Data protection information of Marc O’Polo Einzelhandels GmbH

At MARC O’POLO, your satisfaction is always our top priority and protecting your privacy is an important part of our job. We therefore collect, process and use your personal data only in accordance with the principles described below and in compliance with the applicable data protection laws.

The controller pursuant to Article 4(7) of the European General Data Protection Regulation (GDPR) for the website https://www.marc-o-polo.com and the online shop on it (hereinafter referred to as the ‘website’) is MARC O’POLO Einzelhandels GmbH, Hofgartenstrasse 1, 83071 Stephanskirchen, Germany, service@marc-o-polo.de (hereinafter referred to as ‘MARC O’POLO’ or ‘we’).

You can contact our Data Protection Officer by e-mail (datenschutz@marc-o-polo.com) or at our postal address, stating ‘Data Protection Officer’.

If you are under the age of 16, please obtain permission from a parent or guardian before you provide personal data to MARC O’POLO.

We, Marc O’Polo Einzelhandels GmbH, Hofgartenstrasse 1, 83071 Stephanskirchen, Germany (hereinafter referred to as ‘MARC O’POLO’ or ‘we’) process personal data concerning various people in connection with presenting and marketing our goods. These people include the following in particular:
– Visitors to our website www.marc-o-polo.com
– Customers on our online shop
– Subscribers to our newsletter
— Participants in the MARC O’POLO MEMBERS customer loyalty scheme
– Subscribers to our postal marketing
– Participants in our competitions

The protection of personal data is important to us. We only process personal data in accordance with the relevant data protection provisions, especially the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Section A of this data protection information contains information about the controller responsible for processing your personal data as well as the data protection officer of the controller.

Section B to G contain information about the processing of your personal data.

Section H provides more details about the use of cookies or similar technology.

Section I contains information about your rights with regard to the processing of your personal data.

The definitions of the data protection terminology used in this data protection information are the same as in the General Data Protection Regulation. You can find more detailed information about this in Section J.

Table of contents

Part A

Part B

Part C

Part D

Part E

Part F

Part G

Part H

Part I

Part J

Part K

A. Information about the controller

I. Name and contact details of the controller

Marc O’Polo Einzelhandels GmbH
Hofgartenstraße 1, 83071 Stephanskirchen
E-Mail: service@marc-o-polo.de
Telephone: 00 800 10221022 (free service hotline)
Fax: +49 (0) 231 96677889

II. Contact details of the controller’s data protection officer

Hofgartenstraße 1, 83071 Stephanskirchen
Data protection officer
E-Mail: dataschutz@marc-o-polo.com
Telephone: 00 800 10221022 (free service hotline)

B. Information about the processing of the personal data of visitors to our website www.marc-o-polo.com

I. Use of the website for informational purposes (using essential cookies)

When you use the website for informational purposes, the browser you are using on your device will send certain information such as your IP address to the server of our website for technical reasons. We process this information in order to provide the content you access on the website. Additionally, the information is stored temporarily in a server log file in order to guarantee the security of the IT infrastructure used to provide the website.

For the purpose of providing the search tools on our website, the data you enter into our search tools shall be processed temporarily on our web server.

Information about consent you have granted is stored in cookies (Section H) on your device in order to provide the administrative features for consent relating to our website (e.g. consent to the use of certain cookie-based technologies). During your visit to our website, the cookies and the information stored therein can be accessed in order to determine whether you have given your consent and to what. Additionally, for the purpose of providing your chosen language, data are processed temporarily on our web server in order to provide you with the website content you access in the language you have chosen.

When you start to use the fit advisor, a cookie (Section H) shall be installed for the purpose of providing the fit advisor.

More detailed information about this is available below:

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) when you visit the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to provide the website content you wish to access.
Data are stored in server log files in a format which makes it possible to identify the data subjects for up to six weeks unless a security incident occurs (e.g. a denial-of-service attack).

If a security incident does occur, server log files shall be stored until the security incident has been overcome and fully investigated.
Search tool data Data you enter into the search tools on our website.

This includes all of the information you enter as search strings in each search box on the website.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to provide the website content you wish to access.
Data are stored in server log files in a format which makes it possible to identify the data subjects for up to six weeks unless a security incident occurs (e.g. a denial-of-service attack).

If a security incident does occur, server log files shall be stored until the security incident has been overcome and fully investigated.
Opt-in data Data relating to consent you have granted with regard to our website.

This includes your consent and potentially your individual selection regarding the use of cookie-based technologies.

These data are stored in cookies on your device (section H).
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to take consent to cookies on this website into consideration.
We store these data temporarily on our systems while the website is being made available. The data are stored locally and permanently in the user’s browser for up to two weeks.

(section H.III. for information about how long the cookies remain valid.)
Language selection data Data which are stored in order to provide the language selection feature.

This includes the language you select.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to provide the website content you wish to access in the language you have chosen.
We store these data temporarily on our systems while the website is being made available. The data are stored locally and permanently in the user’s browser for up to two weeks.
Fit advisor data Data generated when you use the fit advisor:

The data include a unique ID which is used to recognise the user of the fit advisor as well as your body size information (height, chest size etc.).

Some of these data are stored in cookies on your device (section H).
Users of the fit advisor. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to offer you sizing advice.
(section H.III. for information about how long the cookies remain valid.)
Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
To provide the website content accessed by the user:

Data are processed temporarily on our web server for this purpose.
HTTP data No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in providing the website content accessed by the user.
Hosting providers.
To provide the search tools on our website:

The data you enter into our search tools are processed temporarily on our web server for this purpose.
Search tool data No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in providing the website search tools accessed by the user.
Hosting providers.
To provide the administrative tool for granting consent with regard to the website.

Certain features of our website require your consent (e.g. the use of certain cookie-based technology).

We provide an administrative tool for granting consent with regard to the website so you can grant and withdraw your consent.

For this purpose, information about consent you have granted is stored in cookies (section H.) on your device. During your visit to our website, the cookies and the information stored therein can be accessed in order to determine whether you have given your consent and to what.
Opt-in data No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in administrating the consent granted by the user with regard to this website.
Hosting providers.
To provide the language selection feature on the website:

For this purpose, data are processed temporarily on our web server in order to provide you with the website content you access in the language you have chosen.
Language selection data. No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in providing the website content accessed by the user in the language selected by the user.
Hosting providers.
To guarantee the security of the IT infrastructure used to provide the website, especially to identify, combat and document disruptions in a legally sound manner (e.g. DDoS attacks):

Data are stored temporarily in log files on our web server and evaluated for this purpose.
HTTP data, Search tool data. No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in guaranteeing the security of the IT infrastructure used to provide the website, especially so as to identify, combat and document disruptions in a legally sound manner (e.g. DDoS attacks).
Hosting providers.

Fit Analytics

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
To provide the fit advisor on the website:

After the user enters his or her data once, the sizes for certain categories of clothing are recommended to the user of our fit advisor on the basis of real cut data provided by MARC O’POLO Fit Analytics.

For this purpose and in order to ensure the security of the IT infrastructure used to provide the fit advisor, data are processed temporarily on our web server in order to provide you with the fit advisor.

For this purpose, information about your use of the fit advisor is stored in cookies (section H) on your device.

If you no longer wish to use the fit advisor, you can click on the following link to erase the data that are being stored by us and in cookies on your device for this purpose:
https://widget.fitanalytics.com/widget/optout/
HTTP data
Fit advisor data
No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in providing a size finder tool in order to improve how our online shop is used.
Fit Analytics GmbH
Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processors USA No adequacy decision from the European Commission in the sense of Article 45(3) GDPR applies to transfers to these recipients in the USA.

The transfer is subject to EU standard contractual clauses pursuant to Article 46(5) GDPR which were enacted under Article 26(4) of the previous Data Protection Directive (Directive 95/46/EC). Please contact our data protection officer for a copy of the standard contractual clauses (see the contact details in section A).
Fit advisor

Fit Analytics GmbH, Voigtstr. 3, 10247 Berlin, Germany
Processors EU -
II. Use of marketing technology and advertising networks (using marketing cookies)

If you have consented to marketing purposes in the cookie settings (LINK TO: https://www.marc-o-polo.com/on/demandware.store/Sites-MOP-Site/de_DE/Home-CookieSettings), we shall use marketing technology for the following purposes:

- Evaluation of user actions (conversion tracking), segmentation of visitors and evaluation of campaign performance
- Strategic targeting of users of the website for advertising purposes (retargeting), including settling accounts with our retargeting partners for ad placement
- The participation of our website in various advertising networks (affiliate networks) in order to advertise our products in the most effective way possible, including displaying personalised, interest-based adverts and paying for the advertising campaigns with our promotional partners
- Evaluation of the effectiveness of our Facebook adverts and creation of target groups for our Facebook adverts by means of the Facebook pixel
- By incorporating the Facebook pixel, we are enabling Facebook to collect personal data. Facebook is responsible for collecting and processing these data. Facebook merely provides us with aggregated and anonymised assessments or other information generated on the basis of the collected data. We cannot attribute the information provided to us to any natural person. We have no knowledge of the details of how Facebook processes personal data within its own sphere of responsibility. For information about how Facebook processes personal data, see the Facebook privacy policy at https://www.facebook.com/about/privacy/.
Collection and evaluation of how users use our website in order to tailor our newsletters to the interests of each subscriber

We use cookies for this purpose (Section H Marketing).

More detailed information about this is available below:

Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Google Double Click HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Google Double Click is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
IP anonymisation is active on this website for the web tracking tools from Google. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it.
Google Double Click cookie data Data which are stored in cookies for the web tracking tool Google Double Click on your device.

This includes a unique ID which enables Google to recognise returning visitors – although we are unable to associate it with any individual user – as well as the following parameters: Partner identification number of the advertising partner Google, page type (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products, order number, order value.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
Neither we nor Google store the cookies themselves. However, the data contained in the cookies are added to the Google Double Click profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Google Double Click profile data Data which are generated by the web tracking tool Google Double Click and stored in pseudonymised user profiles.

This includes information about how you use the website, especially the pages you open, the frequency of visits and the time spent on the visited pages.
Generated independently. - We shall store the data until the purpose for which the data are being processed is achieved.

Microsoft Advertising

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Microsoft Advertising HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Microsoft Advertising is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
The data shall be erased after one year at the latest.
Microsoft Advertising cookie data Data which are stored in cookies for the conversion tracking tool Microsoft Advertising on your device.

This includes a unique ID which makes it possible to recognise returning visitors.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Microsoft Advertising.
The data shall be erased after one year at the latest.
Microsoft Advertising profile data Data which are generated by the web tracking tool Microsoft Advertising and stored in pseudonymised user profiles

This includes information about how you use the website, especially the pages you open, the frequency of visits and the time spent on the visited pages
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
The data shall be erased after one year at the latest.

Criteo

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Criteo HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Criteo is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Criteo.
IP anonymisation is active on this website for the web tracking tool Criteo. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored.

We do not store these data. Criteo is responsible for storing these data. We do not know how long the data are stored.
Criteo cookie data Data which are stored in cookies for the web tracking tool Criteo on your device.

This includes a unique ID which enables Criteo to recognise returning visitors – although we are unable to associate it with any individual user – as well as the following parameters: Partner identification number of the advertising partner Criteo, page type (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products, the number of products in the basket, order number, order value.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Criteo.
Neither we nor Criteo store the cookies themselves. However, the data contained in the cookies are added to the Criteo profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Criteo profile data Data which are generated by the web tracking tool Criteo and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Criteo cookie data.
Generated by Criteo. - We do not store these data. Criteo is responsible for storing these data. We do not know how long the data are stored.

Mediards

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Mediards HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Mediards is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.
Mediards cookie data Data which are stored in a cookie on your device for advertising purposes.

The collected information includes the chosen website language, product and order numbers, the value of the order, the chosen currency and the URL of the visited page.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.
Mediards profile data Data which are generated by the web tracking tool Mediards and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Mediards cookie data.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.

Facebook

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Facebook pixel cookie data Data which are stored in cookies for the Facebook pixel on your device.

This includes a unique ID which makes it possible to recognise returning visitors.

Additionally, we incorporate the following information into the cookies through our data layer in order to help Facebook display the right adverts for each user:
- Order value (OrderValue)
- Purchased products (Product Ids)
- Viewed products (Product Ids)
- Searched products (Product Ids)
- Page type (what page the user was on, e.g. category or confirmation page, product detail page, search results page).

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, the Facebook pixel might not function properly or at all.
We do not collect or store these data ourselves.

Facebook is responsible for collecting and processing these data. We do not know how long the data are stored.

(Section H.III for information about how long the cookies remain valid.)
Facebook pixel event data Data which are collected by Facebook through the Facebook pixel.

These data include actions (also known as events) which take place on the website. This includes, for example, the completion of a purchase, registration, the addition of payment information, initiation of the checkout process, the addition of products to the basket or a wish list, searches and the viewing of content.

This also includes information (parameters) associated with each recorded event. This information includes, for example, the value of purchases
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, the Facebook pixel might not function properly or at all.
We do not collect or store these data ourselves.

Facebook is responsible for collecting and processing these data. We do not know how long the data are stored.
Facebook pixel analytics data Data which are generated by Facebook on the basis of information collected by the Facebook pixel.

This includes information about the effectiveness of Facebook adverts and the allocation of users to target groups for Facebook adverts.

