Data Protection Information of MARC O’POLO Einzelhandels GmbH

In connection with the presentation, sale and marketing of our goods we, MARC O’POLO Einzelhandels GmbH, Hofgartenstraße 1, 83071 Stephanskirchen, Germany (“MARC O’POLO” or “we”), process personal data. This covers in particular:

· visitors to our website www.marc-o-polo.com

· customers of our Online Shop

· subscribers to our newsletter

· participants in our Customer Loyalty Programme MARC O’POLO MEMBERS

· subscribers to our mail advertising

· participants in our competitions.

The protection of personal data is important to us. We process personal data only in accordance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

A. Information on the controller

I. Identity and contact details of the controller

MARC O’POLO Einzelhandels GmbH
Hofgartenstraße 1, 83071 Stephanskirchen
E-Mail: service@marc-o-polo.de
Telephone: 00 800 10221022 (free service number)
Fax: +49 (0) 231 96677889

II. Contact details of the controller’s data protection officer

Hofgartenstraße 1, 83071 Stephanskirchen
Data Protection Officer
E-Mail: datenschutz@marc-o-polo.com
Telephone: 00 800 10221022 (free service number)

B. Information on the processing of personal data of users of our website www.marc-o-polo.com

I. Informational use of the website

When the use of the website is for informational purposes, certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the website content requested by you. To ensure the security of the IT infrastructure used to provide the website, this information is also stored temporarily in a so-called web server log file.

In order to provide the search functions of our website, data that you enter into our search functions is temporarily processed on our web server.

In order to provide the administrative functions for cookie consent for this website, data is temporarily processed on our web server in order to determine whether you have already given your consent the next time you visit the website. Data is also temporarily processed on our web server in order to provide the website’s language selection function, so that we can provide you with the contents of the website you have requested in the language of your choice.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
HTTP data Protocol data which accrues when visiting the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of six weeks, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Search function data Data that you enter into the search functions of our website.

This includes all information that you enter as search terms in the relevant search form on the website.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested content of the website.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of six weeks, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Cookie opt-in data Data we store for the management of cookie consents for this website.

This includes, in particular, your consent and, where applicable, your individual selection for the use of cookies on your device.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot take any cookie consents on this website into account.
We do not store this data on our systems on a longer-term basis, but only temporarily at the time of providing our website. Data is only stored on a longer-term basis locally in the user’s browser for a maximum of two weeks.
Language selection data Data stored to provide the language selection function.

This includes the language you have selected.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested contents of the website in the language of your choice.
We do not store this data on our systems on a longer-term basis, but only temporarily at the time of providing our website. Data is only stored on a longer-term basis locally in the user’s browser for a maximum of two weeks.
Purpose of processing the personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the website content requested by the user:

For this purpose, data is temporarily processed on our web server.
HTTP data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Providing the search functions of our website:

For this purpose, data that you enter into our search functions is temporarily processed on our web server.
Search function data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the search function of the website.
Hosting provider.
Providing the cookie consent management function for this website.

For this purpose, data is processed temporarily on our web server in order to identify, when the site is visited again, whether you have already given consent.
Cookie opt-in data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to manage the cookie consents given by the user for this website.
Hosting provider.
Provision of the website's language selection function:

For this purpose, data is temporarily processed on our web server in order to provide you with the contents of the website you have requested in the language of your choice.
Language selection data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the contents of the website accessed by the user in the language selected by the user.
Hosting provider.
Ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
HTTP data, search function data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
II. Use of web analysis technologies

We use the web analysis technologies Google Analytics and Metapeople Metalyzer to improve the website and better achieve the website’s objectives (e.g. to increase the number of page visits) and to calculate the compensation for advertising partners (affiliates). For this purpose we use cookies (Section H).

You will find more detailed information on this below:

Google Analytics

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Google Analytics HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web analysis tool Google Analytics is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.

In addition, links from our advertising partners to our website may contain certain parameters with which we can better identify where our users come from (e.g. identification numbers of certain advertising media or campaigns).
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out a web analysis by means of Google Analytics.
IP anonymisation is used on this website for the use of the web analysis tool Google Analytics. This means that the IP address transmitted via the browser for technical reasons is anonymised before being stored by shortening the IP address (by deleting the last octet of the IP address).

We store the other data for 38 months.
Google Analytics cookie data Data stored on the user’s device in cookies for the web analysis tool Google Analytics.

This includes a unique visitor ID for recognising returning visitors.

(Section H.III for more detailed information about the contents of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out a web analysis by means of Google Analytics.
38 months.

(Section H.III for information on the validity period of the cookies used.)
Google Analytics profile data Data generated by the web analysis tool Google Analytics and stored in pseudonym usage profiles.

This includes data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Google Analytics cookie data.
Generated by us. - 38 months.

Metapeople Metalyzer

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Metalyzer HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web analysis tool Metalyzer is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.

In addition, links from our advertising partners leading to our website may contain certain parameters with which we can better identify where our users come from (e.g. identification numbers of certain advertising media or campaigns).
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out a web analysis by means of Metalyzer.
IP anonymisation is used on this website for the use of the web analysis tool Metalyzer. This means that the IP address transmitted via the browser for technical reasons is anonymised before being stored by shortening the IP address (by deleting the last octet of the IP address).
Metalyzer cookie data Data stored on the user’s device in cookies for the web analysis tool Google Analytics.

This includes a unique visitor ID for recognising returning visitors and for example the following parameters: page type (e.g. thank you page after placing an order), order number, value of order, quantity of products ordered, currency, language, product numbers, product categories, size of products, payment method, discount, value of discount and gender.

(Section H.III for more detailed information about the contents of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out a web analysis through Metalyzer.
We do not save the cookies themselves on our systems, but the data contained in the cookies is fed into the Metalyzer profile data.

(Section H.III for information on the validity period of the cookies used.)
Metalyzer profile data Data generated by the web analysis tool Metalyzer and stored in pseudonym usage profiles.

This includes data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Metalyzer cookie data.
Generated by us. - We store the data until the purpose of processing of this data referred to below has been achieved.

Google Analytics and Metapeople Metalyzer

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Improvement of the website and further achievement of the objectives of the website (e.g. to increase the number of page visits) and calculating the compensation due to advertising partners (affiliates).

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on the website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to examine where users come from (e.g. from which advertising partner and which advertising campaign), which areas of the website they visit and how often and how long which subpages and categories are looked at. In this way we can improve our website by gearing it to our users’ needs, manage campaigns better and calculate the value of the compensation due to our advertising partners (affiliates).

For these purposes we use the following web analysis tools:

· Google Analytics, offered by Google

· Metalyzer, offered by Metalyzer

For these purposes, cookies of the web analysis tools are used.

(Section H.III for more detailed information about the purposes of the cookies used.)
For Google Analytics:
Google Analytics HTTP data,
Google Analytics cookie data,
Google Analytics profile data.

For Metapeople Metalyzer:
Metalyzer http data,
Metalyzer-cookie data,
Metalyzer profile data.
No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to improve the website, further achieve the objectives of the website (e.g. to increase the number of page visits) and calculate the compensation due to advertising partners (affiliates).
For Google Analytics:
Google LLC.

For Metapeople Metalyzer:
Metapeople GmbH.

Google Analytics

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA Processor USA Google is certified under the EU-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:
http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

Metapeople Metalyzer

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Metapeople GmbH

Philosophenweg 21, 47051 Duisburg, Germany
Processor EU -
III. Use of web tracking technologies and advertising networks

Upon your consent, we use web tracking technologies for the following purposes:

· conversion tracking, segmentation of visitors and evaluation of campaign performance

· targeted advertising messages to users of the website ((re-)targeting), including invoicing of ad placements with our retargeting partners

· participation by our website in various advertising networks (affiliate networks) in order to promote our products as well as possible, including presenting personalised advertising that is more tailored to the user’s interests and invoicing advertising campaigns with our advertising partners.

For this purpose we use cookie (Section H).

You will find more detailed information on this below:

Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Google Double Click HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Google Double Click is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking.
IP anonymisation is used on this website for the use of the Google web tracking tools. This means that the IP address transmitted via the browser for technical reasons is anonymised before being stored by shortening the IP address (by deleting the last octet of the IP address).
Google Double Click cookie data Data stored on the user’s device in cookies for the web analysis tool Google Double Click.

This includes a unique visitor ID with which Google can recognise returning visitors, but which we cannot associate with any visitor, and for example the following parameters: partner identification number of the advertising partner Google (e.g. thank you page after placing an order, detailed product page or basket), product numbers of the products accessed, order number and order value.

(Section H.III for more detailed information about the contents of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking.
We do not save the cookies themselves on our systems, but the data contained in the cookies is fed into the Google Double Click profile data (see below).

(Section H.III for information on the validity period of the cookies used.)

mediards

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
mediards cookie data Data that is stored in a cookie on the user’s device for advertising purposes.

The information collected includes the language setting for the website, product and order numbers, the order value, the currency setting and the URLs of the pages accessed.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking or provide the user with any personalised advertising.
1 year.

Awin

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Awin HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Awin is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Awin.
IP anonymisation is activated on this website for the use of the web tracking tool Awin. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address) before it is saved.

We do not store this data ourselves. Storage of this data is the responsibility of Awin. We do not know how long the data is stored.
Awin cookie data Data stored in cookies for the web tracking tool Awin on the user’s device.

This includes a unique ID with which Awin can recognise returning visitors, but which we cannot associate with any visitor, and for example the following parameters: partner identification number of the advertising partner Awin (e.g. thank you page after placing an order, detailed product page or basket), URL of the page(s) visited, product numbers/names/prices for the products accessed, number of products in basket, currency, order number and order value.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Awin.
The cookies themselves are not stored by us or by Awin. However, the data contained in the cookies is fed into the Awin profile data (see below).

(Section H.III for information on the validity period of the cookies used.)
Awin profile data Data generated by the web tracking tool Awin and stored in user profiles under a pseudonym.

