You will need the appropriate software to open the PDF document. If you do not have a programme for displaying PDF files installed on your computer, you can download "Adobe Acrobat Reader" here free of charge: download here for free.
Data protection is a matter of trust, and your trust is important to us. It goes without saying that the data processing of baslerbeauty GmbH & Co. KG, represented by its managing director Timo Allert (hereinafter also "we" or "us") as the Controller within the meaning of Art. 4(7) GDPR, is based on the legal provisions.
I. What do we do with your personal data?
- What are personal data
- Use of data for contract processing and internal organisation - contract initiation and processinge
- Data storage, customer account
- Data usage for advertising purposes
- Erasing and blocking your data
II. Data collection when visiting our sites
III. How do we protect your personal data?
IV. What rights do I have?
- Right to confirmation and information
- Right to rectification
- Right to object
- Right of revocation
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portabilitys
- Exercising your rights
I. What do we do with your personal data?
1. What are personal data
Personal data are all information that relates to an identified or identifiable natural person (hereinafter referred to as "data subject"). Identifiability may not require a name. Indirect identifiability is also sufficient, for example by means of allocation to an identification number, to location data, to an online identifier or to one or more special characteristics. That means it is about your identity. This includes, for example, your name, but also your telephone number, your address and other data that you provide to us.
Many legal bases for our data processing can be found in the European General Data Protection Regulation (GDPR), its text and the associated recitals which you can view e.g. here. In the following policy, we make references to corresponding regulations as the respective legal basis of our processing.
2. Use of data for contract processing and internal organisation - contract initiation and processing
If you make an inquiry or conclude a contract with us, we require and process certain data, such as the details of the intended or placed order, your address, e-mail address and payment processing data for the pre-contractual review, contract processing and the handling of any subsequent warranty or guarantee (see art. 6(1) b GDPR as the basis). As part of the order and payment processing, the service providers used by us (e.g. logistics companies, payment intermediaries) will receive the respective necessary data about your person or for the order. We also perform credit checks (see IV below). We cannot accept orders or offer you certain payment options without having appropriate information.
In addition, commercial and fiscal law obliges us to archive data from the concluded transactions for the duration of the statutory retention periods. The legal basis for the corresponding data uses is art. 6(1) c GDPR.
- Processing in the corporate organisation
As part of our corporate organisation, we process your data in our IT systems and, if necessary, transmit data from customers, interested parties, suppliers and staff in accordance with legal obligations to authorities, such as financial administrations and to consultants (tax advisors, lawyers, auditors) in accordance with our interests in legal and economic corporate governance.
The legal basis are art. 6(1) c and f GDPR.
In this context, we analyse data on all corporate and business transactions for corporate control and market analysis. If no necessity arises from the specific purpose, the data are analysed largely anonymously or at least pseudonymously and are made available to third parties in groups detached from persons at most. The legal basis are art. 6(1) c and f GDPR.
- Outsourced IT and hosting
We use IT software and hosting services from service providers as part of the provision of services and the fulfilment of your concerns and our contractual obligations on the basis of our interest in efficient and secure company and contract execution. Your data concerning your interests, concerns, orders and visits or utilisation of our services are also processed with the help of the services of these service providers.
If required by law and not secured by regulations on professional secrecy anyway, we have secured our access and the secure and confidential treatment of your data in contractual terms in data processing cases.
The legal basis is art. 6(1) f GDPR, in conjunction with Art. 28 GDPR (conclusion of a data processing contract) if applicable.
3. Data storage, customer account
Your specific order data will be stored with us. You can register with us (e-mail address and password). By registering, you will have access to the data about you and your orders stored by us and you can manage a newsletter you may have subscribed to.
Once you have registered, we can also link your usage data with the customer login in order to present you interesting content during your visit to the website.
If you want to close your account again, please contact one of the contact options below.
Please note that we will continue storing your data even if it is closed and will use it for the stated purposes (such as order processing, but also for advertising information).
If you contact us via our contact options (e.g. via e-mail, chat or the contact form), we will store your name and contact details as well as your request. The data are used to process your request and to communicate with you. We use your e-mail address to reply to you by e-mail (the legal basis are art. 6(1) a and b GDPR). If you have any questions about specific orders or if we are to do something for you personally, we need your real name. If you have any other questions, you can also enter a pseudonym. If your request has been conclusively handled and there are no other storage obligations, the data will be erased again.