Using the collected information, Facebook can potentially generate other data for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by Facebook.
Generated independently by Facebook. - Facebook merely provides us with aggregated and anonymised data. We cannot associate these data with a natural person.

Facebook is responsible for collecting and processing personal data. We do not know how long the data are stored.

Flashtalking

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Flashtalking HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Flashtalking is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.
Flashtalking cookie data Data which are stored in cookies for the web tracking tool Flashtalking on your device.

This includes information about the types of page you visit (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products, the number of products in the basket or approximate information about your location.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Flashtalking.
1 year.
Flashtalking profile data Data which are generated by the web tracking tool Tectumedia and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Flashtalking cookie data.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.

Stylight

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Stylight HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Stylight is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.
Stylight cookie data Data which are stored in cookies for the web tracking tool Stylight on your device.

This includes information about the types of page you visit (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products, the number of products in the basket or approximate information about your location.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Stylight.
We do not store the cookies themselves or the information in the cookies.

(Section H.III for information about how long the cookies remain valid.)
Stylight profile data Data which are generated by the web tracking tool Tectumedia and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Tectumedia cookie data.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists

If you do not provide the data, we will be unable to carry out web tracking or send you personalised adverts.
1 year.

Esome container (conversion tracking with Adition, Appnexus and Facebook)

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Esome HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tools Adition, Appnexus and Facebook which are incorporated into the website by means of the Esome container are used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
IP anonymisation is active on this website for the web tracking tools Adition, Appnexus and Facebook which are incorporated into the website by means of the Esome container. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it.

The other log data shall be erased after one year at the latest.
Esome cookie data Data which are stored in cookies on your device for the web tracking tools Adition, Appnexus and Facebook which are incorporated into the website by means of the Esome container.

This includes a unique ID which makes it possible to recognise returning visitors.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking.
Neither we nor the providers of the web tracking tools store the cookies themselves. However, the data contained in the cookies are added to the Esome profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Esome profile data Data which are generated by the web tracking tools Adition, Appnexus and Facebook which are incorporated into the website by means of the Esome container and stored in pseudonymised user profiles.

This includes information about how you use the website, especially the pages you open, the frequency of visits and the time spent on the visited pages.

It is stored in separate profiles for the data collected by the web tracking tools Adition, Appnexus and Facebook.
Generated independently. - The data shall be erased after one year at the latest.

Awin

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Awin HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Awin is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Awin.
IP anonymisation is active on this website for the web tracking tool Awin. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored.

We do not store these data. Awin is responsible for storing these data. We do not know how long the data are stored.
Awin cookie data Data which are stored in cookies for the web tracking tool Awin on your device.

This includes a unique ID which enables Awin to recognise returning visitors – although we are unable to associate it with any individual user – as well as the following parameters: Partner identification number of the advertising partner Awin, page type (e.g. an order confirmation page, a product details page or a basket), URL of the visited page(s), article numbers / names / prices of the viewed products, the number of products in the basket, currency, order number, order value.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Awin.
Neither we nor Awin store the cookies themselves. However, the data contained in the cookies are added to the Awin profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Awin profile data Data which are generated by the web tracking tool Awin and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Awin cookie data.
Generated by Awin. - We do not store these data. Awin is responsible for storing these data. We do not know how long the data are stored.

Daisycon (only relevant to our Dutch Shop) only in NL privacy policy

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Daisycon HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Daisycon is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Daisycon.
IP anonymisation is active on this website for the web tracking tool Daisycon. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored.

We do not store these data. Daisycon is responsible for storing these data. We do not know how long the data are stored.
Daisycon cookie data Data which are stored in cookies for the web tracking tool Daisycon on your device.

This includes a unique ID which enables Daisycon to recognise returning visitors – although we are unable to associate it with any individual user – as well as the following parameters: Partner identification number of the advertising partner Daisycon, page type (e.g. an order confirmation page, a product details page or a basket), order number, order value.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Daisycon.
Neither we nor Daisycon store the cookies themselves. However, the data contained in the cookies are added to the Daisycon profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Daisycon profile data Data which are generated by the web tracking tool Daisycon and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Daisycon cookie data.
Generated by Daisycon. - We do not store these data. Daisycon is responsible for storing these data. We do not know how long the data are stored.

Tracdelight

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Tracdelight HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Tracdelight is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Tracdelight.
IP anonymisation is active on this website for the web tracking tool Tracdelight. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored.

We do not store these data. Tracdelight is responsible for storing these data. We do not know how long the data are stored.
Tracdelight cookie data Data which are stored in cookies for the web tracking tool Tracdelight on your device.

This includes a unique ID which enables Tracdelight to recognise returning visitors – although we are unable to associate it with any individual user – as well as the following parameters: Partner identification number of the advertising partner Tracdelight, page type (e.g. an order confirmation page, a product details page or a basket), currency, order number, order value.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Tracdelight.
Neither we nor Tracdelight store the cookies themselves. However, the data contained in the cookies are added to the Tracdelight profile data (see below).

(Section H.III for information about how long the cookies remain valid.)
Tracdelight profile data Data which are generated by the web tracking tool Tracdelight and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Tracdelight cookie data.
Generated by Tracdelight. - We do not store these data. Tracdelight is responsible for storing these data. We do not know how long the data are stored.

Tectumedia

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Tectumedia HTTP data Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Tectumedia is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Tectumedia.
We do not store the cookies themselves or the information in the cookies.

(Section H.III for information about how long the cookies remain valid.)
Tectumedia cookie data Data which are stored in cookies for the web tracking tool Tectumedia on your device.

This includes information about the types of page you visit (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products, the number of products in the basket or approximate information about your location.

(Section H.III for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Tectumedia.
We do not store the cookies themselves or the information in the cookies.

(Section H.III for information about how long the cookies remain valid.)
Tectumedia profile data Data which are generated by the web tracking tool Tectumedia and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Tectumedia cookie data.
Generated by Tracdelight. - We do not store these data. Tectumedia is responsible for storing these data. We do not know how long the data are stored.

Emarsys eMarketing Systems AG

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Emarsys HTTP data The Web Extend JavaScript commands capture and record website activity in our database for an indefinite period of time. These data are always anonymous or pseudonymised and cannot be exploited by third parties in the event of a security breach. As no other identification measures are in place, the processing of these data is not restricted by the GDPR.

These data are used to generate statistical models on which many of our personalisation algorithms are based.

The following data are collected:
- Browser and version number
- Operating system
- Referrer URL
- IP address (encrypted and truncated)
- Session and cookie IDs
- Country
Users of the website. Three obligations exist:
- To give the customer an opportunity to object to behaviour tracking.
- To access all of the data you possess which relate to a customer.
- To erase all of the data you possess which relate to a customer.
The Web Extend JavaScript commands capture and record website activity in our database for an indefinite period of time. These data are always anonymous or pseudonymised and cannot be exploited by third parties in the event of a security breach. As no other identification measures are in place, the processing of these data is not restricted by the GDPR.
Emarsys cookie data Web Extend leaves various different cookies in your browser. Cookies normally come in a first-party version and a third-party version; the version is selected based on each visitor’s settings. The domain of the third-party cookies is scarabresearch.com.

Fundamentally, the cookies collect the two following types of information:

Information about the service
- IP address
- Browser
- Cookie identifiers
- Pseudonymised identifiers (external IDs or an encrypted e-mail address) from visitors who are logged in.

Information about surfing habits
- itemIDs taken into consideration
- itemIDs added to the basket
- itemIDs purchased

All non-operational information is collected in an encrypted format. Our cookie guidelines have been checked by the Emarsys data security team and are consistent with our data security standards.

You can find a complete list of all cookies used at https://help.emarsys.com/hc/de/articles/360005205113-gdpr-and-web-extend-all-you-need-to-know#the-web-extend-cookies
Users of the website. The typical expiry date is one year with the exception of the session cookie which is erased at the end of every session
Emarsys profile data The Emarsys database regularly updates data which it has collected during visitor sessions. The pseudonymised identifiers for these sessions are allocated to the identifier keys stored in the contact database of Emarsys.

In the case of an external identifier, the key is entered into a user-defined field generated by MARC O‘POLO.

If the identifier is hashed Emarsys e-mails, the key is stored in the fields PredictUserID and PredictSecret in the contact database.

(Section H.III for more detailed information about the content of the cookies.)
Generated by Emarsys. Three obligations exist:
- To give the customer an opportunity to object to behaviour tracking.
- To access all of the data you possess which relate to a customer.
- To erase all of the data you possess which relate to a customer.
The Web Extend JavaScript commands capture and record website activity in our database for an indefinite period of time. These data are always anonymous or pseudonymised and cannot be exploited by third parties in the event of a security breach. As no other identification measures are in place, the processing of these data is not restricted by the GDPR.

Evaluation of user actions (conversion tracking) by means of Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Evaluation of user actions (conversion tracking).

The behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in a pseudonymised format to make it possible to recognise you on the website in future. Pseudonymised user profiles are derived from this information. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym. The objective of the process is to gauge how effectively a targeted group of people are moved to perform desired actions.

We use the web tracking tool Google Double Click which is provided by Google for this purpose.

The web tracking tool uses cookies for these purposes.

(section H.III. for detailed information about the purposes of the cookies.)
Google Double Click-HTTP-data,

Google Double Click-Cookie-data,

Google Double Click-Profil-data.
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Google LLC.

Strategic targeting of users of the website for advertising purposes (retargeting), including settling accounts with our retargeting partners for ad placement by means of Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing / Microsoft Advertising / Criteo Pixel / Mediards / Flashtalking / Tectumedia

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Strategic targeting of users of the website for advertising purposes (retargeting) through various retargeting partners, including settling accounts with each retargeting partner for ad placement.

The behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in pseudonymised format with a unique ID assigned by each retargeting partner so they can be recognised on our website and on websites which display adverts from each retargeting partner (i.e. publisher), as well as on websites operated by each of our retargeting partners.

Pseudonymised user profiles are derived from this information and stored by the retargeting partner in question together with the unique ID assigned by that retargeting partner. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym. The objective of the process is to make a user who has already shown interest in a website or product aware of the website or product again in order to increase the relevance of adverts and in turn the click and conversion rate (e.g. the order rate).

We use web tracking tools from the following retargeting partners on our website for this purpose:
– Google (Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing)
– Microsoft (Microsoft/Bing Advertising)
– Criteo (Criteo Pixel)
– Mediards (tr.mediards.com)
– Flashtalking
– Tectumedia

The information obtained from each web tracking tool is also used by the retargeting partner to evaluate the adverts which direct users to our website through it so as to be able to measure, in pseudonymised format, the number of visits to our website through those adverts and the purchases made in this way for billing purposes. Using this information, each retargeting partner is also able to stop displaying adverts to users who have already purchased the product in question. In this process, we only learn the total number of users who have clicked on a certain advert from our retargeting partners and were then redirected to a page on our website (conversion page). No personal information relating to the identity of the user is shared.

Additionally, the web tracking tool from our retargeting partner Mediards uses the collected data as part of predictive targeting. On the basis of the user and his or her preferences, Mediards creates statistical twins in order to make them aware of our website and products that might potentially be of interest.

The web tracking tool uses cookies for these purposes. (section H.III. for detailed information about the purposes of the cookies.)

In this context, we and each retargeting partner are responsible for processing personal data with regard to the data protection regulations. Additionally, for more information from our retargeting partners about the processing of personal data, please see their privacy policies:
– Google: https://policies.google.com/privacy?hl=de
– Microsoft Ads: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/privacy-policy
– Criteo: https://www.criteo.com/de/privacy/
– Mediards: https://www.mediards.de/#dataschutz
– Flashtalking: https://www.flashtalking.com/privacypolicy
– Tectumedia: https://www.tectumedia.com/privacy-policy/

On request, we are happy to provide you with the key details of the agreement between us and each retargeting partner (for contact information, see section A.I.).
Google Double Click-Cookie-data
Google Double Click-Profil-data

For Microsoft:
Microsoft-Advertising-HTTP-data
Microsoft-Advertising-Cookie-data
Microsoft-Advertising-Profil-data

For Criteo:
Criteo-HTTP-data
Criteo-Cookie-data
Criteo-Profil-data

For Mediards:
Mediards-HTTP-data
Mediards-Cookie-data
Mediards-Profi-data

For Flashtalking:
Flashtalking-HTTP-data
Flashtalking-Cookie-data
Flashtalking-Profil-data

For Tectumedia:
Tectumedia-HTTP-data
Tectumedia-Cookie-data
Tectumedia-Profil-data
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). For Google:
Google LLC

For Microsoft:
Microsoft Corporation

For Criteo:
Criteo SA

For Mediards:
mediards GmbH

For Flashtalking:
Flashtalking GmbH

For Tectumedia:
Tectumedia GmbH

Facebook-Pixel

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Evaluation of the effectiveness of our Facebook adverts and creation of target groups for our Facebook adverts:

The Facebook pixel captures the actions of users on our website (e.g. making a purchase) and reports the actions to Facebook. If you are registered with a Facebook service, Facebook might be able to link the visit with your account. Even if you are not registered or logged into Facebook, it is possible that Facebook will gain access to and store your IP address and other identifiers.

On the basis of the information it collects, Facebook provides us with aggregated, anonymised measurements relating to our Facebook adverts. In particular, we can tell whether users who see our Facebook adverts perform certain actions on our website, e.g. making a purchase (these are known as conversions).