This includes information on the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Awin cookie data.
Generated by Awin. - We do not store this data ourselves. Storage of this data is the responsibility of Awin. We do not know how long the data is stored.

Daisycon (only relevant for our Dutch Country Shop)

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Daisycon HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Daisycon is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Daisycon.
IP anonymisation is activated on this website for the use of the web tracking tool Daisycon. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address) before it is saved.

We do not store this data ourselves. Storage of this data is the responsibility of Daisycon. We do not know how long the data is stored.
Daisycon cookie data Data stored in cookies for the web tracking tool Daisycon on the user’s device.

This includes a unique ID with which Daisycon can recognise visitors, but which we cannot associate with any visitor, and for example the following parameters: partner identification number of the advertising partner Daisycon, page type (e.g. thank you page after placing an order, detailed product page or basket), order number and order value.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Daisycon.
The cookies themselves are not stored by us or by Daisycon. However, the data contained in the cookies is fed into the Daisycon profile data (see below).

(Section H.III for information on the validity period of the cookies used.)
Daisycon profile data Data generated by the web tracking tool Daisycon and stored in user profiles under a pseudonym.

This includes information on the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Daisycon cookie data.
Generated by Daisycon. - We do not store this data ourselves. Storage of this data is the responsibility of Daisycon. We do not know how long the data is stored.

Tracdelight

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Tracdelight HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Tracdelight is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Tracdelight.
IP anonymisation is activated on this website for the use of the web tracking tool Tracdelight. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address) before it is saved.

We do not store this data ourselves. Storage of this data is the responsibility of Tracdelight. We do not know how long the data is stored.
Tracdelight cookie data Data stored in cookies for the web tracking tool Tracdelight on the user’s device.

This includes a unique ID with which Tracdelight can recognise visitors, but which we cannot associate with any visitor, and for example the following parameters: partner identification number of the advertising partner Tracdelight, page type (e.g. thank you page after placing an order, detailed product page or basket), currency, order number and order value.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Tracdelight.
The cookies themselves are not stored by us or by Tracdelight. However, the data contained in the cookies is fed into the Tracdelight profile data (see below).

(Section H.III for information on the validity period of the cookies used.)
Tracdelight profile data Data generated by the web tracking tool Tracdelight and stored in user profiles under a pseudonym.

This includes information on the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Tracdelight cookie data.
Generated by Tracdelight. - We do not store this data ourselves. Storage of this data is the responsibility of Tracdelight. We do not know how long the data is stored.

Criteo

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Criteo HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Criteo is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Criteo.
IP anonymisation is activated on this website for the use of the web tracking tool Criteo. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address) before it is saved.

We do not store this data ourselves. Storage of this data is the responsibility of Criteo. We do not know how long the data is stored.
Criteo cookie data Data stored in cookies for the web tracking tool Criteo on the user’s device.

This includes a unique ID with which Criteo can recognise visitors, but which we cannot associate with any visitor, and for example the following parameters: partner identification number of the advertising partner Criteo, page type (e.g. thank you page after placing an order, detailed product page or basket), product numbers for the products accessed, number of products in basket, order number and order value.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Criteo.
The cookies themselves are not stored by us or by Criteo. However, the data contained in the cookies is fed into the Criteo profile data (see below).

(Section H.III for information on the validity period of the cookies used.)
Criteo profile data Data generated by the web tracking tool Criteo and stored in user profiles under a pseudonym.

This includes information on the use of the website, in particular page visits, frequency of visits and time spent on the pages visited as well as where the visitor comes from (i.e. through which advertising partner/advertising campaign a user came to the website), allocating it to a unique visitor ID of the relevant user contained in the Criteo cookie data.
Generated by Criteo. - We do not store this data ourselves. Storage of this data is the responsibility of Criteo. We do not know how long the data is stored.

Escome Container (conversion tracking by Adition, Appnexus and Facebook)

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Esome HTTP data Protocol data which accrues when the web tracking tools Adition, Appnexus and Facebook implemented on the website via the Esome Container are used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking.
IP anonymisation is activated on this website for use of the web tracking tools Adition, Appnexus and Facebook implemented on the website via the Esome Container. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address).

The other protocol data is deleted after a year at the latest.
Esome cookie data Data that is stored in cookies on the user’s device for the web tracking tools Adition, Appnexus and Facebook implemented on the website via the Esome Container.

This includes a unique ID for recognising returning visitors.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking.
The cookies themselves are not stored by us or by providers of the web tracking tools. However, the data contained in the cookies is fed into the Esome profile data (see below).

(Section H.III for information on the validity period of the cookies used.)
Esome profile data Data that is generated by the web tracking tools Adition, Appnexus and Facebook implemented on the website via the Esome Container and stored in user profiles under a pseudonym.

This includes information on the use of the website, in particular page visits, frequency of visits and time spent on the pages visited.

The information is saved in separate profiles for the data collected via the web tracking tools Adition, Appnexus and Facebook.
Generated by us. - Deleted after a year at the latest.

Dynamic Yield

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Dynamic Yield HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the web tracking tool Dynamic Yield is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Dynamic Yield.
IP anonymisation is activated on this website for use of the web tracking tool Dynamic Yield. This means that the IP address transmitted by the browser for technical reasons is made anonymous by shortening the IP address (by deleting the last octet of the IP address) before it is saved.

We do not store the other data. It is only saved in the user’s browser in Dynamic Yield cookies (see below Dynamic Yield cookie data).
Dynamic Yield cookie data Data stored in cookies for the web tracking tool Dynamic Yield on the user’s device.

This includes details of the types of page visited by the user (e.g. thank you page after placing an order, detailed product page or basket), product numbers for the products accessed, number of products in basket.

(Section H.III for more detailed information about the purposes of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out any web tracking by means of Dynamic Yield.
We do not store either the cookies themselves or the information contained in the cookies.

(Section H.III for information on the validity period of the cookies used.)

Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Conversion tracking:

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on the website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to measure the effectiveness with which a targeted group is motivated to carry out desired actions.

For these purposes we use the web tracking tool Google Double Click provided by Google.

For these purposes cookies of the web tracking tool are used.

(Section H.III for more detailed information about the purposes of the cookies used.)
Google Double Click HTTP data, Google Double Click cookie data, Google Double Click profile data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Google LLC
(Re-)targeting users of the website through advertisements.

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised on our website and the websites presenting adverts from our advertising partner Google (the “Publisher”) and on Google’s own websites. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

For these purposes we use the web tracking tool Google Double Click provided by Google.

For these purposes cookies of the web tracking tool are used.

(Section H.III for more detailed information about the purposes of the cookies used.)
Google Double Click HTTP data, Google Double Click cookie data, Google Double Click profile data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Google LLC

mediards

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
(Re-)targeting users of the website through advertisements.

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised on our website and the websites presenting adverts from our advertising partner mediards (the “Publisher”) or another website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

In addition to this, the data collected is used for predictive targeting. For this purpose, mediards calculates statistical twins between the user and their preferences in order to draw their attention to our website and to products that may be especially interesting for them.

For these purposes we use the web tracking tool tr.mediards.com provided by mediards GmbH.

For these purposes cookies of the web tracking tool are used.

(Section H.III for more detailed information about the purposes of the cookies used.)
mediards cookie data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). mediards GmbH.

Participation in the advertising networks of Awin, Daisycon (only relevant for our Dutch Country Shop) and Tracdelight

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Participation by our website in various advertising networks (affiliate networks) in order to promote our products as well as possible, including presenting personalised advertising tailored to the user’s interests and invoicing the advertising campaigns with our advertising partners:

We participate in the advertising networks of the following advertising partners:

· Awin (formerly Affilinet)

· Daisycon (only for the Dutch Country Shop of our website)

· Tracdelight

Tracking pixels of our advertising partners are implemented in our website for the participation of our website in the relevant advertising network. For these purposes cookies of our advertising partners are also used. (Section H.III for more detailed information on the purposes of the cookies used.)

Tracking pixels allow our advertising partners to collect information about the activities of users of our website.

The information gained is used to evaluate the adverts which lead from the relevant advertising partner to our website so that it can measure in pseudomised form the number of times our website is accessed via these adverts for invoicing purposes.

In addition, our advertising partners record the behaviour of users on our website and analyse this behaviour in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on our website and other websites participating in the relevant advertising network. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to determine the user’s interests on the basis of their surfing behaviour in order to allocate the user to certain advertising target groups. In this way, the advertising partners are able to present the users with personalised advertising that is more tailored to the user’s interests and therefore more interesting.

The relevant advertising partners are jointly responsible with us under data protection law for the processing of personal data in this context. For information from our advertising partners on the processing of personal data, we additionally refer to their data protection information:

https://www.awin.com/de/rechtliches/privacy-policy-DACH
https://www.daisycon.com/de/datenschutzhinweis/
https://www.tracdelight.io/datenschutz/

We will be happy to provide you with the main points of the agreement between us and the other controllers upon request (for contact details see Section A.I.).
For Awin:
Awin HTTP data,
Awin cookie data,
Awin profile data.

For Daisycon:
Daisycon HTTP data,
Daisycon cookie data,
Daisycon profile data.

For Tracdelight:
Tracdelight HTTP data,
Tracdelight cookie data,
Tracdelight profile data.
No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). For Awin:
AWIN AG

For Daisycon:
Daisycon B.V.

For Tracdelight:
tracdelight GmbH

Criteo

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
(Re-)targeting users of the website through advertisements, including invoicing the placing of advertisements with our advertising partner Criteo.

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised on our website and the websites presenting adverts from our retargeting partner Criteo (the “Publisher”). Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product (e.g. by looking at a product or placing a product in the basket) to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

For these purposes we use the web tracking tool Criteo Pixel offered by Criteo AG.

The information gained via Criteo Pixel is also used by Criteo to evaluate the adverts which lead via Criteo to our website so that Criteo can measure in pseudomised form the number of times our website is accessed via these adverts for invoicing purposes.