5. Data usage for advertising purposes
We are interested in maintaining the customer relationship with you, attracting new customers, reactivating old customers and providing our customers with information and offers. In order to safeguard these legitimate interests, we process your data on the basis of art. 6(1) f of the GDPR (also with the help of service providers) in order to communicate information and personalised offers from us to you and to improve our information and offers.
In our advertising activities, we pursue the interest to protect you from unwanted or uninteresting advertising. In order to take your interests into account, we include such data in the selection of the information you know we know. They include, for example, orders, information you have already received or your reactions to relevant advertising information on postal advertising or our newsletters and e-mail information. Where this makes technical and economic sense for the purpose of pursuing the purposes, we separate appropriate data from your person in order to protect your interests, pseudonymize them and form groups (clusters) in which the individual information is collected before an evaluation.
We use the following data on the basis of the aforementioned legal basis, without asking you separately for your consent.
- Postal advertising
We use your first and last name, your postal address and - insofar as we have received this additional information from you - your title, academic degree, your date of birth and your professional, industry or business name to send offers and information about our company and our services and products by mail if we expect this information to be in your interest after evaluating the data provided at the beginning of this section.
- E-mail advertising for own similar offers
If we have been provided with your e-mail address in connection with the sale of goods, we use the e-mail address to advertise our own similar products. You may also object to any advertising use at any time without incurring any costs other than the transmission costs according to the basic rates. In the commercial sector, we use the telephone number for advertising purposes, even if your consent is assumed.
We are using the company Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, with which we have also concluded contractual agreements on data protection (data processing contract), as a service provider.
Please refer to the statements on e-mail advertising with consent for our further data uses for evaluation and optimisation in this context.
If you participate in our competitions, we will use your data to execute the competition, including but not limited to notifying the winner. If you have given us separate consent to a specific form of contact, we will use your data within the scope of the consent, e.g. to contact you by e-mail or telephone (see consent below; legal basis is art. 6(1) a GDPR). The data of the participants will be deleted from our active systems after the competition. They are archived by us for legal defence purposes only, at most until the statute of limitations of conceivable claims (usually three years) has expired. The legal basis is Art. 17(3) e GDPR. The winner’s data will be archived for the duration of legal retention obligations for commercial and tax reasons as well as for the avoidance of disadvantages for the winner (e.g. recall of products) (legal basis is art. 6(1) c GDPR).
-E-mail advertising with separate consent
If you have registered separately for our newsletter, your e-mail address and any other personal data that you have voluntarily provided to us during registration (e.g. your name for the address) will be used for our own advertising purposes and for advertising partner offers, if applicable, included in the newsletter.
We perform statistic evaluations of when such an e-mail is read, which offers of information attract interest and with how much intensity (for example when a link is activated). The evaluation is performed to improve delivery times and optimise the content of our offers and advertising information.
6. Erasing and blocking your data
We will store your personal data until the stated purposes have been achieved or for as long as we have a legitimate interest in the storage.
After that, they are erased if no other agreements have been made with them or if there are legal archiving obligations (e.g. due to commercial or tax law). In the case of legally compelled archiving, the data are blocked for other accesses. These documents will be erased and destroyed after the statutory retention periods within the scope of regular actions in accordance with data protection requirements have expired.
If you have consented to the collection, processing and use of your data, we will store and use your data for an indefinite period of time until the purpose for which you gave your consent is cancelled or no longer applies. Subsequently, the consent and processed data are archived for legal defence purposes until the statute of limitations (usually three years) takes effect (legal basis is art. 17(3) e GDPR).
If you no longer wish to receive advertising from us, we will use your name, address and, if applicable, the e-mail address for the purpose of blocking you in appropriate lists with which we will match our advertising activities so that you no longer receive any advertising. In this sense, erasing your data means initially that your data will be blocked in our systems, including but not limited to those used for our advertising and marketing activities (legal basis is art. 6(1) f GDPR). The data will - if necessary - continue to be processed for purposes other than advertising, e.g. in the context of contract processing and warranty, if applicable, as well as commercial and tax documentation (legal basis are art. 6(1) b and c GDPR).
If you wish to have your data erased instead of blocked, despite the possible consequence of continuing to receive advertising in individual cases, please let us know.
At your request, we may block all or part of your personal data. To this end, please inform us of the extent to which and, if applicable, for what period they should be blocked. In this way, you can completely or temporarily exclude processing and use of your data for certain areas to the extent that is technically possible.
II. Data collection when visiting our sites
1. Technical information
You can visit our site without providing any information about yourself. However, if you visit our websites, even if you are following a link in a newsletter or an advertisement, for example, certain data are recorded and stored in log files nevertheless. Even if you have visited the site following a newsletter link or ad link on the Internet, access data without direct personal reference is collected, e.g.