Additionally, on the basis of the information it collects, Facebook enables us to reach people who have visited our website or carried out a certain action on our website through Facebook adverts within six months of their last visit to our website and optimise our types of target group (audiences). Such adverts can be shown to the users of our website when they visit the social network Facebook or other websites which also use this method.

Facebook also enables us to create “lookalike audiences” on the basis of the information collected by Facebook so we can show our Facebook adverts to people who have similar characteristics to the users of our website.

Facebook merely provides us with aggregated and anonymised assessments or other information generated on the basis of the collected data. We cannot attribute the information provided to us to any natural person. Facebook is responsible for collecting and processing personal data. We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility.
Facebook-Pixel-HTTP-data,
Facebook-Pixel-Cookie-data,
Facebook-Pixel-Event-data,
Facebook-Pixel-Analyse-data.
We do not use automated decision-making within our own sphere of responsibility.

We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility, especially with regard to automated decision-making.
Legal grounds for facilitating the collection of personal data by Facebook on our website:

Point (a) of Article 6(1) of the General Data Protection Regulation (consent)

We do not process personal data within our own sphere of responsibility. We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility, especially with regard to the legal grounds on which Facebook processes the data.
Evaluation of the activity of users of our website for the purposes of Facebook or third parties:

Facebook can also use the information collected by the Facebook pixel for its own purposes or the purposes of third parties, e.g. to create target groups for other clients who wish to display adverts.

Facebook is responsible for collecting and processing personal data. We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility.
Facebook-Pixel-HTTP-data,
Facebook-Pixel-Cookie-data,
Facebook-Pixel-Event-data,
Facebook-Pixel-Analyse-data.
We do not use automated decision-making within our own sphere of responsibility.

We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility, especially with regard to automated decision-making.
Legal grounds for facilitating the collection of personal data by Facebook on our website:

Point (a) of Article 6(1) of the General Data Protection Regulation (consent).

We do not process personal data within our own sphere of responsibility. We have no knowledge of the details of how Facebook processes the data within its own sphere of responsibility, especially with regard to the legal grounds on which Facebook processes the data.

Stylight GmbH

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Stylight is a marketing partner of MARC O'POLO. Stylight is given access to our product data feed (ID, description, size, colour etc. of the individual products) and advertises the individual products on its site. When a customer clicks on one of our products on the Stylight website, he or she is redirected to the MOP product details page. Session tracking is used to measure the relevance of the products so Stylight can use it to rank them. Conversion tracking is used to evaluate user actions. Stylight-http-data,
Stylight-Cookie-data,
Stylight-Profil-data.
No automated decision-making takes place Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Stylight GmbH

Esome container (conversion tracking with Adition, Appnexus and Facebook)

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Evaluation of user actions (conversion tracking), segmentation of visitors and evaluation of campaign performance:

For the purposes of evaluating user actions (conversion tracking), the behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in a pseudonymised format to make it possible to recognise you on the website in future. Pseudonymised user profiles are derived from this information. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym.

The objective of the process is to gauge how effectively a targeted group of people are moved to perform desired actions. We use the web tracking tools provided by Adition, Appnexus and Facebook which we embed into our website using the tag manager of our advertising partner Esome. Adition, Appnexus and Facebook process data on our behalf for the purposes of providing the tool.

Strategic targeting of users of the website for advertising purposes (retargeting) through various retargeting partners, including settling accounts with each retargeting partner for ad placement.

The behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in pseudonymised format with a unique ID assigned by each retargeting partner so they can be recognised on our website and on websites which display adverts from each retargeting partner (i.e. publisher), as well as on websites operated by each of our retargeting partners.

The web tracking tools use cookies for these purposes.(section H.III. for detailed information about the purposes of the cookies.)
Esome-HTTP-data,
Esome-Cookie-data,
Esome-Profil-data.
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Esome advertising technologies GmbH

For Adition:
Adition technologies AG,
Active Agent AG

For Appnexus:
AppNexus Inc.

For Facebook:
Facebook Ireland Limited

Participation in the advertising networks of Awin, Daisycon (only relevant to our Dutch shop) and Tracdelight

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
The participation of our website in various advertising networks (affiliate networks) in order to advertise our products in the most effective way possible, including displaying personalised, interest-based adverts and paying for the advertising campaigns with our promotional partners:
We participate in the advertising networks of the following advertising partners:
– Awin (formerly Affilinet)
– Daisycon (only for the Dutch shop on our website)
– Tracdelight

Tracking pixels from our advertising partners are incorporated into our website so our website can participate in each advertising network. Cookies from our advertising partners are also used in this context. (section H.III. for detailed information about the purposes of the cookies.)
The tracking pixels enable our advertising partners to collect information about how users use our website.

The information obtained in this way is used to evaluate adverts which link to our website from the advertising partner in question so as to be able to measure, in pseudonymised format, the number of visits to our website through those adverts for billing purposes.

Additionally, our advertising partners capture the actions of users on our website and analyse this behaviour in a pseudonymised format. Users of the website are tagged in pseudonymised format so they can be recognised on our website as well as other websites which participate in the advertising network in question. Pseudonymised user profiles are derived from this information. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym. The objective of the process is to determine the interests of a user on the basis of his or her surfing behaviour in order to allocate the user to specific target groups for advertising. This way, the advertising partner in question can show the user more relevant, interest-based and in turn more interesting adverts.

In this context, we and each advertising partner are responsible for processing personal data with regard to the data protection regulations. Additionally, for more information from our advertising partners about the processing of personal data, please see their privacy policies:
https://www.awin.com/de/rechtliches/privacy-policy-DACH
https://www.daisycon.com/de/dataschutzhinweis/
https://www.tracdelight.io/dataschutz/

On request, we are happy to provide you with the key details of the agreement between us and the other controllers (for contact information, see section A.I.).
For Awin:
Awin-HTTP-data,
Awin-Cookie-data,
Awin-Profil-data.

For Daisycon:
Daisycon-HTTP-data,
Daisycon-Cookie-data,
Daisycon-Profil-data. For Tracdelight:
Tracdelight-HTTP-data,
Tracdelight-Cookie-data,
Tracdelight-Profil-data.
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). For Awin:
AWIN AG

For Daisycon:
Daisycon B.V.

For Tracdelight:
tracdelight GmbH

Emarsys eMarketing Systems AG

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Collection and evaluation of how users use the website in order to tailor newsletters to the interests of each subscriber.

If you have consented to Emarsys cookies under Marketing and registered in the online shop and consent has been given by e-mail or post, clickstream data shall be stored in your user profile in order to show you personalised content. Only categories of data such as the last category clicked on or products added to the basket shall be stored; no unique click paths shall be stored.
Emarsys HTTP-data,
Emarsys Profil-data,
Emarsys Cookie-data.
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Emarsys eMarketing Systems AG

Google LLC

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
Processors. EU. Google is certified under the EU–US Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active..

The European Commission has decided that the EU–US Privacy Shield affords an adequate level of protection:
http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

Microsoft Advertising

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Microsoft Corporation

One Microsoft Way, Redmond, WA 98052-6399, United States of America
Processors. USA. -

Criteo

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Criteo SA

32 Rue Blanche, 75009 Paris, France
(Joint) controller. EU. -

Tectumedia

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Tectumedia GmbH

Eichhornstrasse 3, 10785 Berlin, Germany.
Processors. EU. -

mediards

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
mediards GmbH

Im Mediapark 8, 50670 Köln, Germany.
Processors. EU. -

Facebook

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Facebook Ireland Limited

4 GRAND CANAL SQUARE, D2 Dublin, Ireland
(Joint) controller. EU. -

Flashtalking GmbH

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Flashtalking GmbH

Schanzenstr. 35, 51063 Köln, Germany.
Processors. EU. -

Stylight GmbH

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Stylight GmbH

Nymphenburger Str. 86, 80636 Munich, Germany.
Processors. EU. -

Esome Container (Conversion Tracking über Adition, Appnexus und Facebook)

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Esome advertising technologies GmbH Processors. EU. -
Adition technologies AG,

Oststrasse 55, 40211 Duesseldorf, Germany, sowie deren Unter-Auftragsverarbeiter

Active Agent AG, Ellen-Gottlieb-Strasse 16, 79106 Freiburg, Germany.
Processors. EU. -
Facebook Ireland Limited,

4 GRAND CANAL SQUARE, D2 Dublin, Ireland.
Processors. EU. -

Daisycon (nur relevant für unseren niederländischen Länder-Shop)

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Daisycon B.V.,

Alnovum Gebäude, P.J. Oudweg 5, 1315 CH Almere, Netherlands.
(Joint) controller. EU. -

Awin

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
AWIN AG,

Eichhornstraße 3, 10785 Berlin, Germany.
(Joint) controller. EU. -

Tracdelight

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
tracdelight GmbH,

Arabellastraße 23, 81925 Munich, Germany.
(Joint) controller. EU. -

Emarsys eMarketing Systems AG

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Emarsys eMarketing Systems AG,

Hans-Fischer-Str. 10, 80339 Munich, Germany.
Processors. EU. -
III. Use of web analytics technologies (using analytics cookies)

If you have consented to analytical purposes in the cookie settings we shall use web analytics technologies for the following purpose:

· In order to improve the website

· to reach website targets more effectively (e.g. increase the number of page views) and

· to calculate the remuneration of advertising partners (affiliates)

we use the web analytics technologies Google Analytics and Triple A from Artefact. We use cookies for this purpose (section H Analyse).

More detailed information about this is available below:

Google Analytics

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Google Analytics HTTP data. Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web analytics tool Google Analytics is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.

Additionally, links from our advertising partners on our website can contain certain parameters with which we can determine the origins of our users more effectively (e.g. the identification numbers of certain advertising media or campaigns)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web analytics with Google Analytics.
IP anonymisation is active on this website for the web analytics tool Google Analytics. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored.

We shall store the other data for 38 months.
Google Analytics cookie data. Data which are stored in cookies for the web analytics tool Google Analytics on your device.

This includes a unique ID which makes it possible to recognise returning visitors.

(section H.III. for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web analytics with Google Analytics.
38 months.

(section H.III. for information about how long the cookies remain valid.)
Google Analytics profile data. Data which are generated by the web analytics tool Google Analytics and stored in pseudonymised user profiles.

This includes information about how you use the website, especially page visits, the frequency of visits, the time you spend on pages you visit and the origin of the visitor (i.e. which promotional partners or initiatives brought the user to the website), allocated to the unique user ID of each visitor contained in the Google Analytics cookie data.
Generated independently. 38 months.

Artefact TripleA

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
TripleA HTTP data The tool TripleA is used centrally for affiliate marketing. TripleA is a tracking and reporting tool which is used to roll out and measure the effectiveness of online marketing measures. Fundamentally, the tool consists of tracking servers, a central database and the reporting front end. Website visitors The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web analytics with TripleA.
30 days
TripleA cookie data On the tracking servers, data are collected in connection with the display of adverts (impression tracking), the redirection of the visitor to the customer’s website (click tracking), the opening of touchpoints through incorporation into the customer’s website (conversion tracking) and the visit of a user to a customer’s website. Both cookie and pixel technology are used Website visitors The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web analytics with TripleA.
30 days
TripleA cookie data Tracking IDs, time stamps, referrer, truncated IP address Website visitors The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web analytics with TripleA.
30 days

Google Analytics sowie Artefact TripleA

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
To improve the website, to reach website targets more effectively (e.g. increase the number of page views) and to calculate the remuneration of advertising partners (affiliates).

The behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in a pseudonymised format to make it possible to recognise you on the website in future. Pseudonymised user profiles are derived from this information. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym. The objective of the process is to investigate where users come from (e.g. from which advertising partners and advertising campaigns), what sections of the website are visited and how often sub-pages and categories are viewed, including for how long. This way, we can improve our website by tailoring it to the needs of our users, control campaigns more effectively and calculate how much remuneration is due to our advertising partners (affiliates).

We use the following web analytics tools for this purpose:
– Google Analytics from Google
– The analytics tool TripleA from Artefact

The web analytics tools use cookies for these purposes.

(section H.III. for detailed information about the purposes of the cookies.)
For Google Analytics:
Google Analytics HTTP data,
Google Analytics cookie data,
Google Analytics profile data.

For Triple A:
TripleA HTTP data,
TripleA cookie data,
TripleA profile data.
No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in improving the website, reaching website targets more effectively (e.g. increasing the number of page views) and calculating the remuneration of advertising partners (affiliates).
For Google Analytics:
Google LLC.

For Artefact TripleA:
Artefact GmbH.

Google Analytics

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Google LLC

1600 Amphitheatre Parkway Mountain View, CA 94043, USA.
Processors. USA. Google is certified under the EU–US Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

The European Commission has decided that the EU–US Privacy Shield affords an adequate level of protection:
http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

Artefact Triple A

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Artefact Germany GmbH,

Philosophenweg 21, 47051 Duisburg, Germany.
Processors. EU. -
IV. Use of personalisation technologies (use of personalisation cookies)

If you have consented to personalisation purposes in the cookie settings we shall use web analytics technologies for the following purposes:
– To display personalised content in the online shop
– Insert containing personalised content for print advertising

We use cookies for this purpose (section H Personalisation).

More detailed information about this is available below:

Adnymics GmbH

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Adnymics script data Data which are stored in cookies for the web tracking tool Adnymics on your device.