For these purposes cookies of the web tracking tool are used. (Section H.III for more detailed information about the purposes of the cookies used.)

Criteo is also jointly responsible with us under data protection law for the processing of personal data in this context. For information from Criteo on the processing of personal data, we additionally refer to their data protection information: https://www.criteo.com/de/privacy/

We will be happy to provide you with the main points of the agreement between us and Criteo upon request (for contact details see Section A.I.).
Criteo HTTP data,

Criteo cookie data,

Criteo profile data.
No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Criteo SA

Escome Container (conversion tracking via Adition, Appnexus and Facebook)

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Conversion tracking, segmentation of visitors and evaluation of campaign performance:

For conversion tracking purposes, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised again on the website. Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to measure the effectiveness with which a targeted group is motivated to carry out desired actions. For these purposes we use the web tracking tools provided by Adition, Appnexus and Facebook which we embed in our website using the tag manager of our advertising partner Esome. Adition, Appnexus and Facebook process data for the provision of the tool on our behalf.

For these purposes cookies of the web tracking tools are used. (Section H.III for more detailed information about the purposes of the cookies used.)
Esome HTTP data,

Esome cookie data,

Esome profile data.
No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Esome advertising technologies GmbH

For Adition:
Adition technologies AG,
Active Agent AG

For Appnexus:
AppNexus Inc.

For Facebook:
Facebook Ireland Limited

Dynamic Yield

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
(Re-)targeting users of the website through advertisements.

For this purpose, the behaviour of users on our website is recorded and analysed in pseudonymised form. Users of the website are marked in pseudonymised form so that they can be recognised on our website and the websites presenting adverts from our retargeting partner Dynamic Yield (the “Publisher”). Pseudonymised usage profiles are created from this information. The pseudonymised usage profiles are not combined with data regarding the bearer of the pseudonym. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

For these purposes we use the web tracking tool provided by Dynamic Yield.

For these purposes cookies of the web tracking tools are used.

(Section H.III for more detailed information about the purposes of the cookies used.)
Dynamic Yield HTTP data,

Dynamic Yield cookie data
No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Dynamic Yield

Google Double Click / Google Ads Conversion Pixel / Google Ads Remarketing

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Google LLC

1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Processor USA Google is certified under the EU-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:
http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

mediards

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
mediards GmbH

Im Mediapark 8, 50670 Cologne, Germany
Processor EU -

Awin

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
AWIN AG

Eichhornstraße 3, 10785 Berlin, Germany
(Joint) controller EU -

Daisycon (nur relevant für unseren niederländischen Länder-Shop)

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Daisycon B.V.

Alnovum Gebäude, P.J. Oudweg 5, 1315 CH Almere, Netherlands
(Joint) controller EU -

Tracdelight

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
tracdelight GmbH

Arabellastraße 23, 81925 Munich, Germany
(Joint) controller EU -

Criteo

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Criteo SA

32 Rue Blanche, 75009 Paris, France
(Joint) controller EU -

Escome Container (Conversion Tracking über Adition, Appnexus und Facebook)

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Esome advertising technologies GmbH Processor EU -
Adition technologies AG, Oststrasse 55, 40211 Düsseldorf and its sub-contractors

Active Agent AG, Ellen-Gottlieb-Strasse 16, 79106 Freiburg
Processor EU -
AppNexus Inc., 28 W. 23rd Street, New York, New York, 10010, USA Processor USA Appnexus is certified under the EU-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000GnlTAAS&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:
http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.
Facebook Ireland Limited, 4 GRAND CANAL SQUARE, D2 Dublin, Ireland Processor EU -

Dynamic Yield

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Dynamic Yield

Prinzessinnenstraße 8-14, 10969, Berlin
Processor EU -
IV. Use of the Facebook Pixel

Upon your consent, we will use the so-called Facebook Pixel. For this purpose, cookies provided by Facebook (Section C)are used.

The Facebook Pixel enables Facebook to collect information about the activities of users of our website. The information gained is used to evaluate the effectiveness of our Facebook ads and to form target audiences for our Facebook ads. In addition, Facebook may use the information for its own purposes or for the purposes of third parties, for example for creating target groups for other advertisement clients.

By integrating the Facebook Pixel we enable Facebook to collect personal data. Facebook is responsible for collecting and processing this data. Facebook provides us with evaluations or further information based on the data collected only in aggregated, anonymised form. We cannot associate the information provided to us with any natural person. We have no knowledge of the details of the processing of personal data within Facebook’s area of responsibility. For information about Facebook’s processing of personal information, please see Facebook’s Privacy Policy: https://www.facebook.com/about/privacy/.

You will find more detailed information on the use of the “Facebook Pixel” below:

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage duration
Facebook Pixel HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the Facebook Pixel on our website is used.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible.
We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. Facebook stores this data for six months.

(Section H.III for information on the validity period of the cookies used.)
Facebook Pixel cookie data Data which is stored in cookies on the user’s device for the Facebook Pixel.

This includes, in particular, a unique visitor ID for recognising returning visitors.

In addition, we record the following information in the cookies via our data layer which help Facebook to present the right advertising media to the user concerned:

· order value
· products purchased (product IDs)
· products viewed (product IDs)
· products searched for (product IDs)
· page type (which page the user was on, e.g. category or thank you page, detailed product page or search results).

(Section H.III for more detailed information about the contents of the cookies used.)
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible or only possible to a limited extent.
We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration.

(Section H.III for information on the validity period of the cookies used.)
Facebook Pixel event data Data that Facebook collects through the Facebook Pixel.

This includes actions that take place on the website (known as events). These include, for example, completing a purchase or a registration, the addition of payment information, initiating the checkout process, adding objects to the basket, adding them to wish lists, performing searches, and viewing content.

This also includes information related to the actions recorded in each case (known as “parameters”). These include, for example, the value and currency in which purchases are made.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible or only possible to a limited extent.
We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration.
Facebook Pixel analysis data Data that Facebook generates based on the information collected by the Facebook Pixel.

This includes information about the effectiveness of Facebook ads and user allocation to target groups for Facebook ads.

Facebook may use the information collected to generate additional information for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by Facebook.
Independently generated by Facebook. - Facebook provides us with evaluations or further information based on the data collected only in aggregated, anonymised form. We cannot associate the information provided to us with any natural person.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Evaluation of the effectiveness of our Facebook ads and creation of target groups for our Facebook ads:

The “Facebook Pixel” records actions that users perform on our website (e.g. completing a purchase) and reports these actions to Facebook. If you are registered with a Facebook service, Facebook may be able to associate a visit with your account. It is possible that Facebook will find out and save your IP address and other identifying features even if you are not registered with Facebook or not logged on.

Based on the information collected by Facebook, Facebook provides us with aggregated, anonymised measurement results for our Facebook ads. In particular, this enables us to know whether users who receive our Facebook advertisements execute certain actions on our website, such as making a purchase (known as “conversions”).

In addition, Facebook will allow us to reach people who have visited our website or performed a specific action on our website within six months of their last visit on the basis of information collected by Facebook again via Facebook ads and to optimise our types of target groups (“audiences”). Such ads may be shown to the users of our website when they visit the social network Facebook or other websites which also use this method.

Facebook provides us with evaluations or further information based on the data collected only in aggregated, anonymous form. We cannot associate the information provided to us with any natural person. Facebook is responsible for the collection and processing of personal data. We have no knowledge of the details of the processing of data in Facebook's area of responsibility.
Facebook Pixel HTTP data, Facebook Pixel cookie data, Facebook Pixel event data, Facebook Pixel analysis data. We do not make automated decisions in our area of responsibility.

We have no knowledge of the details of the processing of data in Facebook’s area of responsibility, in particular of any automated decision-making.
Legal basis for the enablement of collecting personal data through our website by Facebook:

Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent).

We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in Facebook’s area of responsibility, in particular of the legal basis used by Facebook for the processing.
Facebook Inc.
Evaluation of activities of users of our website for use for Facebook’s own purposes or for the purposes of third parties:

Facebook may also use the information collected via “Facebook Pixel” for its own purposes or for the purposes of third parties, for example to create target groups for other advertisement clients.

Facebook is responsible for the collection and processing of personal data. We have no knowledge of the details of the processing of data in Facebook's area of responsibility.
Facebook Pixel HTTP data, Facebook Pixel cookie data, Facebook Pixel event data, Facebook Pixel analysis data. We do not make automated decisions in our area of responsibility.

We have no knowledge of the details of the processing of data in Facebook’s area of responsibility, in particular of any automated decision-making.
The legal basis enabling the collection of personal data through our website by Facebook:

Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent).

We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in Facebook’s area of responsibility, in particular of the legal basis used by Facebook for the processing.
Facebook Inc.
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Facebook:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA
Controller regarding the collection and processing of personal data through the Facebook Pixel. USA Facebook is certified under the EU-US Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016D1250.
V. Use of online contact forms

We offer you the possibility on the website to contact us using contact forms. We process the information provided by you in the contact forms to process your request, for example regarding the availability of certain articles. Where applicable, we also store the information for evidence purposes for any establishment, exercise or defence of legal claims or in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

When the contact forms on our website are used certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the contact forms on our website and to ensure the security of the IT infrastructure used to provide the contact form.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Contact form HTTP data Protocol data which accrues via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the contact forms on our website are accessed.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Contact form data Data you provide us with in contact forms on the website.

This includes the information provided to us in the relevant website contact form, in particular your name, date of birth, address, telephone number, email address and the content of your request.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot process your request.
Data is stored until your request has been dealt with.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO, section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the contact forms on the website.

For this purpose, HTTP data is processed temporarily on our web server.
Contact form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Ensuring the security of the IT infrastructure used for the provision of the contact forms, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Contact form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used to provide the contact form, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).
Hosting provider.
Processing your request. Contact form data. No automated decision-making takes place. If your request concerns a contract to which you are party or the performance of pre-contractual measures:

Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract).