- the website from which you are visiting
- the site being accessed or the name of a retrieved file
- type and version of your browser,
- time and date of access
- the operating system used to run the browser
- the name of your internet service provider
- the internet address of the user (IP address)
- products and contents in which the visitor is interested and how this interest is expressed, such as duration, frequency, interaction with forms, navigation elements and links
We are not able to draw conclusions about you based on these data and will not do so without your separately given consent. In cases in which we know a date which theoretically allows conclusions to be drawn about your person, such as the IP address, we have taken care to make drawing any conclusions about you more difficult by shortening them appropriately.
If we include third-party content on our site (e.g. embedded films or other information), they will receive your IP address solely for this purpose, as the content cannot be delivered to your browser otherwise.
For more information about the cookies used, see Cookie settings. It also allows you to edit any consent you may have already given.
2. Profile usage
The law categorises the formation of automated data collections on a person under the term profiling. According to Art. 4(4) GDPR, profiling is any type of automated processing of personal data that consists in the use of this personal data to evaluate certain personal aspects relating to a natural person, including but not limited to the analysis or prediction aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of this natural person.
Like others, we use profiles that we create based on your purchasing and usage behaviour. Under no circumstances do we derive decisions from this which may be disadvantageous for you.
We are basing this on our interest to tailor our offer to your needs as much as possible and to optimise it economically (legal basis art. 6(1) f GDPR).
We form pseudonymized user profiles of a statistical nature, i.e. separated from characteristics of your person, in order to be able to draw conclusions about interests in our content and offers by means of evaluation and to coordinate relevant information and offers with users displaying corresponding interests.
We also use the information to improve data security, counter attacks on our systems and, where appropriate, assist law enforcement agencies in responding to attacks on our systems or other criminal activities.
Profiles that we create from these data are deleted after the advertisement has been executed. We store the underlying data pseudonymously and regularly check whether they can still be used for the above purposes. If this is not the case, the data will be deleted or blocked for advertising purposes if there are other legal grounds to continue their storage.
We use appropriate web analysis tools to analyse user behaviour. For more information, see Cookie settings.
III. How do we protect your personal data?
1. General protective measures
The law requires companies to create an adequate level of data protection. Among others, the respective risk for the data, the probability of occurrence, the state of the art and the costs must be aligned with each other. We have provided appropriate technological and organisational measures to implement the security of your data and its processing in accordance with the legal requirements. If you have any concerns about data entry or any other questions or suggestions, please contact our customer service or our Data Protection Officer. More contact details are listed at the end of this policy.
Your personal data will be transferred securely by encryption when you place an order and when you log in to your personal account. We use the SSL (Secure Socket Layer) coding system. We secure our website and other systems by technological and organisational measures against loss, destruction, access, modification and dissemination of your data by unauthorised persons. You should always keep your login information confidential and close the browser window when you have finished communicating with us, especially when you share your computer with others.
2. Protecting your payment data
We use payment service providers to make as many payment methods available to you as possible which are also as secure as possible. Insofar as they are available from us and not already deposited there by you on the basis of the registration or provided by you in the course of the payment process, the payment service providers receive certain data intended for reviewing and granting the payment transaction requested by you; they require them for their internal processes of a payment approval and audits to this purpose. Audits include authentication, a procedure that allows the payment service provider to verify your identity or the authorised use of a particular payment instrument, including the use of personalised security features. A so-called strong customer authentication (checking your identity or authorisation) may require you to enter further data that is based on the agreements between you and the selected payment service provider or the bank approving the payment. There are also exceptions to the requirement of strong customer authentication, which may depend on the amount and number of transactions with the means of payment and on which we have no influence.
If available from us and not already deposited by you on the basis of the registration with them or provided by you in the course of the payment process, the payment service providers will be provided with address and order data for the purpose of reviewing and authorising the payment requested by you:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxemburg (Luxemburg) https://www.paypal.com/nl/webapps/mpp/ua/privacy-full?locale.x=en_EN
Amazon Payments Europe S.C.A. 5, Rue Plaetis, 2338 Luxemburg https://pay.amazon.eu/help/201751600
Apple Inc. https://www.apple.com/de/privacy/
The data that we pass on is encrypted for the transmission. The data for the means of payment and the payment data are also encrypted and transmitted via appropriate interfaces. During this process, we do not gain any knowledge of the payment data.
For further information that payment service providers provide in connection with credit checks, please refer to section IV.