This includes a unique ID which allows Adnymics to recognise logged-in customers who return as well as a product code.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Adnymics.
(section H.III. for information about how long the cookies remain valid.)

Dynamic Yield

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Dynamic Yield HTTP data. Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) for technical reasons when the web tracking tool Dynamic Yield is used on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to carry out web tracking with Dynamic Yield.
IP anonymisation is active on this website for the web tracking tool Dynamic Yield. This means that the IP address sent by your browser for technical reasons is truncated (the last octet of the IP address is deleted) in order to anonymise it before it is stored

We do not store the other data; these data are only stored in Dynamic Yield cookies in your browser (see “Dynamic Yield cookie data” below).
Dynamic Yield cookie data. Data which are stored in cookies for the web tracking tool Dynamic Yield on your device.

This includes information about the types of page you visit (e.g. an order confirmation page, a product details page or a basket), article numbers of the viewed products and the number of products in the basket.

(section H.III. for more detailed information about the content of the cookies.)
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists

If you do not provide the data, we will be unable to carry out web tracking with Dynamic Yield.
We do not store the cookies themselves or the information in the cookies.

(section H.III. for information about how long the cookies remain valid.)

Adnymics GmbH

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
The click and buying behaviour of users is analysed so a parcel insert containing personalised product recommendations can be generated for each user if an order is placed. Adnymics cookie data,
Adnymics profile data.
No automated decision-making takes place Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Adnymics GmbH
Matomo

Dynamic Yield

Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
To show the user product recommendations at specific points in the online shop.

The behaviour of users on our website is captured and analysed in a pseudonymised format. Users of the website are tagged in a pseudonymised format to make it possible to recognise you on our website in future. Pseudonymised user profiles are derived from this information. The pseudonymised user profiles are not merged with data relating to the bearer of the pseudonym. The objective of the process is to make a user who has already shown interest in a website or product aware of the product again in order to increase the relevance of adverts and in turn the click and conversion rate (e.g. the order rate).

Dynamic Yield provides a variety of analyses.

(section H.III. for detailed information about the purposes of the cookies.)
Dynamic Yield HTTP data,
Dynamic Yield cookie data
No automated decision-making takes place. Point (a) of Article 6(1) of the General Data Protection Regulation (consent). Dynamic Yield

Adnymics GmbH

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
adnymics GmbH,

80335 Munich, Germany
Processors. EU.

Dynamic Yield

Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Dynamic Yield

Prinzessinnenstraße 8-14, 10969, Berlin, Germany.
Processors. EU.
V. Use of online contact forms

On the website, we provide you with the means of contacting us via contact forms. We process the information you provide in the contact forms in order to process your enquiry, such as the availability of certain products. Additionally, we might store the information as evidence for the purposes of filing, exercising or defending against legal claims or in order to comply with statutory storage obligations, especially those imposed by tax and commercial law.

When you use the contact forms on the website, the browser you are using on your device will send certain information such as your IP address to the server of our website for technical reasons. We process this information in order to provide the contact forms on the website and ensure the security of the IT infrastructure used to provide the form.

More detailed information about this is available below:

Categories of personal data we process Personal data in the categories Sources of data Obligation to make the data available Duration of storage
Contact form HTTP data. Log data which are generated by the Hypertext Transfer Protocol Secure (HTTPS) when you access contact forms on the website.

These data include your IP address, the type and version of your browser, your operating system, the page you visited, the page you were on previously (referrer URL) and the date and time of your visit.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to provide the website content you wish to access.
Data are stored in server log files in a format which makes it possible to identify the data subjects for up to seven days unless a security incident occurs (e.g. a denial-of-service attack).

If a security incident does occur, server log files shall be stored until the security incident has been overcome and fully investigated.
Contact form data. Data which you share with us in contact forms on the website.

This includes the information you send us in each contact form on the website. It can include the following data in particular: Your name, date of birth, address, phone number, e-mail address and the content of your enquiry.
Users of the website. The provision of data is not required by law or by a contract and is not necessary for the conclusion of a contract. No obligation to make the data available exists.

If you do not provide the data, we will be unable to process your enquiry.
Data shall be stored until we finish handling your enquiry.

Additionally, we shall store these data as evidence for the purposes of filing, exercising or defending against legal claims for a transition period of three years from the end of the year in which you shared the data with us or until the end of any ongoing legal disputes.

Furthermore, we shall store the data for longer if we are subject to a statutory storage obligation, especially under tax or commercial law. Depending on the nature of the documents, we may be obliged to store the data for six or ten years in accordance with tax and commercial law (Section 147 of the German Tax Code (AO) and Section 257 of the German Commercial Code (HGB)).
Purpose of the processing of personal data Categories of personal data we process Automated decision-making Legal grounds and legitimate interests Recipients
Provision of our contact forms on the website.

HTTP data are processed temporarily on our web server for this purpose.
Contact form HTTP data. No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in providing the website content accessed by the user.
Hosting providers.
To guarantee the security of the IT infrastructure used to provide the form, especially to identify, combat and document disruptions in a legally sound manner (e.g. DDoS attacks).

Data are stored temporarily in log files on our web server and evaluated for this purpose.
Contact form HTTP data. No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in guaranteeing the security of the IT infrastructure used to provide the form, especially so as to identify, combat and document disruptions in a legally sound manner (e.g. DDoS attacks).
Hosting providers.
To process your enquiry. Contact form data. No automated decision-making takes place. Where your enquiry concerns a contract to which you are party or steps prior to entering into a contract:

Point (b) of Article 6(1) of the General Data Protection Regulation (performance of a contract or in order to take steps prior to entering into a contract).

Otherwise:

Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

In this case, we have a legitimate interest in processing your enquiry.
Customer service providers.
Storage and processing to serve as evidence for the purposes of filing, exercising or defending against legal claims. Contact form data. No automated decision-making takes place. Point (f) of Article 6(1) of the General Data Protection Regulation (balance of interests).

We have a legitimate interest in filing, exercising or defending against legal claims.
Customer service providers.
Storage of data in order to comply with statutory storage obligations, especially those imposed by tax or commercial law.

Depending on the nature of the documents, we may be obliged to store the data for six or ten years in accordance with tax and commercial law (Section 147 of the German Tax Code (AO) and Section 257 of the German Commercial Code (HGB)).
Contact form data. No automated decision-making takes place. Point (c) of Article 6(1) of the General Data Protection Regulation (compliance with a legal obligation). Customer service providers.
Recipients Role of the recipient Headquarters of the recipient Adequacy decision or appropriate or adequate guarantees for transfers to third countries and/or international organisations
Hosting providers.

(currently: Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA).
Processors. USA. No adequacy decision from the European Commission in the sense of Article 45(3) GDPR applies to transfers to these recipients in the USA.

The transfer is subject to EU standard contractual clauses pursuant to Article 46(5) GDPR which were enacted under Article 26(4) of the previous Data Protection Directive (Directive 95/46/EC). Please contact our data protection officer for a copy of the standard contractual clauses (see the contact details in section A).
Kundenservice-Dienstleister

(derzeit: arvato direct services Dortmund GmbH, Schleefstr. 1, 44287 Dortmund, Germany).
Processors. EU. -

C. Information on the processing of personal data of the customers of our Online Shop

On our website you have the possibility to use our MARC O’POLO online shops, which are available in different country versions through country-specific URLs (e.g. for Germany under www.marc-o-polo.com/de-de/) (the “Country Shops”). You will find a list of the individual Country Shops in Part A, clause 1.1 of our T&Cs. The Country Shops are referred to jointly below as “Online Shop”.

We process various personal data, for example the data you communicate to us in your order form, in order to provide various functions in our Online Shop, to enter into, fulfil and reverse sales contracts, to send emails containing advertising for our own similar products under the conditions set out in section 7(3) German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), ensure the security of the IT infrastructure used to provide the Online Shop, manage and assert claims for payment, provide the review function, conduct a fraud credit check during and after you have completed your order, carry out customer surveys for market research purposes and evidence purposes and meet statutory retention obligations.

You can place orders in our Online Shop “as a guest” or alternatively through a customer account. In our customer shop for Germany, use of our customer account is exclusively limited to participants in our Customer Loyalty Programme MARC O’POLO MEMBERS. The details on processing of personal data of participants in the Customer Loyalty Programme, including use of the customer account, are described in Section E of this Data Protection Information.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
HTTP data Protocol data which accrues when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Basket data Data on the products you place in the basket of the Online Shop.

This includes article description, article number, quantity, size, colour, price and currency.
Users of the Online Shop. Provision of the data is required for a purchase. There is no obligation to provide the data.

If the data is not provided, you will not be able to purchase any articles in our Online Shop.
Before an order is completed:
We do not store this data on our systems on a longer-term basis, but only temporarily at the time of providing our website (e.g. to show the contents of a basket). It is stored on a temporary basis locally in the user’s browser for the duration of the user’s session.

After an order is completed:
Data is saved until your order has been processed in full, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Contact details Data you provide us with during the order process so that we can contact you in order to process your order.

This can include above all the following information: title, surname, first name, postal address, telephone number and email address.
Users of the Online Shop. The provision of the data described in the order process as required is necessary to be able to enter into a contract. There is no obligation to provide the data.

If the data is not provided, it is not possible to enter into a contract.
Data is saved until your order has been processed in full, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Shipping data Data you provide us with during the order process for the delivery of the articles you order.

This includes the shipment method selected, where applicable, and any delivery address you have specified which is different from the billing address.
Users of the Online Shop. Provision of the data is required for a purchase. There is no obligation to provide the data.

If the data is not provided, you will not be able to purchase any articles in our Online Shop.
We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Payment data Data you provide us with to pay for the articles you order. This depends on which payment method you select.

Depending on the payment method, this covers for example your IBAN number, BIC numbers or billing address.
Users of the Online Shop The provision of the data described in the order process as required is necessary to be able to enter into a contract. There is no obligation to provide the data.

If the required information is not provided, you will not be able to enter into a contract.
Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Order data Information about your order.

This includes information on the articles purchased (article description, price, currency, order number), store version used, date and time of purchase, payment method selected and shipment method, and status of your order.
Generated by us. - Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Receivables data Data we process for managing our claims for payment in our internal accounts receivable management system.

This includes in particular information on currently outstanding items, incoming payments, dunning levels, ongoing collection processes and returns.
Payment service providers, debt collection agencies, generated by us. - Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Transaction email data Information from transaction emails which we send in order to process/reverse your order (e.g. order acknowledgements).

This includes the content and time of the transaction emails.
Generated by us. - Data is saved until your order has been fully processed. This also includes possibly reversing the order.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Order and return values Any reasons for return specified in a return. Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot take into account the reasons for the return when calculating and assessing the return rate.
We do not store the reasons for a return on our systems.

We store the return rate for 24 months.
Order and return values Order value and prices of the returned goods and the contact details used by you, which we need for determining your return rate.

To calculate your return rate, we determine the percentage share of your returns on the basis of the total order value which you have generated as a whole from orders in our Online Shop.
Generated by us. - We do not store the reasons for a return on our systems.

We store the return rate for 24 months.
Review data Information which you provide to us when reviewing products.

This includes your email address and a user name which you are free to choose.
Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the site’s review function.
Data is stored as long as your review is shown on our website.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Creditworthiness data Information on the creditworthiness of our customers. This includes in particular the credit reports provided by credit reference agencies based on data in the insolvency and debtors’ registers at the local courts (Amtsgerichte) and registrations of payment behaviour that is in breach of contract by creditors and creditors’ representatives. Credit reference agencies. - We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Creditworthiness data This also includes information generated by us about the timely settlement of our claims and knowledge we have gained from previous fraud and credit checks, such as limits set for your purchases. Generated by us. - We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Market research data Information we collect in connection with customer surveys for market research purposes, in order to analyse in particular customer satisfaction and the contents of our product range in pseudonymised form. Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of our online shop functions on the website.

For this purpose, HTTP data is temporarily processed on our web server.
HTTP data, basket data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Completion and fulfilment of sales contracts entered into via the Online Shop.

DieThis includes in particular processing payments, delivering the goods ordered by you and sending transaction emails in order to inform you about the status of your order.
Basket data, contact details, shipping data, payment data, order data, transaction email data. No automated decision-making takes place. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Hosting provider, Arvato Distribution, parcelLab, system and service mail service provider, delivery service provider, payment service providers.
Carrying out a fraud and credit check before fulfilling your order in order to avoid the risk of a payment default as far as possible. We decide on the basis of mainly automated checks whether we can offer you payments methods and which ones, and/or the extent to which we can fulfil your order to the desired extent.

The fraud and credit check is performed by Infoscore Consumer Data GmbH (part of Arvato Financial Services, Rheinstraße 99, 76532 Baden-Baden) on our behalf (“Infoscore Consumer Data”).
Contact details, basket data, shipping data, order data, accounts receivable data, order and return values and creditworthiness data. Automated decision-making takes place based on the following logic:

The fraud and credit check begin when you enter your contact and shipping details and click on “Next”, before we show certain payment methods for your order.

Infoscore Consumer Data checks on the basis of predefined rules whether fulfilment of the order entails a risk of payment default, meaning that only secure payment methods should be offered, i.e. no purchase on account.

For this purpose, Infoscore Consumer Data first checks your contact and delivery details to verify your age and your contact and delivery details and whether the specified address(es) are correct.