Otherwise:

Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

In this case, our legitimate interest is to process your request.
Customer service provider.
Storage and processing for evidence purposes for any establishment, exercise or defence of legal claims. Contact form data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Customer service provider.
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch– HGB)).
Contact form data. No automated decision-making takes place. Point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation (compliance with a legal obligation). Customer service provider.
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Hosting provider

(currently: arvato direct services Dortmund GmbH, Schleefstr. 1, 44287 Dortmund, Germany)
Processor EU -

C. Information on the processing of personal data of the customers of our Online Shop

On our website you have the possibility to use our MARC O’POLO online shops, which are available in different country versions through country-specific URLs (e.g. for Germany under www.marc-o-polo.com/de-de/) (the “Country Shops”). You will find a list of the individual Country Shops in Part A, clause 1.1 of our T&Cs. The Country Shops are referred to jointly below as “Online Shop”.

We process various personal data, for example the data you communicate to us in your order form, in order to provide various functions in our Online Shop, to enter into, fulfil and reverse sales contracts, to send emails containing advertising for our own similar products under the conditions set out in section 7(3) German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), ensure the security of the IT infrastructure used to provide the Online Shop, manage and assert claims for payment, provide the review function, conduct a fraud credit check during and after you have completed your order, carry out customer surveys for market research purposes and evidence purposes and meet statutory retention obligations.

You can place orders in our Online Shop “as a guest” or alternatively through a customer account. In our customer shop for Germany, use of our customer account is exclusively limited to participants in our Customer Loyalty Programme MARC O’POLO MEMBERS. The details on processing of personal data of participants in the Customer Loyalty Programme, including use of the customer account, are described in Section E of this Data Protection Information.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
HTTP data Protocol data which accrues when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Basket data Data on the products you place in the basket of the Online Shop.

This includes article description, article number, quantity, size, colour, price and currency.
Users of the Online Shop. Provision of the data is required for a purchase. There is no obligation to provide the data.

If the data is not provided, you will not be able to purchase any articles in our Online Shop.
Before an order is completed:
We do not store this data on our systems on a longer-term basis, but only temporarily at the time of providing our website (e.g. to show the contents of a basket). It is stored on a temporary basis locally in the user’s browser for the duration of the user’s session.

After an order is completed:
Data is saved until your order has been processed in full, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Contact details Data you provide us with during the order process so that we can contact you in order to process your order.

This can include above all the following information: title, surname, first name, postal address, telephone number and email address.
Users of the Online Shop. The provision of the data described in the order process as required is necessary to be able to enter into a contract. There is no obligation to provide the data.

If the data is not provided, it is not possible to enter into a contract.
Data is saved until your order has been processed in full, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Shipping data Data you provide us with during the order process for the delivery of the articles you order.

This includes the shipment method selected, where applicable, and any delivery address you have specified which is different from the billing address.
Users of the Online Shop. Provision of the data is required for a purchase. There is no obligation to provide the data.

If the data is not provided, you will not be able to purchase any articles in our Online Shop.
We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Payment data Data you provide us with to pay for the articles you order. This depends on which payment method you select.

Depending on the payment method, this covers for example your IBAN number, BIC numbers or billing address.
Users of the Online Shop The provision of the data described in the order process as required is necessary to be able to enter into a contract. There is no obligation to provide the data.

If the required information is not provided, you will not be able to enter into a contract.
Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Order data Information about your order.

This includes information on the articles purchased (article description, price, currency, order number), store version used, date and time of purchase, payment method selected and shipment method, and status of your order.
Generated by us. - Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Receivables data Data we process for managing our claims for payment in our internal accounts receivable management system.

This includes in particular information on currently outstanding items, incoming payments, dunning levels, ongoing collection processes and returns.
Payment service providers, debt collection agencies, generated by us. - Data is saved until your order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Transaction email data Information from transaction emails which we send in order to process/reverse your order (e.g. order acknowledgements).

This includes the content and time of the transaction emails.
Generated by us. - Data is saved until your order has been fully processed. This also includes possibly reversing the order.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Order and return values Any reasons for return specified in a return. Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot take into account the reasons for the return when calculating and assessing the return rate.
We do not store the reasons for a return on our systems.

We store the return rate for 24 months.
Order and return values Order value and prices of the returned goods and the contact details used by you, which we need for determining your return rate.

To calculate your return rate, we determine the percentage share of your returns on the basis of the total order value which you have generated as a whole from orders in our Online Shop.
Generated by us. - We do not store the reasons for a return on our systems.

We store the return rate for 24 months.
Review data Information which you provide to us when reviewing products.

This includes your email address and a user name which you are free to choose.
Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the site’s review function.
Data is stored as long as your review is shown on our website.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Creditworthiness data Information on the creditworthiness of our customers. This includes in particular the credit reports provided by credit reference agencies based on data in the insolvency and debtors’ registers at the local courts (Amtsgerichte) and registrations of payment behaviour that is in breach of contract by creditors and creditors’ representatives. Credit reference agencies. - We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Creditworthiness data This also includes information generated by us about the timely settlement of our claims and knowledge we have gained from previous fraud and credit checks, such as limits set for your purchases. Generated by us. - We store the data until you order has been fully processed, i.e. until the goods are shipped.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Market research data Information we collect in connection with customer surveys for market research purposes, in order to analyse in particular customer satisfaction and the contents of our product range in pseudonymised form. Users of the Online Shop. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of our online shop functions on the website.

For this purpose, HTTP data is temporarily processed on our web server.
HTTP data, basket data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Completion and fulfilment of sales contracts entered into via the Online Shop.

DieThis includes in particular processing payments, delivering the goods ordered by you and sending transaction emails in order to inform you about the status of your order.
Basket data, contact details, shipping data, payment data, order data, transaction email data. No automated decision-making takes place. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Hosting provider, Arvato Distribution, parcelLab, system and service mail service provider, delivery service provider, payment service providers.
Carrying out a fraud and credit check before fulfilling your order in order to avoid the risk of a payment default as far as possible. We decide on the basis of mainly automated checks whether we can offer you payments methods and which ones, and/or the extent to which we can fulfil your order to the desired extent.

The fraud and credit check is performed by informa Solutions GmbH (part of Arvato Financial Services, Rheinstraße 99, 76532 Baden-Baden) on our behalf (“informa Solutions”).
Contact details, basket data, shipping data, order data, accounts receivable data, order and return values and creditworthiness data. Automated decision-making takes place based on the following logic:

The fraud and credit check begin when you enter your contact and shipping details and click on “Next”, before we show certain payment methods for your order.

informa Solutions checks on the basis of predefined rules whether fulfilment of the order entails a risk of payment default, meaning that only secure payment methods should be offered, i.e. no purchase on account.

For this purpose, informa Solutions first checks your contact and delivery details to verify your age and your contact and delivery details and whether the specified address(es) are correct.

In addition, informa Solutions analyses the number and values of the orders over a certain time period. It checks in particular the extent to which your contact and delivery details were used for previous orders, for example whether different email addresses were used for the same billing address within a short period of time. In addition, informa Solutions checks the information generated by us regarding timely settlement of our payment claims and knowledge we have gained from previous fraud and credit checks, such as limits set for your purchases. informa Solutions examines in particular whether the maximum configured order limit is reached, checks your return rate generated from the order and return values and calculates from our accounts receivable data whether and to what value outstanding items, dunning levels or ongoing collection processes exist.

To calculate your return rate, we determine the percentage share of your returns on the basis of the total order value you have generated as a whole from orders in our online shop.

In addition, informa Solutions obtains a credit report from a credit reference agency and transmits your contact and shipping data to the agency for this purpose. The credit report contains a score which is calculated on the basis of a scientifically recognised mathematical-statistical method and can be used to assess the credit risk.

On the basis of the score provided by the credit reference agency and the other checks described above, informa Solutions assesses the payment default risk. informa Solutions then sends the results of the fraud and credit check to us in automated form, which we interpret on the basis of default rules and determines which payment methods we show in the next step of the order process.
Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to reduce the risk of a payment default as far as possible.
informa Solutions, credit reference agency.
Carrying out a fraud check after you have completed your order.

Depending on the result of the automated fraud and credit check described above and before fulfilment of the order, informa Solutions additionally carries out a manual fraud check on our behalf upon completion of the order, i.e. after you click on “BUY”, for certain orders.

We have defined rules for selecting the orders we check manually in order to automatically select all orders on the basis of predefined criteria. The criteria for manual checks are in particular the specific payment method selected, the value of the order, your place of residence or the total order value during the last 168 hours using the same contact and shipping data.

During the manual fraud check informa Solutions checks whether an increased suspicion of fraud should be presumed to exist in the specific case, taking into account (apart from our internal data) information from publically accessible sources such as Yellow Pages or publically accessible websites. Taking into account informa Solutions’ recommendation, we either approve the order or decide to cancel the order in individual cases.
Contact details, basket data, shipping data, order data, accounts receivable data, order and return values, creditworthiness data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests). Our legitimate interest is to reduce the risk of a payment default as far as possible. informa Solutions.
Sending emails containing advertising for similar products to customers who have given us their email address during an order in the Online Shop and who have been clearly informed when their email address was collected that they can object to this use of their email address at any time, without any costs arising beyond the basic cost of transmission. We also point out this right to object again every time we use the email address, i.e. in every email containing product recommendations.

We use the information about your previous purchases which is contained in the transaction email data for the promotion of similar products in order to ensure that you only receive advertising which is suited to your interests.
Contact details, transaction email data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to use the email address for direct advertising for our own similar articles under the conditions of section 7(3) German Act Against Unfair Competition.
Cheetah Digital.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the contents of our product range. Market research data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to further develop and improve our product range. Survey agency
Ensuring the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

For this purpose, data is temporarily stored and processed in log files on our web server.
HTTP data, basket data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Managing and asserting our claims for payment. Contact details, accounts receivable data. No automated decision-making takes place. Point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation (compliance with a legal obligation). Debt collection agency.
Reversing sales contracts in the event of a cancellation or other reasons for reversing orders. Contact details, shipping data, payment data, order data, transaction email data, accounts receivable data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to reverse sales contracts.
Delivery service provider.
Provision of the review function.

