this context, we and Google act with joint responsibility under the data protection law. To display the map, it is necessary that Google processes your IP address.
In relation to the map service provided by Google, the data protection statement of Google applies. With the use of Google Maps, you enter into a direct user relationship with Google.
The cooperation with Google in terms of data protection law is based on a concluded contract on joint responsibility between Google and us pursuant to Section 26 GDPR.
The execution of the contract (provision of the map service) and our legitimate interest in the involvement of a specialised map provider constitute the legal basis for this data processing.
Google has a so-called EU-U.S. Privacy Shield certification. The EU-U.S. Privacy Shield Agreement is a data protection agreement designed to ensure an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has established the adequacy of the assured data protection level according to the EU-U.S. Privacy Shield agreement with a decision on 12 July 2016 (file no. C(2016) 4176). You can view the current status of the certification of Google according to the EU-U.S. Privacy Shield agreement online.
3.5. FACEBOOK PLUGINS
We have integrated plugins of Facebook on our Web site. When you access pages containing such plugins, a direct connection between your device and Facebook is created, and Facebook can collect and process data on your use of the Web site.
We use on our Web site plugins of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”). This includes, in particular, the integration of posts of our Facebook presence in the “News” > “Social” menu.
When you access a page of our online offer that contains such a plugin, your device creates a direct connection with the servers of Facebook. The content of the plugin is transmitted by Facebook directly to your device. In so doing, Facebook can create user profiles about you from the processed data.
By integrating the plugins, Facebook receives the information that you have accessed the respective page of our Web site. If you are logged into Facebook, Facebook can allocate your visit to your Facebook account. If you interact with the plugins, e.g. by clicking the “Like” button, the corresponding information is directly transmitted by your device to Facebook and stored there. If you are not a member of Facebook, it is still possible that Facebook learns your IP address and stores it.
We have no influence on the amount of data that Facebook collects with the help of this plugin. Please refer to the data protection statement of Facebook to learn more about the purpose and scope of the data collection and the further processing of this data by Facebook as well as about your rights and setting options for the protection of your privacy.
If you are a Facebook member and want to restrict the data use by Facebook, make certain you log out of your Facebook user account and delete cookies on your device. Other settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the American site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ . The settings are platform-independent, i.e. they are adopted for all devices, such as desktop computers or mobile devices. You can also completely prevent the download of Facebook plugins with add-ons for your browser.
Facebook has a so-called EU-U.S. Privacy Shield certification. The EU-U.S. Privacy Shield Agreement is a data protection agreement designed to ensure an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has established the adequacy of the assured data protection level according to the EU-U.S. Privacy Shield agreement with a decision on 12 July 2016 (file no. C(2016) 4176). (Retrieve the decision of the EU Commission.) You can view the current status of the certification of Facebook according to the EU-U.S. Privacy Shield agreement online.
Our legitimate interests, in particular our interest in the integration of our Facebook content and the generation of “Likes”, constitute the legal basis for the data processing in connection with Facebook plugins.
3.6. VIDEOS (YOUTUBE)
We have integrated plugins of YouTube for display on our Web site. When you access pages with these plugins, only a preview image is initially displayed. When you click on them, a direct connection between your device and YouTube is created for playing the video, and YouTube can collect and process further data on your use of the Web site.
We use on our Web site videos and plugins of YouTube. YouTube is a service provided by YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, United States; “YouTube”). YouTube LLC is a subsidiary of Google LLC (1600 Amphitheatre Pkwy, Mountain View, CA 94043, United States; “Google”).
We use the so-called “advanced data protection mode” of YouTube. This means that when our Web pages are accessed, only a preview image of the embedded videos of YouTube, or Google, is retrieved.
Only when you open the video with a click is further data transmitted to YouTube, or Google, and cookies are placed by these third party providers. When you are logged into a YouTube or Google account, additional data on the video access can be directly allocated to your account (depending on your account settings). If you don’t want such an allocation to your profile, you must first log out of your YouTube or Google account.
Google has a so-called EU-U.S. Privacy Shield certification that is also valid for the subsidiary YouTube. The EU-U.S. Privacy Shield Agreement is a data protection agreement designed to ensure an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has established the adequacy of the assured data protection level according to the EU-U.S. Privacy Shield agreement with a decision on 12 July 2016 (file no. C(2016) 4176).
You can view the current status of the certification of Google according to the EU-U.S. Privacy Shield agreement online.
For more information on the purpose and scope of the data collection and processing by YouTube and Google, please refer to the data protection statement of Google: https://www.google.com/intl/de_de/policies/privacy/. There you will also find more information on your rights in this regard and setting options to protect your privacy.
Your data will be processed on the basis of Section 6 (1) p. 1 f) GDPR (balancing of interests) and in our interest in order to make the videos available to you on our Web site and, at the same time, to relieve our servers.
3.7. BROWSE CATALOGUE (YUMPU)
We use a function of the provider i-magazine AG (“Yumpu”), Gewerbestrasse 3, 9444 Diepoldsau, Switzerland, to display our pdf catalogue on our Web site.