In addition, Infoscore Consumer Data analyses the number and values of the orders over a certain time period. It checks in particular the extent to which your contact and delivery details were used for previous orders, for example whether different email addresses were used for the same billing address within a short period of time. In addition, Infoscore Consumer Data checks the information generated by us regarding timely settlement of our payment claims and knowledge we have gained from previous fraud and credit checks, such as limits set for your purchases. Infoscore Consumer Data examines in particular whether the maximum configured order limit is reached, checks your return rate generated from the order and return values and calculates from our accounts receivable data whether and to what value outstanding items, dunning levels or ongoing collection processes exist.

To calculate your return rate, we determine the percentage share of your returns on the basis of the total order value you have generated as a whole from orders in our online shop.

In addition, Infoscore Consumer Data obtains a credit report from a credit reference agency and transmits your contact and shipping data to the agency for this purpose. The credit report contains a score which is calculated on the basis of a scientifically recognised mathematical-statistical method and can be used to assess the credit risk.

On the basis of the score provided by the credit reference agency and the other checks described above, Infoscore Consumer Data assesses the payment default risk. Infoscore Consumer Data then sends the results of the fraud and credit check to us in automated form, which we interpret on the basis of default rules and determines which payment methods we show in the next step of the order process.
Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to reduce the risk of a payment default as far as possible.
Infoscore Consumer Data, credit reference agency.
Carrying out a fraud check after you have completed your order.

Depending on the result of the automated fraud and credit check described above and before fulfilment of the order, Infoscore Consumer Data additionally carries out a manual fraud check on our behalf upon completion of the order, i.e. after you click on “BUY”, for certain orders.

We have defined rules for selecting the orders we check manually in order to automatically select all orders on the basis of predefined criteria. The criteria for manual checks are in particular the specific payment method selected, the value of the order, your place of residence or the total order value during the last 168 hours using the same contact and shipping data.

During the manual fraud check Infoscore Consumer Data checks whether an increased suspicion of fraud should be presumed to exist in the specific case, taking into account (apart from our internal data) information from publically accessible sources such as Yellow Pages or publically accessible websites. Taking into account Infoscore Consumer Data’ recommendation, we either approve the order or decide to cancel the order in individual cases.
Contact details, basket data, shipping data, order data, accounts receivable data, order and return values, creditworthiness data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests). Our legitimate interest is to reduce the risk of a payment default as far as possible. Infoscore Consumer Data.
Sending emails containing advertising for similar products to customers who have given us their email address during an order in the Online Shop and who have been clearly informed when their email address was collected that they can object to this use of their email address at any time, without any costs arising beyond the basic cost of transmission. We also point out this right to object again every time we use the email address, i.e. in every email containing product recommendations.

We use the information about your previous purchases which is contained in the transaction email data for the promotion of similar products in order to ensure that you only receive advertising which is suited to your interests.
Contact details, transaction email data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to use the email address for direct advertising for our own similar articles under the conditions of section 7(3) German Act Against Unfair Competition.
Cheetah Digital.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the contents of our product range. Market research data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to further develop and improve our product range. Survey agency
Ensuring the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

For this purpose, data is temporarily stored and processed in log files on our web server.
HTTP data, basket data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Managing and asserting our claims for payment. Contact details, accounts receivable data. No automated decision-making takes place. Point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation (compliance with a legal obligation). Debt collection agency.
Reversing sales contracts in the event of a cancellation or other reasons for reversing orders. Contact details, shipping data, payment data, order data, transaction email data, accounts receivable data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to reverse sales contracts.
Delivery service provider.
Provision of the review function.

For this purpose, the details entered by you and your review will be checked and, once they have been successfully verified, published on our website. The review will be shown exclusively under the user name chosen by you.

We will inform you by email that your review has been published.
Review data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the function of the website requested by the user.
Hosting provider.
Storing and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. HTTP data, contact details, payment data, order data, basket data, shipping data, transaction email data, accounts receivable data, creditworthiness data, review data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Hosting provider.
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch– HGB)).
Contact details, payment data, order data, basket data, shipping data, transaction email data, accounts receivable data, review data. No automated decision-making takes place. Point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation (compliance with a legal obligation). Hosting provider.
Recipient Recipient’s location Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Payment service provider Controller EU -
Delivery service provider Controller EU -
parcelLab GmbH

Schillerstr. 23a, 80336 Munich, Germany
Processor EU -
Arvato Distributions GmbH

An der Autobahn 22, 33333 Gütersloh, Germany
Processor EU -
Infoscore Consumer Data GmbH

part of Arvato Financial ServicesRheinstraße 99, 76532 Baden-Baden
Processor EU -
Credit reference agency

(currently: informa Solutions GmbH part of Experian Ltd., Rheinstraße 99, 76532 Baden-Baden, Germany)
Controller EU -
Debt collection companies

(currently: Germany and Netherlands: Paigo GmbH, Rheinstraße 99, 76532 Baden-Baden
Processor EU -
Austria: infoscore austria GmbH, Weyringergasse 1, 1040 Vienna Processor EU -
Switzerland: infoscore Inkasso AG, Ifangstrasse 8, 8952 Schlieren) Processor Switzerland Adequacy declaration of the EU Commission for personal data in Switzerland: http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32000D0518&from=DE
Netherlands: infoscore Nederland B.V., Postbus 3, 8440 AA Heerenveen) Processor Netherlands -
Cheetah Digital Germany GmbH,

Speditionsstraße 1, 40221 Düsseldorf, Germany
Processor EU -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland)
Processor Dublin (Ireland) - European Union (EU) -

D. Information on the processing of personal data of subscribers to our email newsletter

We offer you the possibility on the website to sign up for our email newsletter. The newsletter informs you about new outfits and current product trends as well as our special events, special offers and competitions.

When you sign up for our email newsletter, certain information is collected, for example your email address. We process this information to confirm your subscription and to provide the email newsletters. Apart from this, we store this data for evidence purposes for the establishment, exercise or defence of any legal claims. If you also take part in customer surveys, we will process the data collected in the survey for market research purposes.

When the subscription and unsubscription forms for our newsletter on the website are used, certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the subscription and unsubscription forms for our newsletter on our website.

You will find more detailed information on this below:

Purpose of the processing of personal data Categories of personal data processed Sources of the data Obligation to provide the data Storage data
Newsletter form HTTP data Protocol data which accrues when you access the form to sign up for and cancel our newsletter on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Newsletter subscriber data Data that we collect for subscription to our newsletters.

This includes the following details: email address, first name and surname and, where appropriate, whether you would like to receive newsletters with content for women or men.
Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any newsletters.
We store this data for as long as you are signed up to for our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Newsletter opt-in data Protocol data which accrues for technical reasons when you sign up for and cancel the newsletter.

This includes the data and time you sign up for the newsletter, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address for confirming the device used, and the date and time of any cancellation of the newsletter.
Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to provide you with newsletters.
We store this data for as long as you are signed up to our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Market research data Information which we collect in connection with customer surveys for market research purposes in order to analyse the satisfaction of our customers in pseudonymised form and improve the contents of our product range. Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out and surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the form to sign up for and cancel our newsletter on the website:

For this purpose, data is temporarily processed on our web server.
Newsletter form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider, email newsletter provider, system and service mail provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Newsletter form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider, email newsletter provider, system and service mail provider.
“Double opt-in” to confirm the subscription:

For this purpose, we send an e-mail message containing a request to confirm the email address specified when subscribing. A subscription only becomes effective once the subscriber confirms their email address by accessing the confirmation link contained in the email.
Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the legally conclusive documentation of your consent to receipt of the newsletter.
System and service mail provider.
Sending the newsletter to the email address specified by the newsletter subscriber. The newsletter contains information about products and services of Marc O’Polo Einzelhandels GmbH (e.g. Clothing, Shoes & Accessories, Bags, Junior, Living or the MARC O’POLO MEMBERS programme including cross-channel services), also covering information on current product trends, special events, invitations to take part in customer surveys, special offers or competitions. We use your name to address you personally and to determine gender-specific contents in our email newsletter. Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Email newsletter provider, communications agency.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the contents of our product range. Market research data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to further develop and improve our product range. Survey agency.
Storing and processing for evidence purposes for the possibly establishment, exercise or defence of legal claims. Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Email newsletter provider, system and service mail provider.
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce (Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States).
Processors. USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Email newsletter provider

(currently: Cheetah Digital Germany GmbH, Speditionsstraße 1, 40221 Düsseldorf, Germany)
Processor Germany (EU) -
System and service mail provider

(currently: Amazon SES, Amazon Web Services EMEA SARL, 5 rue Plaetis, Luxembourg, L-2338, Luxembourg)
Processor Luxembourg (EU) -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland)
Processor Dublin (Ireland) - European Union (EU) -
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -

E. Information on the processing of personal data of the participants in the Customer Loyalty Programme

We operate the Customer Loyalty Programme MARC O’POLO MEMBERS (the “Customer Loyalty Programme”). In connection with the operation of the Customer Loyalty Programme we process personal data of the programme’s participants, in particular to provide the web applications in the Online Shop in which participants can provide their data in order to sign up for the Customer Loyalty Programme, to perform the double opt-in process, to operate a customer database, to provide the Customer Loyalty Programme services described in Part C of the T&Cs and on the website, to carry out customer surveys, to send advertising content by post, to send programme-related communications by post, email or telephone, to ensure IT security in the Online Shop and for evidence purposes or to meet statutory retention obligations. We also process your data in order to send personalised advertising content to the communication channels selected by you, for a personalised analysis of your affinity to MARC O’POLO products and to show personalised banner advertising if you have consented to this.

Bricks-and-mortar stores which are run by us or our sales partners take part in the Customer Loyalty Programme (participating bricks-and-mortar stores referred to jointly below as “Bricks-and-Mortar Stores”). A list of current Bricks-and-Mortar Stores can be found in our store finder under www.marc-o-polo.com/stores. You can look for the nearest stores at a specified location or post code here. We mark the Bricks-and-Mortar Stores which take part in the Customer Loyalty Programme in the list of your search results in the store finder with graphic icons. The Country Shop in Germany operated by us also takes part in the Customer Loyalty Programme and is available on the website www.marc-o-polo.com/de-de/ or on the devices in the Bricks-and-Mortar Stores (the version of the German Country Shop available on the devices in the Bricks-and-Mortar Stores is referred to below as the “store version”). The Bricks-and-Mortar Stores and the German Country Shop, including the store version, are also referred to jointly as “Participating Stores”.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage data
Customer master data Required data that you specify when registering for the Customer Loyalty Programme: title, first name, surname, date of birth, postal address, email address and password. If you have been given a provisional customer card (“pre-card”) in a Bricks-and-Mortar Store, this also includes: customer card number and Bricks-and-Mortar Store through which you provisionally registered. Participants in the Customer Loyalty Programme. Provision of the customer master data is required in order to take part in the Customer Loyalty Programme.

If these required details are not provided, you will not be able to take part in the Customer Loyalty Programme.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Customer master data We will save the Bricks-and-Mortar Store where you registered for the Customer Loyalty Programme as your “favourite store” in your customer account.

We also determine your nearest Bricks-and-Mortar Store and nearest factory outlet on the basis of your postal address and store them in our customer database.

In addition, we allocate a personal membership number to every participant in the Customer Loyalty Programme.
Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Email opt-in data Protocol data which accrues for technical reasons when managing your consent to the receipt of email advertising.

This includes the date and time of subscription for email advertising, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address of the device used to confirm, and the date and time of any cancellation of the email advertising.
Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to provide you with email advertising.
We store this data for as long as you are signed up to email advertising or our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Registration protocol data Protocol data which we collect when you register for the Customer Loyalty Programme. This includes: country, language used, date of your registration and the Participating Store where you registered. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Participant’s details Information which the participant specifies in their customer account or when placing orders in the German country store. This includes your contact details (first name and surname), your telephone number, your date of birth, your email address, the delivery and billing addresses and payment methods you use, your preferred communication channels and advertising content, your favourite store, your statement on whether you would like to collect points as part of the Customer Loyalty Programme and the wish list you have compiled in the German country store. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If this data is not provided, we cannot provide certain functions of the customer account and cannot individualise our advertising content on the basis of your participant’s details.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Purchase history Information on your purchases, if you identify yourself as a participant in the Customer Loyalty Programme in a Bricks-and-Mortar Store or identify yourself as a participant in the German country store by entering your log-in details. This includes details of the articles purchased (article description, article number, number, size, colour, price, currency and number of points collected) as well as the location (Online Shop or country, town/city and branch for Bricks-and-Mortar Stores) at the time of the purchase and delivery status. Participating stores - We store this data for as long as you are signed up to the Customer Loyalty Programme.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Article data Information on your selection of products, which we need in order to process the additional options for ordering and reserving articles described in our T&Cs.