For this purpose, the details entered by you and your review will be checked and, once they have been successfully verified, published on our website. The review will be shown exclusively under the user name chosen by you.

We will inform you by email that your review has been published.
Review data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the function of the website requested by the user.
Hosting provider.
Storing and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. HTTP data, contact details, payment data, order data, basket data, shipping data, transaction email data, accounts receivable data, creditworthiness data, review data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Hosting provider.
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch– HGB)).
Contact details, payment data, order data, basket data, shipping data, transaction email data, accounts receivable data, review data. No automated decision-making takes place. Point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation (compliance with a legal obligation). Hosting provider.
Recipient Recipient’s location Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Payment service provider Controller EU -
Delivery service provider Controller EU -
parcelLab GmbH

Schillerstr. 23a, 80336 Munich, Germany
Processor EU -
Arvato Distributions GmbH

An der Autobahn 22, 33333 Gütersloh, Germany
Processor EU -
informa Solutions GmbH

part of Arvato Financial Services
Rheinstraße 99, 76532 Baden-Baden
Processor EU -
Credit reference agency

(currently: Infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden, Germany)
Controller EU -
Debt collection companies

(currently: Germany and Netherlands: InFoScore, Forderungsmanagement GmbH & Co. KG, Rheinstraße 99, 76532 Baden-Baden
Processor EU -
Austria: infoscore austria GmbH, Weyringergasse 1, 1040 Vienna Processor EU -
Switzerland: infoscore Inkasso AG, Ifangstrasse 8, 8952 Schlieren) Processor Switzerland Adequacy declaration of the EU Commission for personal data in Switzerland: http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32000D0518&from=DE
Cheetah Digital Germany GmbH,

Speditionsstraße 1, 40221 Düsseldorf, Germany
Processor EU -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland)
Processor Dublin (Ireland) - European Union (EU) -

D. Information on the processing of personal data of subscribers to our email newsletter

We offer you the possibility on the website to sign up for our email newsletter. The newsletter informs you about new outfits and current product trends as well as our special events, special offers and competitions.

When you sign up for our email newsletter, certain information is collected, for example your email address. We process this information to confirm your subscription and to provide the email newsletters. Apart from this, we store this data for evidence purposes for the establishment, exercise or defence of any legal claims. If you also take part in customer surveys, we will process the data collected in the survey for market research purposes.

When the subscription and unsubscription forms for our newsletter on the website are used, certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the subscription and unsubscription forms for our newsletter on our website.

You will find more detailed information on this below:

Purpose of the processing of personal data Categories of personal data processed Sources of the data Obligation to provide the data Storage data
Newsletter form HTTP data Protocol data which accrues when you access the form to sign up for and cancel our newsletter on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Newsletter subscriber data Data that we collect for subscription to our newsletters.

This includes the following details: email address, first name and surname and, where appropriate, whether you would like to receive newsletters with content for women or men.
Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any newsletters.
We store this data for as long as you are signed up to for our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Newsletter opt-in data Protocol data which accrues for technical reasons when you sign up for and cancel the newsletter.

This includes the data and time you sign up for the newsletter, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address for confirming the device used, and the date and time of any cancellation of the newsletter.
Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to provide you with newsletters.
We store this data for as long as you are signed up to our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Market research data Information which we collect in connection with customer surveys for market research purposes in order to analyse the satisfaction of our customers in pseudonymised form and improve the contents of our product range. Newsletter subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out and surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the form to sign up for and cancel our newsletter on the website:

For this purpose, data is temporarily processed on our web server.
Newsletter form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider, email newsletter provider, system and service mail provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Newsletter form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider, email newsletter provider, system and service mail provider.
“Double opt-in” to confirm the subscription:

For this purpose, we send an e-mail message containing a request to confirm the email address specified when subscribing. A subscription only becomes effective once the subscriber confirms their email address by accessing the confirmation link contained in the email.
Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the legally conclusive documentation of your consent to receipt of the newsletter.
System and service mail provider.
Sending the newsletter to the email address specified by the newsletter subscriber. The newsletter contains information about products and services of MARC O’POLO Einzelhandels GmbH (e.g. Clothing, Shoes & Accessories, Bags, Junior, Living or the MARC O’POLO MEMBERS programme including cross-channel services), also covering information on current product trends, special events, invitations to take part in customer surveys, special offers or competitions. We use your name to address you personally and to determine gender-specific contents in our email newsletter. Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Email newsletter provider, communications agency.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the contents of our product range. Market research data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to further develop and improve our product range. Survey agency.
Storing and processing for evidence purposes for the possibly establishment, exercise or defence of legal claims. Newsletter subscription data, newsletter opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Email newsletter provider, system and service mail provider.
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce (Salesforce.com, inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States).
Auftragsverarbeiter. USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Email newsletter provider

(currently: Cheetah Digital Germany GmbH, Speditionsstraße 1, 40221 Düsseldorf, Germany)
Processor Germany (EU) -
System and service mail provider

(currently: Amazon SES, Amazon Web Services EMEA SARL, 5 rue Plaetis, Luxembourg, L-2338, Luxembourg)
Processor Luxembourg (EU) -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland)
Processor Dublin (Ireland) - European Union (EU) -
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -

E. Information on the processing of personal data of the participants in the Customer Loyalty Programme

We operate the Customer Loyalty Programme MARC O’POLO MEMBERS (the “Customer Loyalty Programme”). In connection with the operation of the Customer Loyalty Programme we process personal data of the programme’s participants, in particular to provide the web applications in the Online Shop in which participants can provide their data in order to sign up for the Customer Loyalty Programme, to perform the double opt-in process, to operate a customer database, to provide the Customer Loyalty Programme services described in Part C of the T&Cs and on the website, to carry out customer surveys, to send advertising content by post, to send programme-related communications by post, email or telephone, to ensure IT security in the Online Shop and for evidence purposes or to meet statutory retention obligations. We also process your data in order to send personalised advertising content to the communication channels selected by you, for a personalised analysis of your affinity to MARC O’POLO products and to show personalised banner advertising if you have consented to this.

Bricks-and-mortar stores which are run by us or our sales partners take part in the Customer Loyalty Programme (participating bricks-and-mortar stores referred to jointly below as “Bricks-and-Mortar Stores”). A list of current Bricks-and-Mortar Stores can be found in our store finder under www.marc-o-polo.com/stores. You can look for the nearest stores at a specified location or post code here. We mark the Bricks-and-Mortar Stores which take part in the Customer Loyalty Programme in the list of your search results in the store finder with graphic icons. The Country Shop in Germany operated by us also takes part in the Customer Loyalty Programme and is available on the website www.marc-o-polo.com/de-de/ or on the devices in the Bricks-and-Mortar Stores (the version of the German Country Shop available on the devices in the Bricks-and-Mortar Stores is referred to below as the “store version”). The Bricks-and-Mortar Stores and the German Country Shop, including the store version, are also referred to jointly as “Participating Stores”.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of data Obligation to provide the data Storage data
Customer master data Required data that you specify when registering for the Customer Loyalty Programme: title, first name, surname, date of birth, postal address, email address and password. If you have been given a provisional customer card (“pre-card”) in a Bricks-and-Mortar Store, this also includes: customer card number and Bricks-and-Mortar Store through which you provisionally registered. Participants in the Customer Loyalty Programme. Provision of the customer master data is required in order to take part in the Customer Loyalty Programme.

If these required details are not provided, you will not be able to take part in the Customer Loyalty Programme.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Customer master data We will save the Bricks-and-Mortar Store where you registered for the Customer Loyalty Programme as your “favourite store” in your customer account.

We also determine your nearest Bricks-and-Mortar Store and nearest factory outlet on the basis of your postal address and store them in our customer database.

In addition, we allocate a personal membership number to every participant in the Customer Loyalty Programme.
Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Email opt-in data Protocol data which accrues for technical reasons when managing your consent to the receipt of email advertising.

This includes the date and time of subscription for email advertising, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address of the device used to confirm, and the date and time of any cancellation of the email advertising.
Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to provide you with email advertising.
We store this data for as long as you are signed up to email advertising or our newsletter.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Registration protocol data Protocol data which we collect when you register for the Customer Loyalty Programme. This includes: country, language used, date of your registration and the Participating Store where you registered. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
Participant’s details Information which the participant specifies in their customer account or when placing orders in the German country store. This includes your contact details (first name and surname), your telephone number, your date of birth, your email address, the delivery and billing addresses and payment methods you use, your preferred communication channels and advertising content, your favourite store, your statement on whether you would like to collect points as part of the Customer Loyalty Programme and the wish list you have compiled in the German country store. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If this data is not provided, we cannot provide certain functions of the customer account and cannot individualise our advertising content on the basis of your participant’s details.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Purchase history Information on your purchases, if you identify yourself as a participant in the Customer Loyalty Programme in a Bricks-and-Mortar Store or identify yourself as a participant in the German country store by entering your log-in details. This includes details of the articles purchased (article description, article number, number, size, colour, price, currency and number of points collected) as well as the location (Online Shop or country, town/city and branch for Bricks-and-Mortar Stores) at the time of the purchase and delivery status. Participating stores - We store this data for as long as you are signed up to the Customer Loyalty Programme.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Article data Information on your selection of products, which we need in order to process the additional options for ordering and reserving articles described in our T&Cs.