3. Credit check and scoring
On our site, payment service providers present payment options in which identity and credit checks are carried out, based on the interest in protecting yourself against payment failures and customers against identity misuse.
You will use credit information for the fulfilment of your payment request, which is calculated on the basis of recognised mathematical-statistical procedures, which also include your address data.
For details on the credit checks carried out by the payment service providers we use, please refer to the information provided on the websites of the payment service providers.
The legal basis for the aforementioned checks is Art. 6 (1) b GDPR in order to be able to check your payment requests and Art. 6(1) f GDPR, based on the interests indicated above.
The rights to which you are entitled can be found in the following policy under IV.
IV. What rights do I have?
As a data subject, you can assert certain rights by law.
1. Right to confirmation and information
In accordance with Art. 15 GDPR, you have the right to request confirmation from us as to whether your personal data will be processed. In the event that we process such data, you have a right to free access to your stored data. The access shall include information on
- the purposes of processing;
- the categories of personal data processed;
- the recipients or categories of recipients to whom the personal data have been disclosed or will still be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria for determining that period;
- the existence of a right to rectify or erase the data relating to their personal data or to restrict the processing by the controller or the right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject: any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved as well as the significance and the envisaged effects of such processing for the data subject.
The data subject shall also have the right to information on whether personal data have been transmitted to a third country or to an international organisation. If this is the case, the data subject shall also have the right to be informed of the appropriate safeguards relating to the transfer. If you have any questions regarding the collection, processing or use of your personal data, information or other assertion of your rights, please contact us using the contact details listed at the end of this policy.
2. Right to rectification
If the personal data processed concerning you is incorrect or incomplete, you have a right to demand their rectification and/or completion from the controller. The controller must make the correction immediately..
Your objection to the identity and creditworthiness check may mean that we can generally offer you only limited payment options or reject a contract.
4. Right of revocation
You have the right to revoke any consent you may have given at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of such consent until revocation.
5. Right to erasure (right to be forgotten)
a) Conditions for erasure
You have the right to request the erasure of the personal data concerning you. Please note that a right to immediate erasure (Art. 17 GDPR) ("right to be forgotten") only exists if one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is according to art. 6(1) a GDPR or art. 9(2) a GDPR, and there is no other legal ground for the processing.
- You object to the processing according to art. 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes according to art. 21(2) GDPR.
- The personal data concerning you have been unlawfully processed.
- The personal data have to be erased for compliance with a Union law or the law of the Member States to which the controller is subject.
- The personal data concerning you have been collected in relation to the offer of information society services referred to in art. 8(1) GDPR.
b) Further right to be forgotten
If we have made the personal data concerning you public and we are obliged to erase them in accordance with Art. 17(1) GDPR, we shall take reasonable steps, including technical measures, taking account of the available technology and the cost of implementation, to inform controllers which are processing the personal data that you as the data subject have requested the erasure of any links to, or copy or replication of, those personal data.
c) Exceptions from erasure
Please note that in addition to the above conditions, the following exceptions may justify your erasure request being denied:
The right to erasure does not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health pursuant to art. 9(2) h and i as well as art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
6. Right to restriction of processing
You have the right to restrict processing if you dispute the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data or if you refuse erasure in the event of unlawful processing and instead demand the restriction of the use of personal data. You also have the right if we no longer need the data but you require that personal data to establish, exercise or defend legal claims. You can finally assert this right if you have objected to the processing in accordance with art. 21(1) GDPR, and it is not yet clear whether the legitimate grounds of the controller override your grounds.
Where processing has been restricted, these data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State. The option of continuous storage remains unaffected. If the restriction of the processing was limited according to the aforementioned provisions, you will be informed by us before the restriction is lifted.
7. Right to data portability
In addition, you have a right to data portability to you in a "structured, commonly used and machine-readable format" of the data you have provided to us, which we have processed on the basis of a valid consent or whose processing was necessary for entering into or fulfilling a valid contract. You also have the right to request the direct transmission to another controller, where technically feasible.
The right is only valid if the rights and freedoms of others are not adversely affected.
8. Exercising your rights
If you have any questions or wish to exercise your rights, please contact our customer service (contact details below).
You may also contact our data protection officer. The latter is responsible for your complaints. You can reach our data protection officer using the following e-mail: firstname.lastname@example.org. In addition, if you think that we do not adequately deal with your request, you have, among others, the right to lodge a complaint with the supervisory authority responsible for data protection, in particular in the Member State of your residence, place of work or place of alleged infringement (without prejudice to any other administrative or judicial remedy).
Your baslerbeauty GmbH & Co. KG