This includes information on the article selected by you (article number, colour, size, price) and the transaction number.
Generated by us. - We store this data as part of your purchase history for as long as you are signed up to the Customer Loyalty Programme.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Customer service request data Information you provide us with in your queries to customer service over the phone or using the online contact form, e.g. subject and background of your query. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to individualise our advertising content and sales advice on the basis of this data.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
HTTP data Protocol data which accrues when accessing the Online Shop via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: IP address, type and version of your internet browser, operating system used, page accessed, last site accessed before visiting the site (referrer URL), and date and time of access. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Online use profile data Data in usage profiles which we create by analysing the usage behaviour of participants in the Customer Loyalty Programme in the Country Shop for Germany. This includes: data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited, information about articles you have viewed and/or placed in the basket or placed in the wish list in your customer account, technical information on the device used by you (in particular browser version and device number) and your (click) reactions to our advertising. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Service usage data Information on the nature and scope of the services used by you in connection with the Customer Loyalty Programme, in particular the additional options for ordering and reserving articles and the vouchers redeemed by you. Generated by us - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Segment profile data Allocation to participant segments which we create by analysing customer master data, purchase history, customer service request data, online usage profile data and service usage data. This includes the following segment categories: purchasing activities (lead, new, active, inactive, lost), willingness to pay (zero, basic, full return, good, top, unknown), frequency of purchases (zero order, single order, slow shopper, medium shopper, heavy shopper), discount affinity, channel preference, product preference and latest purchase category. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Market research data Information we collect in connection with customer surveys for market research purposes, in order to analyse in particular the satisfaction of our customers in pseudonymised form and to improve the contents of our programme. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.

a) Processing of personal data on legal bases

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the web applications in the Online Shop where you can notify us of your data for registering for the Customer Loyalty Programme. HTTP data, customer master data, registration protocol data. No automated decision-making takes place. Balancing of interests (Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to provide the website content requested by the participants. Hosting service provider, Online Shop developer
“Double opt-in” to confirm your consent to the receipt of email advertising.

For this purpose, we send an email message requesting that you confirm the email address specified when signing up. A subscription to email advertising only becomes effective once the participant confirms their email address by accessing the confirmation link contained in the email.
Customer master data, email opt-in data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is the legally conclusive documentation of your consent to the receipt of email advertising. System and service mail provider.
Operation of a customer database in which we maintain and the customer master data and participant’s details and keep it up to date. Customer master data, participant’s details. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to operate a well-ordered database as the basis for optimum maintenance of the customer database. Hosting service provider, communications agency.
Provision of the additional options for ordering and reserving articles.

In connection with the options for reserving and collecting articles described in Part C clauses 2.4.1 and 2.4.2 of the T&Cs which you have selected in the German country store, we forward the article data required for putting aside the article(s) (article number, colour, size, price, transaction number, article price) and the customer master data required in order to identify and inform you to the Bricks-and-Mortar Store, which will put aside the article(s) desired by you. We will then inform you by email that the article(s) has been successfully reserved.

If you make use of the option described in Part C clause 2.4.4 of the T&Cs to place online orders in the German country store on a device in the Bricks-and-Mortar Stores, the employees in the Bricks-and-Mortar Stores can view the customer master data and participant’s details stored in the customer account in order to assist you during the order process and/or when logging on to your customer account.
Article data, customer master data, participant’s details. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Bricks-and-mortar stores.
Provision of the functions of the customer account and a more convenient order process in the German country store.

We use the email address and password specified during your registration as log-in details for your customer account.

You can conveniently maintain the customer master data, participant’s details and advertising preferences specified by you and your wish list in your customer account.

When you are automatically logged on to your customer account during the order process in the German Country Shop, information requested during the order process (e.g. the invoice address) is automatically pre-filled using the data saved in the customer database, in order to make the order process even more convenient for you.

On the basis of your purchase history we give you an overview of your previous purchases in the Participating Stores in your customer account and show you the processing and delivery status of orders placed in the German Country Shop.
Customer master data, participant’s details, purchase history, HTTP data, payment data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Hosting service provider, Online Shop developer.
Recording the purchase history in the Participating Stores in order to calculate your latest points on this basis for the issue of vouchers and to show them in your customer account. Purchase history, customer master data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Participating stores.
Calculating your latest points, issuing and sending the voucher acquired with the points by post. Customer master data, purchase history. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Post service provider, communications agency.
Provision of a customer hotline over which you can request your latest points and other information, for instance regarding your membership, special events and offers or new collections. Employees of the customer hotline can access data saved in the customer database in order to provide you with the best possible individual advice. All the data referred to in Section E.1. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Customer service provider.
Sending information material on the components of the Customer Loyalty Programme and relevant personalised advertising for your own offers (e.g. information about MARC O‘POLO, product information, newsletters, invitations to take part in customer surveys and exclusive offers or invitations to take part in competitions, events and special offers by the Participating Stores) by post. For this purpose, we use the postal address which you have specified when registering for the Customer Loyalty Programme or you have saved in your customer account as your billing address.

We use the title specified in your registration and your name to address you personally and to determine gender-specific contents in our advertising material.

We use the date of birth specified by you in order to send you personalised birthday greetings and information appropriate to your age.

We save the store where you registered, stores which are close to any address specified by you and the store specified as your favourite store in your customer account to send you invitations to store-relevant events and special offers.

We use your participant’s details, purchase history, online usage profile data, service usage data and segment profile data to send you contents reflecting your personal preferences.
Customer master data, participant’s details, online usage profile data, purchase history, service usage data, segment profile data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is the use of the postal address for direct advertising. Post service provider, communications agency.
Provision of information by post, email or phone, to the extent that this is necessary to carry out the Customer Loyalty Programme or services provided in connection with it (referred to jointly below as “Programme Communication”). The Programme Communication includes in particular but not exclusively emails, telephone calls or postal information confirming your registration, messages on your latest points or information on the organisational processing of your purchases or the services used by you, such as messages on that an order has arrived or has been reserved in a Bricks-and-Mortar Store, clarification of complaints or payment errors, information on the alteration service or exclusive shopping appointments. Customer master data, participant’s details, article data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Bricks-and-mortar stores, system and service mail provider, communications agency.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the functions of the Customer Loyalty Programme. Market research data No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to develop and improve the Customer Loyalty Programme. Survey agency, hosting service provider, Online Shop developer.
Ensuring the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

For this purpose, data is temporarily stored and evaluated in log files on our web server.
HTTP data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting service provider, Online Shop developer.
Storage for evidence purposes for the possible establishment, exercise or defence of legal claims. Customer master data, email opt-in data, registration protocol data, participant’s details, customer service request data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Customer service provider
Proper accounting and storage in order to comply with contractual and statutory requirements, in particular commercial and tax law document retention obligations. Customer master data, participant’s details. No automated decision-making takes place. Compliance with a legal obligation (point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation), in particular compliance with statutory requirements regarding proper accounting and other statutory requirements, in particular professional, commercial and tax law document retention obligations.

The legal basis is also the performance of a contract, the other party being the data subject (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation).
Customer service provider

b) Processing of personal data on the basis of your consent

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Sending information material on the components of the Customer Loyalty Programme and relevant personalised advertising for your own offers (e.g. information on MARC O‘POLO, product information, newsletters, invitations to take part in customer surveys and exclusive offers or invitations to take part in competitions, events and special offers by the Participating Stores) to the communication channels selected by the participant (email, SMS, WhatsApp or by telephone call). We use the latest details saved by you in your customer account for these purposes.

You can select or change the communication channels at any time in your customer account.

We use the title specified in your registration and your name to address you personally and to determine gender-specific contents in our advertising material.

We use the date of birth specified by you in order to send you personalised birthday greetings and information appropriate to your age.

We save the store where you registered, stores which are close to any address specified by you and the store specified as your favourite store in your customer account to send you invitations to store-relevant events and special offers.

We use your participant’s details, purchase history, online usage profile data, service usage data and segment profile data in order to send you content reflecting your personal preferences.

We also send you reminder emails if you have not completed an order in the Online Shop or if articles are still listed in your wish list in the customer account.
Customer master data, participant’s details, online usage profile data, purchase history, service usage data, segment profile data. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). Email service provider, survey agency, communications agency.
Personalised analysis of the affinity of participants in the Customer Loyalty Programme to MARC O‘POLO products for the purpose of personalising and structuring advertising content reflecting the user’s needs. For this purpose, we use different analysis methods allowing us to individualise the advertising contents as well as possible and to tailor them to your personal interests, which we derive from the information saved in our customer database. By individualising the advertising contents in this way, we wish to ensure that you mainly receive information which we regard as being particularly interesting for you. All data referred to in E.1. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). Survey agency.
Displaying personalised banner advertising on our website and on third-party websites on the basis of your online usage profile data and the segment profile data.

The behaviour of users on our website is recorded and analysed for (re-)targeting participants of the Customer Loyalty Programme through advertisements. Users of the website are marked in pseudonymised form so that they can be recognised again on the website or another website. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

For these purposes, cookies are used on our website, provided that the participant has consented to this. You will find more information on this when you visit the website, where you have the possibility to consent to the placing of the cookies for these purposes.
Online usage profile data and segment profile data based on this. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). -
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce.com, inc. (The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Email service provider

(currently: Cheetah Digital Germany GmbH, Speditionsstraße 1, 40221 Düsseldorf, Germany)
Processor Germany (EU) -
System and service mail provider

(currently: Amazon SES, Amazon Web Services EMEA SARL, 5 rue Plaetis, Luxembourg, L-2338, Luxembourg)
Processor Luxembourg (EU) -
Bricks-and-mortar stores/Participating Stores (if operated by sales partners)

A list of currently participating Bricks-and-Mortar Stores can be found in our store finder under www.marc-o-polo.com/stores. You can look for the nearest stores at a specified location or post code here. We mark the Bricks-and-Mortar Stores which take part in the Customer Loyalty Programme in the list of your search results in the store finder with graphic icons.
Processors, provided they assist in provision of the services of the Customer Loyalty Programme described in Part C of the T&Cs and on the website, in particular the additional options for ordering and reserving articles according to Part C, clause 2.4.1, 2.4.2 or 2.4.4 of the T&Cs or Programme Communications.

When recording and forwarding the purchase history to us, the Bricks-and-Mortar Stores act as controllers.
Germany (EU) -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland).
Processor Dublin (Ireland) - European Union (EU) -
Customer service provider

(currently: arvato direct services Dortmund GmbH, Schleefstr. 1, 44287 Dortmund, Germany)
Processor Germany (EU) -
Post service provider

(currently: Deutsche Post AG (Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany) und UPS, United Parcel Service (Germany S.à r.l. & Co. OHG, Görlitzer Str. 1, 41456 Neuss, Germany)
Controller Germany (EU) -
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -
Online shop developer:

MOBIZCORP EUROPE LTD. Viernheim branch, August-Bebel-Straße 26, 68519 Viernheim, Germany
Processor Germany (EU) -

F. Information on the processing of personal data of our subscribers to postal advertising

From time to time, we offer you the option to sign up for advertising communications by post on our website (www.marc-o-polo.com) and/or in our Bricks-and-Mortar Stores. In our postal advertising we inform you for example about new outfits and current product trends as well as our special events, special offers and competitions.
When you sign up for our postal advertising, we record your name and postal address and process them for delivering the postal advertising. Apart from this, we store this data for evidence purposes for the establishment, exercise or defence of any legal claims.

When the subscription and unsubscription forms for our postal advertising on the website are used, certain information, for example your IP address, is sent to the server on our website by the browser used on your device for technical reasons. We process this information in order to provide the subscription and unsubscription forms for our postal advertising on our website.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Registration form HTTP data Protocol data which accrues when you access the form for signing up for and cancelling our postal advertising on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Subscription data Data which we collect when users sign up for postal advertising.

This includes the following details: first name and surname and your postal address.
Subscribers to postal advertising. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any postal advertising.
We store this data for as long as you are signed up to our postal advertising.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you have unsubscribed and in the event of any legal disputes until such have been concluded.
Registration protocol data Protocol data which accrues when you sign up for postal advertising on our website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons. This includes: date and time of registration and IP address of the device used.

Protocol data which we collect for evidence purposes when you sign up for postal advertising in our Bricks-and-Mortar Stores. This includes: date and time of registration.
Generated by us. - We store this data for as long as you are signed up to our postal advertising.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you have unsubscribed and in the event of any legal disputes until such have been concluded.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the form to sign up for and cancel our postal adverting on the website:

For this purpose, HTTP data is temporarily processed on our web server.
Registration form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Registration form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Sending the postal address specified by the subscriber. The postal advertising contains information about products and services of Marc O’Polo Einzelhandels GmbH (e.g. Clothing, Shoes & Accessories, Bags, Junior, Living or the MARC O’POLO MEMBERS programme including cross-channel services), also covering information on current product trends, special events, invitations to take part in customer surveys, special offers or competitions.

We use your name to address you personally and to determine gender-specific contents in our advertising content.
Subscription data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Communications agency, delivery service provider.
Storage and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. Subscription data, registration protocol data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
-
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce.com, inc. (The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -
Delivery service provider Controller Germany (EU) -

G. Information on the processing of personal data of people entering our competitions

From time to time, we offer you the option to enter various competitions on our website and by other channels (e.g. entry postcards). We process the information provided by you in the relevant entry form (which is pre-filled for reminder mail subscribers, where applicable) in order to carry out the competition concerned and to hand over the prizes in line with the applicable entry terms and conditions accepted by you.

In some competitions, we also offer you the possibility on the website to sign up for reminder mails in which we inform you about our competitions, as explained in more detail in the relevant entry form. We process the information accruing in this context in order to confirm your subscription and to provide reminder mails.

We also store the information accruing in connection with participation in competitions or subscriptions to reminder mails for evidence purposes for the establishment, exercise or defence of any legal claims and, where applicable, to meet statutory, in particular commercial and tax law document retention obligations.