This includes information on the article selected by you (article number, colour, size, price) and the transaction number.
Generated by us. - We store this data as part of your purchase history for as long as you are signed up to the Customer Loyalty Programme.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.
Customer service request data Information you provide us with in your queries to customer service over the phone or using the online contact form, e.g. subject and background of your query. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to individualise our advertising content and sales advice on the basis of this data.
We store this data for as long as you are signed up to the Customer Loyalty Programme.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of four years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.
HTTP data Protocol data which accrues when accessing the Online Shop via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: IP address, type and version of your internet browser, operating system used, page accessed, last site accessed before visiting the site (referrer URL), and date and time of access. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Online use profile data Data in usage profiles which we create by analysing the usage behaviour of participants in the Customer Loyalty Programme in the Country Shop for Germany. This includes: data about the use of the website, in particular page visits, frequency of visits and time spent on the pages visited, information about articles you have viewed and/or placed in the basket or placed in the wish list in your customer account, technical information on the device used by you (in particular browser version and device number) and your (click) reactions to our advertising. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Service usage data Information on the nature and scope of the services used by you in connection with the Customer Loyalty Programme, in particular the additional options for ordering and reserving articles and the vouchers redeemed by you. Generated by us - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Segment profile data Allocation to participant segments which we create by analysing customer master data, purchase history, customer service request data, online usage profile data and service usage data. This includes the following segment categories: purchasing activities (lead, new, active, inactive, lost), willingness to pay (zero, basic, full return, good, top, unknown), frequency of purchases (zero order, single order, slow shopper, medium shopper, heavy shopper), discount affinity, channel preference, product preference and latest purchase category. Generated by us. - We store this data for as long as you are signed up to the Customer Loyalty Programme.
Market research data Information we collect in connection with customer surveys for market research purposes, in order to analyse in particular the satisfaction of our customers in pseudonymised form and to improve the contents of our programme. Participants in the Customer Loyalty Programme. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot carry out surveys and analyses for market research purposes.
We store this data in pseudonymised form for a maximum of 38 months.

In addition, we store this data in anonymised form in order to evaluate it for internal statistical purposes.

a) Processing of personal data on legal bases

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the web applications in the Online Shop where you can notify us of your data for registering for the Customer Loyalty Programme. HTTP data, customer master data, registration protocol data. No automated decision-making takes place. Balancing of interests (Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to provide the website content requested by the participants. Hosting service provider, Online Shop developer
“Double opt-in” to confirm your consent to the receipt of email advertising.

For this purpose, we send an email message requesting that you confirm the email address specified when signing up. A subscription to email advertising only becomes effective once the participant confirms their email address by accessing the confirmation link contained in the email.
Customer master data, email opt-in data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is the legally conclusive documentation of your consent to the receipt of email advertising. System and service mail provider.
Operation of a customer database in which we maintain and the customer master data and participant’s details and keep it up to date. Customer master data, participant’s details. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to operate a well-ordered database as the basis for optimum maintenance of the customer database. Hosting service provider, communications agency.
Provision of the additional options for ordering and reserving articles.

In connection with the options for reserving and collecting articles described in Part C clauses 2.4.1 and 2.4.2 of the T&Cs which you have selected in the German country store, we forward the article data required for putting aside the article(s) (article number, colour, size, price, transaction number, article price) and the customer master data required in order to identify and inform you to the Bricks-and-Mortar Store, which will put aside the article(s) desired by you. We will then inform you by email that the article(s) has been successfully reserved.

If you make use of the option described in Part C clause 2.4.4 of the T&Cs to place online orders in the German country store on a device in the Bricks-and-Mortar Stores, the employees in the Bricks-and-Mortar Stores can view the customer master data and participant’s details stored in the customer account in order to assist you during the order process and/or when logging on to your customer account.
Article data, customer master data, participant’s details. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Bricks-and-mortar stores.
Provision of the functions of the customer account and a more convenient order process in the German country store.

We use the email address and password specified during your registration as log-in details for your customer account.

You can conveniently maintain the customer master data, participant’s details and advertising preferences specified by you and your wish list in your customer account.

When you are automatically logged on to your customer account during the order process in the German Country Shop, information requested during the order process (e.g. the invoice address) is automatically pre-filled using the data saved in the customer database, in order to make the order process even more convenient for you.

On the basis of your purchase history we give you an overview of your previous purchases in the Participating Stores in your customer account and show you the processing and delivery status of orders placed in the German Country Shop.
Customer master data, participant’s details, purchase history, HTTP data, payment data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Hosting service provider, Online Shop developer.
Recording the purchase history in the Participating Stores in order to calculate your latest points on this basis for the issue of vouchers and to show them in your customer account. Purchase history, customer master data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Participating stores.
Calculating your latest points, issuing and sending the voucher acquired with the points by post. Customer master data, purchase history. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Post service provider, communications agency.
Provision of a customer hotline over which you can request your latest points and other information, for instance regarding your membership, special events and offers or new collections. Employees of the customer hotline can access data saved in the customer database in order to provide you with the best possible individual advice. All the data referred to in Section E.1. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Customer service provider.
Sending information material on the components of the Customer Loyalty Programme and relevant personalised advertising for your own offers (e.g. information about MARC O‘POLO, product information, newsletters, invitations to take part in customer surveys and exclusive offers or invitations to take part in competitions, events and special offers by the Participating Stores) by post. For this purpose, we use the postal address which you have specified when registering for the Customer Loyalty Programme or you have saved in your customer account as your billing address.

We use the title specified in your registration and your name to address you personally and to determine gender-specific contents in our advertising material.

We use the date of birth specified by you in order to send you personalised birthday greetings and information appropriate to your age.

We save the store where you registered, stores which are close to any address specified by you and the store specified as your favourite store in your customer account to send you invitations to store-relevant events and special offers.

We use your participant’s details, purchase history, online usage profile data, service usage data and segment profile data to send you contents reflecting your personal preferences.
Customer master data, participant’s details, online usage profile data, purchase history, service usage data, segment profile data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is the use of the postal address for direct advertising. Post service provider, communications agency.
Provision of information by post, email or phone, to the extent that this is necessary to carry out the Customer Loyalty Programme or services provided in connection with it (referred to jointly below as “Programme Communication”). The Programme Communication includes in particular but not exclusively emails, telephone calls or postal information confirming your registration, messages on your latest points or information on the organisational processing of your purchases or the services used by you, such as messages on that an order has arrived or has been reserved in a Bricks-and-Mortar Store, clarification of complaints or payment errors, information on the alteration service or exclusive shopping appointments. Customer master data, participant’s details, article data. No automated decision-making takes place. Performance of a contract (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation). Bricks-and-mortar stores, system and service mail provider, communications agency.
Carrying out customer surveys for market research purposes and pseudonymised analysis of the market research data in order to further develop and improve the functions of the Customer Loyalty Programme. Market research data No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Our legitimate interest is to develop and improve the Customer Loyalty Programme. Survey agency, hosting service provider, Online Shop developer.
Ensuring the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

For this purpose, data is temporarily stored and evaluated in log files on our web server.
HTTP data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the Online Shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting service provider, Online Shop developer.
Storage for evidence purposes for the possible establishment, exercise or defence of legal claims. Customer master data, email opt-in data, registration protocol data, participant’s details, customer service request data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
Customer service provider
Proper accounting and storage in order to comply with contractual and statutory requirements, in particular commercial and tax law document retention obligations. Customer master data, participant’s details. No automated decision-making takes place. Compliance with a legal obligation (point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation), in particular compliance with statutory requirements regarding proper accounting and other statutory requirements, in particular professional, commercial and tax law document retention obligations.

The legal basis is also the performance of a contract, the other party being the data subject (point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation).
Customer service provider

b) Processing of personal data on the basis of your consent

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Sending information material on the components of the Customer Loyalty Programme and relevant personalised advertising for your own offers (e.g. information on MARC O‘POLO, product information, newsletters, invitations to take part in customer surveys and exclusive offers or invitations to take part in competitions, events and special offers by the Participating Stores) to the communication channels selected by the participant (email, SMS, WhatsApp or by telephone call). We use the latest details saved by you in your customer account for these purposes.

You can select or change the communication channels at any time in your customer account.

We use the title specified in your registration and your name to address you personally and to determine gender-specific contents in our advertising material.

We use the date of birth specified by you in order to send you personalised birthday greetings and information appropriate to your age.

We save the store where you registered, stores which are close to any address specified by you and the store specified as your favourite store in your customer account to send you invitations to store-relevant events and special offers.

We use your participant’s details, purchase history, online usage profile data, service usage data and segment profile data in order to send you content reflecting your personal preferences.

We also send you reminder emails if you have not completed an order in the Online Shop or if articles are still listed in your wish list in the customer account.
Customer master data, participant’s details, online usage profile data, purchase history, service usage data, segment profile data. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). Email service provider, survey agency, communications agency.
Personalised analysis of the affinity of participants in the Customer Loyalty Programme to MARC O‘POLO products for the purpose of personalising and structuring advertising content reflecting the user’s needs. For this purpose, we use different analysis methods allowing us to individualise the advertising contents as well as possible and to tailor them to your personal interests, which we derive from the information saved in our customer database. By individualising the advertising contents in this way, we wish to ensure that you mainly receive information which we regard as being particularly interesting for you. All data referred to in E.1. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). Survey agency.
Displaying personalised banner advertising on our website and on third-party websites on the basis of your online usage profile data and the segment profile data.

The behaviour of users on our website is recorded and analysed for (re-)targeting participants of the Customer Loyalty Programme through advertisements. Users of the website are marked in pseudonymised form so that they can be recognised again on the website or another website. The objective of this process is to draw the attention of a user who has already shown interest in a website or a product to this website or product again to increase the advertising relevance and therefore the click rate and conversion rate (e.g. order rate).

For these purposes, cookies are used on our website, provided that the participant has consented to this. You will find more information on this when you visit the website, where you have the possibility to consent to the placing of the cookies for these purposes.
Online usage profile data and segment profile data based on this. No automated decision-making takes place. Consent (point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation). -
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce.com, inc. (The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Email service provider

(currently: Cheetah Digital Germany GmbH, Speditionsstraße 1, 40221 Düsseldorf, Germany)
Processor Germany (EU) -
System and service mail provider

(currently: Amazon SES, Amazon Web Services EMEA SARL, 5 rue Plaetis, Luxembourg, L-2338, Luxembourg)
Processor Luxembourg (EU) -
Bricks-and-mortar stores/Participating Stores (if operated by sales partners)

A list of currently participating Bricks-and-Mortar Stores can be found in our store finder under www.marc-o-polo.com/stores. You can look for the nearest stores at a specified location or post code here. We mark the Bricks-and-Mortar Stores which take part in the Customer Loyalty Programme in the list of your search results in the store finder with graphic icons.
Processors, provided they assist in provision of the services of the Customer Loyalty Programme described in Part C of the T&Cs and on the website, in particular the additional options for ordering and reserving articles according to Part C, clause 2.4.1, 2.4.2 or 2.4.4 of the T&Cs or Programme Communications.