Using Yumpu, the content of pdf files is displayed directly in the Web browser on our Web site without having to download pdf files completely.
According to a decision taken by the EU Commission, Switzerland offers an adequate data protection level.
The legal basis for Yumpu’s processing of the data is our legitimate interest (providing an efficient way for a specialised supplier to view pdfs without having to download the entire pdf).
4. ORDERING IN THE SIKU ONLINE SHOP
If you order from our online shop, we collect the information necessary for the implementation of the contract. We do not use this information for advertising purposes without your consent. Depending on the selected method of payment, we can involve external service providers.
If you place an order in the Siku shop, we collect the following data:
· Contact information (title, name, phone number)
· Billing address and delivery address (if different)
· Payment data
We use the information to process the purchase. We transmit the telephone number to the shipping service provider in case of further inquiries.
The legislator has enacted a variety of storage obligations and periods. After the expiration of these periods, the respective data is routinely deleted if it is no longer required for fulfilling the contract. For example, data of a completed fiscal year that relates to commercial law or is financially relevant is deleted after another ten years in compliance with the statutory provisions unless longer retention periods are prescribed or necessary for legitimate reasons.
The legal basis for the processing is the fulfilment of the contract and the fulfilment of our statutory retention obligations.
In the context of the order process, our server places a cookie with an identification number on your computer when you visit the shop area. We use the cookie to recognise you as a user in the payment process (so-called session cookie). The cookie is deleted automatically after one hour. You can refuse the storage of cookies in your browser settings. In this case, however, it is no longer possible to use the Web shop.
We may use external service providers for payment processing. These service providers obtain your data that is necessary for payment processing, e.g. name, address, invoice amount and an order ID. Currently, we use PayPal and, for payment by credit card, Saferpay.
The European operator of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. Usually, PayPal receives from us your name, your address, company, e-mail address, phone and, if applicable, mobile number as well as the IP address or other data required for payment processing. The data transmitted to PayPal may be transmitted by PayPal to credit agencies. The data is transmitted for the purpose of identity and credit checks. PayPal might also forward your data to third parties if it is necessary for the fulfilment of the contractual obligations or if the data is to be processed on behalf of the site operator. The data protection provisions of PayPal apply. The fulfilment of the contract constitutes the legal basis for data processing since the corresponding processing of the data is necessary when the payment method “PayPal” is selected.
If you select the payment method “Credit card”, we use as our service provider Saferpay, an offer of SIX Payment Services (Germany) GmbH, Langenhorner Chaussee 92-94, 22415 Hamburg, Germany. If you select the payment via Saferpay, the data entered by you is transmitted to Saferpay. We do not receive any access to the credit card data. For details of the data handling by Saferpay, see: https://www.six-payment-services.com/de/services/legal/privacy-statement.html Our legitimate interest in the involvement of a specialist service provider for the secure processing of credit card transactions constitutes the legal basis for data processing.
5. ANALYSIS OF THE WEB SITE VISIT
ANALYSIS OF VISITOR BEHAVIOUR (ETRACKER)
We use the services of etracker GmbH, Hamburg, Germany (www.etracker.com) for the analysis of usage data. Cookies are used that allow for a statistical analysis of the use of this Web site by its visitors as well as the display of use-related content or advertising. Cookies are small text files that are stored by the Web browser on the user’s device. etracker cookies do not contain any information that would make the identification of a user possible.
The data generated with etracker is processed and stored by etracker in Germany on behalf of the operator of this Web site and is thus subject to the strict German and European data protection laws and standards. etracker was audited for this by an independent body, certified and awarded with the ePrivacyseal data protection quality seal.
Your data will be processed on the legal basis of Section 6 (1) letter f) (legitimate interest) of the EU data protection regulation (EU-GDPR). Our legitimate interest consists in the optimisation of our online offer and our Web site. Since the privacy of our visitors is very important to us, the IP address is anonymised at etracker at the earliest possible point in time; registration or device identifiers are converted by etracker into a unique key that cannot be allocated to a person. The data is not used by etracker for any other purpose; it is not merged with other data or passed on to third parties.
You can object to the data processing described above if it is done in relation to a person. Your objection has no adverse consequences for you.
More information on data protection at etracker can be found here.
6. ADDITIONAL INFORMATION
6.1. MANDATORY DATA
All mandatory information fields are marked with an asterisk (“*”) on our Web site. Without this information, the use of the respective function is not possible.
6.2. DATA RECIPIENT
Your data will be received by the competent departments of Sieper GmbH, e.g. the Shipping Service or Marketing department.
For the technical operation of the Web site, we may involve technical service providers, who are bound by instructions, for order processing. For the newsletter, we make use of services of the provider Episerver GmbH in Berlin; for the analysis of the Web site visits, etracker GmbH, Hamburg.
Hosting is currently performed by:
BT Stemmer GmbH
82140 Olching, Germany
With respect to orders, we can pass on your data to shipping service providers or payment processors.
A transfer to countries outside the European Economic Area only takes place if expressly stated.