If you enter competitions or sign up for reminder mails on our website (e.g. competition or subscription forms) information, for example your IP address, is sent to our website server by the browser used on your device for technical reasons. We process this information in order to provide the website content requested by you. We process this information in order to provide the forms on our website. To ensure the security of the IT infrastructure used to provide the website, this information is also stored temporarily in a so-called web server log file. When you use such forms on our website, you often also have the option to sign up for our newsletter. You will find more detailed information on the processing of personal data in connection with the newsletter in Section A of this Data Protection Information.

You will find more detailed information on the processing of personal data in connection with entering competitions and signing up for reminder mails on our website below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Form HTTP data Protocol data which accrues when requesting forms to enter a competition and to sign up for competition reminder mails on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Competition entrants (only for entering competitions through an online form on our website, e.g. competition or subscription forms). Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of six weeks, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Entry form data Data which you provide us with in the entry form for the competition concerned.

This includes information you provide us with in the relevant entry form and which we need in order to carry out the competition in line with the entry terms and conditions.

The actual data requested depends on the specific competition you wish to enter. We typically collect at least your name and your address. Depending on the type of competition, this also includes other data, which we will inform you about in the relevant entry form.
Competition entrants. Provision of the data is a requirement to enter the competition concerned. There is no obligation to provide the data.

If the data is not provided, you cannot enter the competition.
Data is stored until the end of the relevant competition.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Prize winner data Data which you additionally provide us with if you are a winner in a competition.

This includes information which we need for providing the prize, such as your full name, address, clothing or shoe size and information on whether you have accepted the prize concerned.
Competition winners. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot send your prize to you.
Data is stored until the end of the competition concerned.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Prize data Data on the prizes won by the various winners.

This includes information on which winner won which prize.
Generated by us. - Data is stored until the end of the competition concerned.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Reminder mail subscription data Data which we collect when users sign up for possible competition reminder mails for our competitions.

This includes the following details: email address, title, first name and surname.
Reminder mail subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If these required details are not provided, we cannot provide you with reminder mails.
We save this data for the time period stated in the subscription form for the relevant reminder mail, which normally corresponds to the time period specified in the entry terms and conditions of the relevant competition campaign.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you unsubscribed or in which the period of the reminder mails ended and in the event of any legal disputes until such have been concluded.
Reminder mail opt-in data. Protocol data which accrues when signing up for and cancelling reminder mails via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes the date and time of registration for the reminder mail, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address of the device used to confirm, and the date and time of any unsubscription from the reminder mails.
Reminder mail subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any reminder mails.
We save this data for the time period stated in the subscription form for the relevant reminder mail, which normally corresponds to the time period specified in the entry terms and conditions of the relevant competition campaign.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you unsubscribed or the time period of the reminder mails ended and in the event of any legal disputes until such have been concluded.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Only for entering competitions through an online form on our website, e.g. competition or subscription forms:

Provision of the (where applicable pre-filled) forms for taking part in a competition and the form for registering for reminder mails on the website:

For this purpose, data is temporarily processed on our web server.

If you have signed up for a reminder mail and have requested the entry form via the entry link in you reminder mail, we already fill out the entry form with the details specified by you when you sign up for the reminder mail. For this purpose, we add a randomly generated (hash) value to the entry link which we can use to match it to your consent mail subscription data. You can modify this data at any time before sending off the entry form.
Form HTTP data, reminder mail subscription data (where applicable). No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

If the data is not provided, we cannot provide the requested website content.
Hosting provider.
Only for entering competitions through an online form on our website, e.g. competition or subscription forms:

Ensuring the security of the IT infrastructure used for the provision of the forms for entering a competition and signing up for reminder mails, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Form HTTP data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the forms, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Registration for the relevant competition and selection of winners in line with the entry terms and conditions for the competition concerned which have been accepted by you. Participation form data, prize data. The winner is drawn by random selection. This selection takes place automatically without human intervention. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Hosting provider.
Notifying prize winners and providing the prizes in line with the entry terms and conditions for the competition concerned which have been accepted by you. Participation form data, prize winner data, prize data. No automated decision-making takes place. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Delivery service provider (where applicable).
“Double opt-in” to confirm a possible ubscription:

For this purpose, we send an email address requesting confirmation of the email address specified in the subscription. A subscription only becomes effective when the subscriber confirms their email address by accessing the confirmation link contained in the email.
Reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the legally conclusive documentation of your consent to receipt of the reminder mails.
Hosting provider.
Sending the reminder mails to reminder mail subscribers.

We use the optional details specified by you when signing up to address you by name in the reminder mails.
Reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Hosting provider.
Storage and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. Participation form data, prize winner data, prize data, reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation.

Our legitimate interest is the establishment, exercise or defence of legal claims.
-
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Participation form data, prize winner data, prize data. No automated decision-making takes place. Compliance with a legal obligation (point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation). -
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Delivery service provider

Arvato distribution GmbH, Carl-Bertelsmann-Str. 32, 33330 Gütersloh, Germany
Controller EU -

H. Information about the use of cookies

We use cookies in connection with our website and the products and services provided on our website. We use the processing and storage features of the browser on your device and collect information from your browser cache.

More detailed information about this is available below.

I. General information about cookies

Cookies are small text files containing information which can be stored on your device by your browser when you visit a website. If you visit a website again using the same device, the cookie and the information stored in it can be read.

1. First-party and third-party cookies

First-party cookies and third-party cookies differ depending on where the cookie originated from:

First-party cookies

Cookies which are stored and read by the operator of the website as the controller or by a processor engaged by the operator of the website.

Third-party cookies

Cookies which are stored and read by other controllers than the operator of the website who are not acting as processors on behalf of the operator of the website.

2. Session and persistent cookies

Session and persistent cookies also differ in terms of their period of validity:

Session cookies

Cookies which are erased automatically when you close your browser.

Persistent cookies

Cookies which remain on your device for a period of time after you close your browser.

3. Cookies which require and are exempt from consent

Depending on their function and purpose, the use of certain cookies can be subject to the consent of the user. As such, cookies differ depending on whether or not their use requires the consent of the user:

Cookies which are exempt from consent

Cookies whose sole purpose is to transmit a communication over an electronic communications network.

Cookies which are exempt from consent

Cookies which are strictly necessary in order to provide an information society service explicitly requested by the subscriber or user (“strictly necessary cookies”).

Cookies which require consent

Cookies for all other purposes than those described above.

II. Administration of the cookies used on this website

1. Consent to the use of cookies and administration of cookies through the privacy and cookie settings

Where the use of certain cookies requires the consent of the user, we shall only use those cookies when you use the website if you have previously consented to it. For information about whether the use of a cookie requires consent, see the information about the cookies used on this website in section H.III of this privacy policy.

When you visit our website, a cookie banner will appear in which you can click on a button to consent to the use of cookies on this website. By clicking on the designated button, you can consent to the use of all cookies described individually in section H.III of this privacy policy. Alternatively, you can click on the button Cookie Settings to make a custom selection of cookies and make changes to your selection at a later date. Likewise, we shall store your consent and any individual selection of cookies you make in the form of a cookie (an opt-in cookie) on your device in order to determine whether you have already granted consent if you visit the website again in future. The opt-in cookie has a limited validity period of six months.

Strictly necessary cookies cannot be deactivated using the cookie administration tool on this website. However, you can deactivate such cookies at any time through your browser settings.

2. Administration of cookies through browser settings

You can also manage the use of cookies in your browser settings. Different browsers provide different means of configuring the cookie settings in the browser. For example, you can find more detailed information about this on http://www.allaboutcookies.org/ge/cookies-verwalten/.

However, please note that some of the features of the website might no longer work properly or at all if you deactivate all cookies in your browser.

3. Cookies used on this website

The following cookies can be used on this website:

These cookies do not require consent.

Salesforce cookies

Name First party / third party Purpose and content Period of validity
cqcid First party Hashed IDs for unregistered shoppers Session
dwsid First party To identify the current session Session
sid First party To identify the current session Session
__cq_bc First party First-party version of the bc cookie. Contains activity history, such as the last 10 products viewed by the shopper. 30 days
__cq_uuid First party First-party version of the UUID cookie of a third-party provider. Contains a randomly generated user ID. Is used to collect information about the activity of the buyer on the website of the retailer. This information is also used for analytical purposes, including Commerce Cloud reports and dashboards. 1 year
uuid Third-party version of the first-party cookie __cq_uuid used on .cquotient.com. Contains a randomly generated user ID. Is used to track data for analytical purposes, including the analyses of Commerce Cloud as described in the trust and compliance documentation, e.g. Commerce Cloud reports and dashboards. 1 year
dwanonymous_* First party A random ID to identify an unregistered buyer or a buyer who has not yet registered regardless of the session. For example, it is used to track basket and ordering activity as well as for analytics. It is not used for activities which take place after the buyer has created an account. The * in the cookie name is a unique value for the site. 180 days
privacy First party Cookie banner 3 months

Fit Analytics GmbH

Name First party / third party Purpose and content Period of validity
connect.sid third party Session cookie which improves functionality and identifies the user
fita.config third party Cookie which stores the local user preferences for opting out
fita.sid.marcopolo First party Copy of the cookie connect.sid yet contains our domain name
__cfduid third party Cookie from our hosting provider Cloudflare (Cloudflare Inc.) which protects the server, defends against hackers and optimises performance

These cookies require your consent.

Google Ads Remarketing-Cookies

Name First party / third party Purpose and content Period of validity
NID

SID

DIE

IDE

ANID

DSID

FLC

AID

TAID

exchange_uid

__gads

gac
First party These cookies are used by the Google Ads remarketing pixel, a web tracking tool which strategically targets users of the website (this is known as (re)targeting; see section B).

We have incorporated the Google Ads remarketing pixel into our shop; when a visitor visits our shop, the pixel is loaded and it stores a cookie (tag) in the user’s browser to tag that user.

Information is stored in the cookie depending on what pages of the shop the customer has visited; if, for example, the customer has viewed various products, this information is stored so product adverts can be shown to the customer on other websites. In this case, the product IDs are stored in the cookie.

In general, we add the product ID, the price, the page type and the number of products to the cookies for this reason.

Besides the cookie settings on our website, the user can deactivate personalised advertising from Google in general: https://adssettings.google.com/authenticated?hl=de
Persistent:
60 days

Microsoft Advertising

Name First party / third party Purpose and content Period of validity
MUID

MUIDB
third party Like Google Ads (text) 1 year

Criteo-Cookies

Name First party / third party Purpose and content Period of validity
ASP.NET_Sessionid third party The session ID is used to identify a browser on the server unequivocally. Session
r.ack third party EBS cookie which is mainly used for Safari. 1 hour
uid third party Identifies users for the purposes of remarketing (displaying dynamic banners with the most important product-specific recommendations on the basis of statistical data and data collected through surfing) 1 year
optout third party Opt-out cookie. Enables the user to opt out of the Criteo service. 5 years
uic third party Identifies the context of the user, e.g. what stage of the purchase process the user is in, if the user has viewed one or more products or if a product has been added to the basket. It enables us to evaluate, for example, how likely the user is to make a purchase on the basis of his or her browser history and actions on the website. 6 months
evt third party Event cookie. This contains information about the last page visited on the customer’s website. It is used in the product recommendation during the banner display process. 6 months
udc third party Dynamic inventory selection. It contains a list of sellers where the user is profitable and supports tagging and de-tagging functionality. Criteo works with a very large number of sellers in Germany. A seller usually has one or more websites on which Criteo displays its adverts. De-tagging a user means that a user who, for example, has purchased a product is de-tagged for that product. 6 months
acdc third party Advanced Criteo data collection. It contains (optional) additional data in connection with the user, e.g. whether the user is visiting the website from a mobile or stationary end device. It is used to improve campaign performance continuously. 6 months
zdi third party Passback loop detection. This registers how often a user triggers a passback in a zone of a publisher. Publishers are a variety of marketers within our network where we display adverts for our customers. 6 months
eid third party External ID. This contains the user ID of our publishers/marketers. It is used to sell our mid-market inventory. We have a variety of marketers in our network. If it is not used, the inventory we have purchased is sold on programmatically. 6 months
opt third party The opt cookie contains information about whether a user has opted out of our service or the service of one of the marketers on our network and therefore no longer wishes to receive personalised adverts. 1 year

Mediards-Cookies

These cookies are used by the web tracking tool Mediards which strategically targets users of the website for the purposes of (re)targeting.

Name First party / third party Purpose and content Period of validity
Tr.mediards.com third party This cookie stores the following:
—PageLanguageCode (dede) – Product IDs
– OrderID
– OrderValue
– Currency and
— the page URL.
Transient.

Facebook Pixel-Cookies

These cookies are used on our website for the Facebook pixel (see section B).

Name First party / third party Purpose and content Period of validity
c_user First party Is used together with the xs cookie to authenticate your identity with Facebook (user ID). 90 days
datr First party Browser ID and time stamp

Identifies the browser for the purposes of security and website integrity, including account restoration and the identification of potentially compromised accounts.
Persistent:
2 years
sb First party Browser ID and time stamp

Identifies the browser for the purposes of log-in authentication
Persistent:
2 years
wd First party Screen or window dimensions

Makes it possible to optimise the display on the user’s monitor
Persistent:
7 days
xs First party Session ID, creation time, authentication value, secure session status, caching group ID. Is used together with the C_user cookie to authenticate the identity of the user with Facebook. Persistent:
90 days

Flashtalking

Name First party / third party Purpose and content Period of validity
_D9J third party 1 year
flashtalkingad1 third party 2 years

Stylight

Name First party / third party Purpose and content Period of validity
.stats-bq.stylight.net third party 1 year / 2 years

Esome container (conversion tracking with Adition, Appnexus and Facebook)

These cookies are used by the web tracking tools Adition, Appnexus and Facebook which are incorporated into the website by means of the Esome container to evaluate user actions (conversion tracking), segment visitors and evaluate campaign performance (see section section B).