When recording and forwarding the purchase history to us, the Bricks-and-Mortar Stores act as controllers.
Germany (EU) -
Survey agency

(currently: SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland).
Processor Dublin (Ireland) - European Union (EU) -
Customer service provider

(currently: arvato direct services Dortmund GmbH, Schleefstr. 1, 44287 Dortmund, Germany)
Processor Germany (EU) -
Post service provider

(currently: Deutsche Post AG (Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany) und UPS, United Parcel Service (Deutschland S.à r.l. & Co. OHG, Görlitzer Str. 1, 41456 Neuss, Germany)
Controller Germany (EU) -
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -
Online shop developer:

MOBIZCORP EUROPE LTD. Viernheim branch, August-Bebel-Straße 26, 68519 Viernheim, Germany
Processor Germany (EU) -

F. Information on the processing of personal data of our subscribers to postal advertising

From time to time, we offer you the option to sign up for advertising communications by post on our website (www.marc-o-polo.com) and/or in our Bricks-and-Mortar Stores. In our postal advertising we inform you for example about new outfits and current product trends as well as our special events, special offers and competitions.
When you sign up for our postal advertising, we record your name and postal address and process them for delivering the postal advertising. Apart from this, we store this data for evidence purposes for the establishment, exercise or defence of any legal claims.

When the subscription and unsubscription forms for our postal advertising on the website are used, certain information, for example your IP address, is sent to the server on our website by the browser used on your device for technical reasons. We process this information in order to provide the subscription and unsubscription forms for our postal advertising on our website.

You will find more detailed information on this below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Registration form HTTP data Protocol data which accrues when you access the form for signing up for and cancelling our postal advertising on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), and date and time of the visit.
Users of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of seven days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Subscription data Data which we collect when users sign up for postal advertising.

This includes the following details: first name and surname and your postal address.
Subscribers to postal advertising. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any postal advertising.
We store this data for as long as you are signed up to our postal advertising.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you have unsubscribed and in the event of any legal disputes until such have been concluded.
Registration protocol data Protocol data which accrues when you sign up for postal advertising on our website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons. This includes: date and time of registration and IP address of the device used.

Protocol data which we collect for evidence purposes when you sign up for postal advertising in our Bricks-and-Mortar Stores. This includes: date and time of registration.
Generated by us. - We store this data for as long as you are signed up to our postal advertising.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you have unsubscribed and in the event of any legal disputes until such have been concluded.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the form to sign up for and cancel our postal adverting on the website:

For this purpose, HTTP data is temporarily processed on our web server.
Registration form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide the website content requested by the user.
Hosting provider.
Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Registration form HTTP data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for provision of the form, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Sending the postal address specified by the subscriber. The postal advertising contains information about products and services of MARC O’POLO Einzelhandels GmbH (e.g. Clothing, Shoes & Accessories, Bags, Junior, Living or the MARC O’POLO MEMBERS programme including cross-channel services), also covering information on current product trends, special events, invitations to take part in customer surveys, special offers or competitions.

We use your name to address you personally and to determine gender-specific contents in our advertising content.
Subscription data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Communications agency, delivery service provider.
Storage and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. Subscription data, registration protocol data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the establishment, exercise or defence of legal claims.
-
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting CRM currently:

Microsoft Ireland Operations Ltd (South County Business Park, Dublin, D18, Ireland)
Processor EU -
Hosting e-shop currently:

Salesforce.com, inc. (The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Communications agency

(currently: Defacto relations GmbH, Am Pestalozziring 1-2, 91058 Erlangen, Germany)
Processor Germany (EU) -
Delivery service provider Controller Germany (EU) -

G. Information on the processing of personal data of people entering our competitions

From time to time, we offer you the option to enter various competitions on our website and by other channels (e.g. entry postcards). We process the information provided by you in the relevant entry form (which is pre-filled for reminder mail subscribers, where applicable) in order to carry out the competition concerned and to hand over the prizes in line with the applicable entry terms and conditions accepted by you.

In some competitions, we also offer you the possibility on the website to sign up for reminder mails in which we inform you about our competitions, as explained in more detail in the relevant entry form. We process the information accruing in this context in order to confirm your subscription and to provide reminder mails.

We also store the information accruing in connection with participation in competitions or subscriptions to reminder mails for evidence purposes for the establishment, exercise or defence of any legal claims and, where applicable, to meet statutory, in particular commercial and tax law document retention obligations.

If you enter competitions or sign up for reminder mails on our website (e.g. competition or subscription forms) information, for example your IP address, is sent to our website server by the browser used on your device for technical reasons. We process this information in order to provide the website content requested by you. We process this information in order to provide the forms on our website. To ensure the security of the IT infrastructure used to provide the website, this information is also stored temporarily in a so-called web server log file. When you use such forms on our website, you often also have the option to sign up for our newsletter. You will find more detailed information on the processing of personal data in connection with the newsletter in Section A of this Data Protection Information.

You will find more detailed information on the processing of personal data in connection with entering competitions and signing up for reminder mails on our website below:

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Form HTTP data Protocol data which accrues when requesting forms to enter a competition and to sign up for competition reminder mails on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), and date and time of visit.
Competition entrants (only for entering competitions through an online form on our website, e.g. competition or subscription forms). Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data is stored in server log files in a form allowing the identification of the data subject for a maximum period of six weeks, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Entry form data Data which you provide us with in the entry form for the competition concerned.

This includes information you provide us with in the relevant entry form and which we need in order to carry out the competition in line with the entry terms and conditions.

The actual data requested depends on the specific competition you wish to enter. We typically collect at least your name and your address. Depending on the type of competition, this also includes other data, which we will inform you about in the relevant entry form.
Competition entrants. Provision of the data is a requirement to enter the competition concerned. There is no obligation to provide the data.

If the data is not provided, you cannot enter the competition.
Data is stored until the end of the relevant competition.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Prize winner data Data which you additionally provide us with if you are a winner in a competition.

This includes information which we need for providing the prize, such as your full name, address, clothing or shoe size and information on whether you have accepted the prize concerned.
Competition winners. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot send your prize to you.
Data is stored until the end of the competition concerned.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Prize data Data on the prizes won by the various winners.

This includes information on which winner won which prize.
Generated by us. - Data is stored until the end of the competition concerned.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provided us with the data and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations, exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Reminder mail subscription data Data which we collect when users sign up for possible competition reminder mails for our competitions.

This includes the following details: email address, title, first name and surname.
Reminder mail subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If these required details are not provided, we cannot provide you with reminder mails.
We save this data for the time period stated in the subscription form for the relevant reminder mail, which normally corresponds to the time period specified in the entry terms and conditions of the relevant competition campaign.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you unsubscribed or in which the period of the reminder mails ended and in the event of any legal disputes until such have been concluded.
Reminder mail opt-in data. Protocol data which accrues when signing up for and cancelling reminder mails via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes the date and time of registration for the reminder mail, date and time the subscription notification is sent in the double opt-in process, date and time subscription is confirmed in the double opt-in process and the IP address of the device used to confirm, and the date and time of any unsubscription from the reminder mails.
Reminder mail subscribers. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide you with any reminder mails.
We save this data for the time period stated in the subscription form for the relevant reminder mail, which normally corresponds to the time period specified in the entry terms and conditions of the relevant competition campaign.

We store this data for evidence purposes for the establishment, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you unsubscribed or the time period of the reminder mails ended and in the event of any legal disputes until such have been concluded.
Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Only for entering competitions through an online form on our website, e.g. competition or subscription forms:

Provision of the (where applicable pre-filled) forms for taking part in a competition and the form for registering for reminder mails on the website:

For this purpose, data is temporarily processed on our web server.

If you have signed up for a reminder mail and have requested the entry form via the entry link in you reminder mail, we already fill out the entry form with the details specified by you when you sign up for the reminder mail. For this purpose, we add a randomly generated (hash) value to the entry link which we can use to match it to your consent mail subscription data. You can modify this data at any time before sending off the entry form.
Form HTTP data, reminder mail subscription data (where applicable). No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

If the data is not provided, we cannot provide the requested website content.
Hosting provider.
Only for entering competitions through an online form on our website, e.g. competition or subscription forms:

Ensuring the security of the IT infrastructure used for the provision of the forms for entering a competition and signing up for reminder mails, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data is temporarily stored and evaluated in log files on our web server.
Form HTTP data No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the forms, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).
Hosting provider.
Registration for the relevant competition and selection of winners in line with the entry terms and conditions for the competition concerned which have been accepted by you. Participation form data, prize data. The winner is drawn by random selection. This selection takes place automatically without human intervention. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Hosting provider.
Notifying prize winners and providing the prizes in line with the entry terms and conditions for the competition concerned which have been accepted by you. Participation form data, prize winner data, prize data. No automated decision-making takes place. Point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation (performance of a contract or steps prior to entering into a contract). Delivery service provider (where applicable).
“Double opt-in” to confirm a possible ubscription:

For this purpose, we send an email address requesting confirmation of the email address specified in the subscription. A subscription only becomes effective when the subscriber confirms their email address by accessing the confirmation link contained in the email.
Reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the legally conclusive documentation of your consent to receipt of the reminder mails.
Hosting provider.
Sending the reminder mails to reminder mail subscribers.