6.3. CRITERIA FOR THE STORAGE PERIOD
The legislator has enacted a variety of storage obligations and periods. After the expiration of these periods, the respective data is routinely deleted if it is no longer required for fulfilling the contract. We assess the storage period for your data on the basis of the specific purposes for which we use it. In addition, we are subject to statutory retention and documentation obligations that arise, in particular, from the German Commercial Code (HGB) and the Tax Code (AO) and in many cases amount to six to ten years. Finally, the storage period is also based on statutory limitation periods; pursuant to Sections 195 et seqq of the German Civil Code (BGB), they usually amount to three years (as of the end of the calendar year).
7. ADDITIONAL REMARKS
In the following, we explain some legal and technical terms used in this Data Protection Statement.
Personal data is all information that relates to an identified or identifiable natural person, e.g. information in connection with your e-mail address or depot number.
Processing of personal data refers to any activity in connection with personal data, e.g. collection on an online form, storage on our servers or use for contacting you.
A cookie is a small text file that is stored on your computer. The content of this file is transferred to our servers each time our Web site is accessed.
The IP address is a number that your Internet provider assigns to your device temporarily or permanently. With a full IP address, it is possible in individual cases – on the basis of additional information from your Internet operator – to identify the holder of the connection.
7.2. LEGAL BASIS
The GDPR allows the processing of personal data only if there is a legal basis. We are legally obligated to provide the legal basis for the processing of your data.
In the following, we will explain the terminology used in this context.
Consent: Section 6 (1) letter a) EU GDPR
This legal basis allows processing if and to the extent that you have given us your consent.
Fulfilment of contract: Section 6 (1) letter b) EU GDPR
This legal basis allows the processing insofar as it is required for the fulfilment of a contract concluded with you, including pre-contractual measures (e.g. preparation of contract conclusion).
Fulfilment of legal obligations: Section 6 (1) letter c) GDPR
This legal basis allows us to process your data insofar as it is required for the fulfilment of a legal obligation to which we are subject.
Legitimate interests: Section 6 (1) letter f) EU GDPR
In accordance with this legal basis, we are allowed to process data insofar as it is necessary to protect our legitimate interests (or those of third parties) and your conflicting interests do not prevail.
8. YOUR RIGHTS
You have the right to request from us a confirmation as to whether we process the personal data concerning you; if this is the case, you have the right to information about your personal data in question and about the stipulations specified in Section 15 GDPR.
Under Section 16 GDPR, you have the right to the correction of inaccurate personal data concerning you and, if applicable, to the completion of incomplete personal data.
You have the right to demand from us that personal data concerning you be promptly deleted if one of the reasons specified in Section 17 GDPR applies, e.g. if the data is no longer needed for the purposes pursued.
8.4. RESTRICTION OF THE PROCESSING
You have the right to demand from us the restriction of the processing, if one of the prerequisites specified in Section 18 GDPR is given – e.g. if you have objected to the processing – for the duration of the examination by us.
8.5. DATA PORTABILITY
Under Section 20 GDPR, you have the right, under certain conditions, to receive, transfer and have transferred, if technically feasible, the data you have provided to us in a structured, common and machine-readable format.
Independently of other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of the personal data concerning you by us infringes on the GDPR (Section 77 GDPR). You can assert this right with a supervisory authority in the Member State of your residence, your work place or the place of the alleged infringement. For the contact details of the supervisory authorities in Germany, see https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
8.7. REVOCATION (OF CONSENT)
If you provide us with a data protection consent, you have the right to revoke it at any time with effect for the future. This also applies to a data protection consent that you have given before the GDPR took effect.
8.8. OBJECTION
You have the right to object to the processing of your personal data for reasons, which arise from your specific situation, inasmuch as we base the processing on Section 6 (1) letter e) or f) GDPR. We shall no longer process this data unless we can give proof of reasons worthy of protection for the processing that outweigh your interests, rights and liberties; or if the processing serves for the assertion, exercise or defence of legal claims (Section 21 GDPR).
If your personal data is used by us for direct marketing (e.g. by e-mail), you have the right to object to the use of your data for these purposes at any time. This also applies to profiling if it is associated with direct advertising. Profiling refers to the use of personal data in order to analyse or predict specific personal aspects (e.g. interests).
9. CONFIDENTIALITY AND DATA SECURITY
Only employees who have been pledged to confidentiality in accordance with Section 28 (3) p. 2 GDPR and have made themselves familiar with the provisions on data protection are deployed for working with personal data. Every employee (person) who has access to personal data is only allowed to process and use this data in accordance with the instructions of the employer/client. Appropriate technical and organisational measures have been taken to protect personal data (Sections 28 and 32 GDPR). The confidentiality, integrity, availability and reliability of the systems and services in connection with the processing are ensured. A firewall as well as malware protection software are installed, activated and regularly updated on all systems used. With the registration of the employees, a user identification/authentication takes place at the workplaces. The passwords used must be changed at regular intervals. The access rights of the employees are matched to the activity profile of each employee. Agreements on order processing and on confidentiality have been entered into with the software suppliers and order processors. The technical and organisational measures to ensure processing security are periodically reviewed, assessed and evaluated.
Last update: January 2019