Name First party / third party Purpose and content Period of validity
AppNexus Segmentation First party Each of these cookies may store the following:
– Time stamp
– Unique ID to recognise returning visitors
Persistent:
30 to 365 days
Adition Segmentation First party Each of these cookies may store the following:
– Time stamp
– Unique ID to recognise returning visitors
Persistent:
30 to 365 days
Activate Agent Segmentation First party Each of these cookies may store the following:
– Time stamp
– Unique ID to recognise returning visitors
Persistent:
30 to 365 days
Facebook Audiences First party Each of these cookies may store the following:
– Time stamp
– Unique ID to recognise returning visitors
Persistent:
30 to 365 days

Daisycon cookies, only NL

Name First party / third party Purpose and content Period of validity
PHPSESSID third party Guarantees the unique nature of the visitor and measures whether the click generates a transaction for the advertiser during the session. Transient.
DCI,
PDC
third party Guarantees the unique nature of the visitor and measures whether the click generates a transaction for the advertiser during the session. Persistent:
30 days.
ci_{program_ID},
ca_{program_ID},
si_{program_ID}
third party Measures whether the click generates a transaction for the advertiser. Persistent:
30 days.
__cfduid third party This cookie uses the service Cloudflare to capture secure Internet traffic.
It is placed for the advertiser when you click and is retrieved with the conversion pixel.
Persistent:
30 days.

Awin

Name First party / third party Purpose and content Period of validity
bId third party Defines a browser-specific ID in order to identify a new click in the same browser. 1 year
aw*****
(Although the cookie name is different for every advertiser, the letters are “aw” followed by an ID representing the advertiser, e.g. aw1001.)
third party Activates when you click on one of our links. It stores IDs for referring websites, adverts you click on, groups of adverts to which the advert belongs, the time you clicked on it, the ID of the type of advert, the ID of the product and all references which the referring website adds to the click. 30 days
AWSESS third party Stores when you see an advert in order to ensure that we do not always show you the same advert. An ID for the advert you have seen. Expires at the end of the session when you close your browser browser closing
awpv*****
(Although the cookie name is different for every advertiser, the letters are “aw” followed by an ID representing the advertiser, e.g. awpv1001.)
third party Activates when you see an advert. Stores an ID for the website on which the advert is displayed and the time when you saw the advert. 24 hours
_aw_m_*****
(Although the cookie name is different for every advertiser, the letters are “aw” followed by an ID representing the advertiser, e.g. _aw_m_1001.)

Tracking cookies set for AWIN by Advertisers on the Advertiser's domain
third party Activates when you click on one of our links. It stores IDs for referring websites, adverts you click on, groups of adverts to which the advert belongs, the time you clicked on it, the ID of the type of advert, the ID of the product and all references which the referring website adds to the click. 30 days

Tracdelight-Cookies

Name First party / third party Purpose and content Period of validity
Click cookies (parameters: revenue, OID, publisher advertising space, click time, transaction time) First party These cookies are necessary to calculate and pay the remuneration of partners; no personal data are collected Persistent:
30 days.

Google Ads conversion pixel cookies

Name First party / third party Purpose and content Period of validity
Conversion

AID

DSID

TAID
First party These cookies are used the Google Ads conversion pixel, a web tracking tool which evaluates user actions (conversion tracking) (see section B). They contain placeholders for the following information:
– Unique ID to recognise returning visitors [we understood that MOP wanted to clarify this information with Metapeople]
– Page type (e.g. order confirmation page, product details page, basket),
– Order number
– Net basket price (excluding delivery costs, excluding VAT, excluding payment costs, excluding vouchers)
– Product numbers and prices

The conversion pixel stores the purchasing and surfing habits of users. This includes the following information:
– What product the customer purchased and at what price
– What pages the customer navigated to
– What was the total price of products in the basket

This information is used to gauge the success of the adverts (e.g. whether the use of banners and videos generated revenue). Additionally, these data are used to pseudonymised customers and add them to retargeting lists in order to show them personalised adverts or exclude them from campaigns (e.g. excluding men from a campaign for women).

(see also “Google Ads remarketing cookies” below)
Persistent:
60 days.

Doubleclick/Floodlight

Name First party / third party Purpose and content Period of validity
DSID third party 14 days
IDE third party 1 year
vscr_vid third party 1 year
_fbp third party 30 days

Tectumedia

These cookies are used by the web tracking tools Google, Display.me, Mervellousmachine, mpnrs.com and Doubleclick which are incorporated into the website by means of the Tectumedia container (see section B).

Name First party / third party Purpose and content Period of validity
dsply_nth_3749 third party Campaign optimisation. 1 year
dsply_nin_3793 third party Campaign optimisation. 1 year
dsply_dlkl_3793 third party Campaign optimisation. 6 months
dsply_ost_3749 third party Campaign optimisation. 1 year
dsply_ost_3793 third party Campaign optimisation. 6 months
dsply_kc_3749 third party Campaign optimisation. 1 year
dsply_kc_3793 third party Campaign optimisation. 1 year
dsply_dlkl_3749 third party Campaign optimisation. 1 year
dsply_vid third party Campaign optimisation. 1 year
ata third party Campaign optimisation. 1 year

These cookies require your consent.

Emarsys eMarketing Systems AG

Name First party / third party Purpose and content Period of validity
scarab.visitor First party Browser-ID – Identifies the browser for the purposes of log-in authentication 1 year
cdv third party Browser-ID – Identifies the browser for the purposes of log-in authentication 1 year
scarab.profile First party Information about the user profile, searched products etc. as well as script performance metrics (load/run speed etc.) – these cookies are encrypted 1 year
xp third party Information about the user profile, searched products etc. as well as script performance metrics (load/run speed etc.) – these cookies are encrypted 1 year
scarab.mayAdd & scarab.mayViewed First party Session cookies which we use to track click paths and articles in the basket. Duration of the web session
s third party Session cookies which we use to track click paths and articles in the basket. Duration of the web session

Artefact-Triple-A-Cookies

Name First party / third party Purpose and content Period of validity
meta_{ID KAMPAGNE},

({ID KAMPAGNE} stands for an identification number which represents the corresponding market (e.g. Germany or Austria).)
First party These cookies are used by the web analytics tool Google Analytics to capture and analyse user behaviour on our website in order to improve the website (see section B). They contain placeholders for the following information:
– Country code, e.g. AT, DE, CH
– Unique ID to recognise returning visitors
– Order number
– Net basket price (excluding delivery costs, excluding VAT, excluding payment costs, excluding vouchers)
– Number of products in the basket
– Produktnummern
– Product categories
– Size of the products
– Status as new or existing custome
– Payment method (invoice, cash on delivery, credit card, PayPal, iDeal)
– Whether or not a voucher has been used, voucher code, type and value
– Whether or not the user has subscribed to the newsletter
– Gender
Persistent:
30 days.
meta_{ID KAMPAGNE}s

({ID KAMPAGNE} stands for an identification number which represents the corresponding market (e.g. Germany or Austria).)
First party These cookies are used by the web analytics tool Google Analytics to capture and analyse user behaviour on our website in order to improve the website (see section B). They contain placeholders for the following information:
– Country code, e.g. AT, DE, CH
– Unique ID to recognise returning visitors
– Order number
– Net basket price (excluding delivery costs, excluding VAT, excluding payment costs, excluding vouchers)
– Number of products in the basket
– Produktnummern
– Product categories
– Size of the products
– Status as new or existing custome
– Payment method (invoice, cash on delivery, credit card, PayPal, iDeal)
– Whether or not a voucher has been used, voucher code, type and value
– Whether or not the user has subscribed to the newsletter
– Gender
Transient.

Google Analytics-Cookies

These cookies are used by the web analytics tool Google Analytics to capture and analyse user behaviour on our website in order to improve the website (see section B).

Name First party / third party Purpose and content Period of validity
_ga First party This cookie contains a unique visitor ID and is used to tell users apart. Persistent:
2 years.
_gid First party This cookie contains a unique visitor ID and is used to tell users apart. Persistent:
24 hours.
_gat First party This cookie is used to throttle the demand rate. Transient.
__utma First party This cookie stores the number of visits by every visitor and the date and time of the first visit, earlier visits and the current visit. Persistent:
2 years.
__utmt First party This cookie is used to throttle the demand rate. Transient.
__utmb First party This cookie is used to track how long a visitor spends on a website, i.e. when the visit starts and ends.

The cookie stores the time when a visitor accesses a page.
Transient.
__utmc First party This cookie is used to track how long a visitor spends on a website, i.e. when the visit starts and ends.

The cookie stores the time when a visitor leaves a page.
Persistent:
30 minutes.
__utmv First party This cookie stores the visitor category to which a user belongs. Persistent:
2 years.
__utmz First party This cookie stores the source or campaign which explains how a user has arrived on the website. Persistent:
6 months.
dw_dnt First party Controls client-side JavaScript for Commerce Cloud tracking features Session
__cq_dnt First party SFCC Reco Session
__cq_seg First party SFCC Reco predictive sorting 1 month
dwac_* First party Stores data for analytical purposes. Session

These cookies require your consent.

adnymics GmbH

Name First party / third party Purpose and content Period of validity
AWSALB third party The click and buying behaviour of users is analysed so a parcel insert containing personalised product recommendations can be generated for each user if an order is placed. 13 months
AWSALBCORS third party The click and buying behaviour of users is analysed so a parcel insert containing personalised product recommendations can be generated for each user if an order is placed. 13 months

Dynamic Yield- Cookies

Name First party / third party Purpose and content Period of validity
DYID First party The Dynamic Yield recommendation tool is used to optimise our website in order to make your visit to the site a personal experience through tailored recommendations and content. We use the page content the user has accessed to recommend comparable or related products or other content that may be relevant to them. Persistent:
720 days
DYSES First party The Dynamic Yield recommendation tool is used to optimise our website in order to make your visit to the site a personal experience through tailored recommendations and content. We use the page content the user has accessed to recommend comparable or related products or other content that may be relevant to them. Session
__cfduid First party The Dynamic Yield recommendation tool is used to optimise our website in order to make your visit to the site a personal experience through tailored recommendations and content. We use the page content the user has accessed to recommend comparable or related products or other content that may be relevant to them. Persistent:
365 days

I. Information on the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data:

· Right of access (Article 15 of the General Data Protection Regulation)
· Right to rectification (Article 16 of the General Data Protection Regulation)
· Right to erasure (“right to be forgotten”) (Article 17 of the General Data Protection Regulation)
· Right to restriction of processing (Article 18 of the General Data Protection Regulation)
· Right to data portability (Article 20 of the General Data Protection Regulation)
· Right to object (Article 21 of the General Data Protection Regulation)
· Right to withdraw consent (paragraph 3 of Article 7 of the General Data Protection Regulation)
· Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)
You may contact us for the purpose of exercising your rights using the contact information in Section A.

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Sections B to F of this Data Protection Information.

Below you will find more detailed information on your rights with regard to the processing of your personal data:

I. Right of access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in paragraph 1 of Article 15 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (points (a), (b) and (c) of paragraph 1 of Article 15 of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

II. Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

III. Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in paragraph 1 of Article 17 of the General Data Protection Regulation applies. This can be the case, for example, if personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed (point (a) of paragraph 1 of Article 17 of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (paragraph 2 of Article 17 of the General Data Protection Regulation).

The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in paragraph 3 of Article 17 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (points (b) and (e) of paragraph 3 of Article 17 of the General Data Protection Regulation).

You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

IV. Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in paragraph 1 of Article 18 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (point (1) of paragraph 1 of Article 18 of the General Data Protection Regulation).

Restriction means that stored personal data is marked with the goal of restricting their future processing (paragraph 3 of Article 4 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

V. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation or on a contract pursuant to point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation and the processing is carried out by automated means (paragraph 1 of Article 20 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation or on a contract pursuant to point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (paragraph 2 of Article 20 of the General Data Protection Regulation).

You can find the full extent of your right to limit processing in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VI. Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

1. Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of paragraph 1 of Article 6, including profiling based on those provisions.

You can find information as to whether an instance of processing is based on point (e) or (f) of paragraph 1 of Article 6 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data is processed for direct marketing purposes in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

Where an instance of processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation, as a data subject, you have the right, pursuant to paragraph 3 of Article 7 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

VIII. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

The supervisory authority responsible for us is the Data Protection Authority of Bavaria:

Bayerisches Landesamt For dataschutzaufsicht
Promenade 27 (Schloss), 91522 Ansbach
poststelle@lda.bayern.de
0981-53-1300

J. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

Detailliertere Informationen zu den wichtigsten in diesen dataschutzinformationen zugrunde gelegten Fachbegriffen der dataschutz-Grundverordnung erhalten Sie im Folgenden:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data subject” means the relevant identified or identifiable natural person to which the personal data refers;

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Third country” means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

K. Effective date of and changes to this Data Protection Information

The effective date of this Data Protection Information is 18 February 2019.

It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.

An up-to-date version of this Data Protection Information can be retrieved at any time at www.marc-o-polo.com.