We use the optional details specified by you when signing up to address you by name in the reminder mails.
Reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Point (a) of paragraph 1 of Article 6 of the General Data Protection Regulation (consent). Hosting provider.
Storage and processing for evidence purposes for the possible establishment, exercise or defence of legal claims. Participation form data, prize winner data, prize data, reminder mail subscription data, reminder mail opt-in data. No automated decision-making takes place. Balancing of interests (point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation.

Our legitimate interest is the establishment, exercise or defence of legal claims.
-
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (section 147 German Fiscal Code (Abgabenordnung – AO), section 257 German Commercial Code (Handelsgesetzbuch – HGB)).
Participation form data, prize winner data, prize data. No automated decision-making takes place. Compliance with a legal obligation (point (c) of paragraph 1 of Article 6 of the General Data Protection Regulation). -
Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting provider

(currently: Salesforce.com, inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, United States)
Processor USA Salesforce is certified under the EU-U.S. Privacy Shield:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.

An adequacy decision by the EU Commission exists for the EU-U.S. Privacy Shield:

https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016D1250.

In addition, the parties have entered in to EU standard contractual clauses in accordance with paragraph 5 of Article 26 of the General Data Protection Regulation, which was issued under paragraph 4 of Article 26 of the previous Data Protection Directive (Directive 95/46/EC). A copy of the standard contractual clauses can be obtained from our data protection officer (see contact details in Section A).
Delivery service provider

Arvato distribution GmbH, Carl-Bertelsmann-Str. 32, 33330 Gütersloh, Germany
Controller EU -

H. Information on the use of cookies

We use cookies in connection with our website and the offers made on the website. We use the processing and storage functions of your device’s browser and collect information from the memory of your device’s browser.

You will find more detailed information on this below.

I. General information on cookies

Cookies are small text files with information that can be placed on a user’s device through its browser when a website is visited. When the website is visited again with the same device, the cookie and the information it contains can be retrieved.

1. First-party and third-party cookies

Depending on where a cookie comes from, a distinction can be made between first-party cookies and third-party cookies:

First-party cookies

Cookies that are placed and accessed by the operator of the website as the controller or by a processor engaged by the controller.

Third-party cookies

Cookies that are placed and accessed by controllers other than the operator of the website that are not processors engaged by the operator of the website.

2. Transient and persistent cookies

A distinction can be made between transient and persistent cookies depending on how long they remain active:

Transient cookies
(Session cookies)

Cookies that are automatically deleted when you close your browser.

Persistent cookies

Cookies that remain stored on your device for a certain period of time after the browser is closed.

3. Consent-free cookies and cookies requiring consent

Users’ consent is required for some cookies depending on their function and purpose of use. Thus, a distinction can be made between cookies that require users’ consent and those that do not:

Consent-free 
cookies

Cookies that have as their sole purpose to transmit a message using an electronic communication network.

Consent-free 
cookies

Cookies that are necessary so that the party offering a service that has been expressly requested by a participant or user can provide this service (“strictly necessary cookies”).

Cookies requiring consent

Cookies for all purposes of use other than the aforementioned.

II. Management of the cookies used on this website

1. Granting consent to the use of cookies and management of cookies using a cookie dashboard

SIf a user’s consent is necessary for the use of certain cookies, we only use these cookies when you use our website if you have previously granted your consent to this. You can find information as to whether the use of a particular cookie requires consent in the information on the cookies used on this website in Section H.III of this Data Protection Information.

When you visit our website, we display a “cookie banner” in which you can declare your consent to the use of cookies on this website by clicking on a button. When you click on the button, you have the option of giving your consent to the use of all of the cookies described in detail in Section H.III of this cookie information. You also have the option, by clicking on the “cookie dashboard” button, to choose individual cookies. In the “cookie dashboard” of this website, you also have the option of changing your individual selections at a later point in time.

We also store your consent and any individual cookies you have selected in the form of a cookie (“opt-in cookie”) on your device in order to determine, when you visit the website again, whether you have granted your consent. The opt-in cookie has a limited maximum effective period of two weeks.

Strictly necessary cookies cannot be deactivated using the cookie management function of this website. However, you can deactivate these cookies in general at any time in your browser.

2. Managing cookies using browser settings

You can also manage the use of cookies in your browser’s settings. Different browsers have different ways to configure cookie settings. You can find more extensive information on this, for example at http://www.allaboutcookies.org/manage-cookies/.

However, we would like to point out that some functions of the website may not work properly or at all if you deactivate cookies in general in your browser.

ChosenGender cookies

The following cookies may be used on this website:

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
chosengender First-party This cookie is strictly necessary to provide the gender area already selected by the customer (Section B).

This cookie is used to directly display the selected gender area when the customer visits the Online Shop again.

This cookie saves the customer’s selected gender navigation when they visit the Online Shop for the first time.
Transient. No.

Google Analytics cookies

These cookies are used by the web analysis tool Google Analytics to record and analyse the usage behaviour on our website, in order to improve the website (Section B).

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
_ga First-party This cookie contains a unique visitor ID and is used to distinguish different users from each other. Persistent: 
2 years. No.
_gid First-party This cookie contains a unique visitor ID and is used to distinguish different users from each other. Persistent: 
24 hours. No.
_gat First-party This cookie is used to throttle the request rate. Transient. No.
__utma First-party This cookie stores the number of each visitor’s visits and the time and date of the first visit, previous visits and the current visit. Persistent: 
2 years. No.
__utmt First-party This cookie is used to throttle the request rate. Transient. No.
__utmb First-party This cookie is used to log how long each visitor stays at a website, i.e. when the visit begins and when it ends.

This cookie stores the moment in time when a visitor enters a site.
Transient. No.
__utmc First-party This cookie is used to log how long each visitor stays at a website, i.e. when the visit begins and when it ends.

This cookie stores the moment in time when a visitor leaves a site.
Persistent:
30 minutes. No.
__utmv First-party This cookie stores the category into which the visitor fits. Persistent: 
2 years. No.
__utmz First-party This cookie stores the source or campaign that explains what route the user used to come to the website. Persistent: 
6 months. No.

Criteo cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
ASP.NET_Sessionid Third-party The session ID is used to clearly identify a browser on the server. Session Yes.
r.ack Third-party EBS cookie used mainly for Safari. 1 hour Yes.
uid Third-party Identifies the user for the purpose of remarketing (displaying dynamic banners with the most important product-specific recommendations on the basis of statistical data and data collected through surfing behaviour). 1 year Yes.
optout Third-party Opt-out cookie. Allows the user to opt out of the Criteo service. 5 years Yes.
uic Third-party Identifies the user’s context, e.g. what stage of the purchase process the user is at, whether they have looked at one product or several or, for example, placed a product in the basket. It enables us to analyse users on the basis of their browser history and actions on the website in relation to purchase probability, for example. 6 months Yes.
evt Third-party Event cookie. This contains information about the site last visited on the customer website. It is used on the product recommendation during the banner display process. 6 months Yes.
udc Third-party Dynamic inventory selection. It contains a list of the marketers with whom the user is profitable and supports the marking and demarketing functionality. Criteo collaborates with a very large number of marketers in Germany. A marketer generally has one or more websites on which Criteo presents its advertising media. Demarking a user means that a user who has for example purchased a product is demarked for this product. 6 months Yes.
acdc Third-party Advanced Criteo Data Collection. It contains (optional) additional data in connection with the user, e.g. whether the user accessed the website using a mobile or stationary device. It is used to continuously improve campaign performance. 6 months Yes.
zdi Third-party Passback loop detection. Records how often a user triggers a passback on a Publisher’s zone. Publishers are a multitude of marketers within our network on whose zones we present the advertising media for our customers. 6 months Yes.
eid Third-party External ID. It contains the user ID of our Publishers/marketers. It is used for reselling our midmarket inventory. We have a multitude of marketers in our network. The inventory purchased by us is resold as part of the programme if not used. 6 months Yes.
opt Third-party The opt cookie contains the information on whether a user has opted out of our service or a service of one of the marketers within our network and therefore no longer wishes to receive personalised advertising. 1 year Yes.

Metapeople Metalyzer cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
meta_{ID KAMPAGNE},

({ID KAMPAGNE} steht für eine Identifizierungsnummer, die für den entsprechenden Markt (z.B. Deutschland, Österreich) steht.)
First-party These cookies are used by the web analysis tool Google Analytics to record and analyse the user behaviour on our website in order to improve the website (Section B). They contain placeholders for the following information:

· country code, e.g. at, de, ch

· unique ID to recognise returning visitors

· order number

· net basket value (excluding delivery costs, excluding VAT, excluding payment charges, excluding vouchers)

· number of products in the basket

· product numbers

· size of products

· details of whether new customer/existing customer

· payment method (invoice, cash on delivery, credit card, Paypal, iDeal)

· details of whether a voucher was used, voucher code, type and value

· details of whether consent was given for the newsletter

· gender
Transient. No.

Affilinet cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
Affili_0 cookie First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
Server Logline First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
Affili_0 cookie First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
affili_{progid} First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
Server Logline First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
Azure Cloud First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
Data Base First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.
ASP.NET_SessionId First Party These cookies are used to record the pages visited, clicks and orders in our Online Shop which were generated on the basis of a visit to a partner’s website. Persistent:
60 days. Yes.

Daisycon cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
PHPSESSID Third-party Guarantees that a visitor is unique and measures whether a transaction is generated at the advertiser by the click during a session. Transient. Yes.
DCI, PDC Third-party Guarantees that a visitor is unique and measures whether a transaction is generated at the advertiser by the click during a session. Persistent:
30 days. Yes.
ci_{program_ID} , ca_{program_ID} , si_{program_ID} Third-party Measures whether a transaction is generated at the advertiser by the click. Persistent:
30 days. Yes.
__cfduid Third-party This cookie uses the Cloudflare service in order to record safe internet traffic.

This is placed by a click to the advertiser and is requested with the Conversion Pixel.
Persistent:
30 days. Yes.

Tracdelight cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
Click cookies (parameters: sales, OID, publisher advertising space, click time, transaction time) First-party These cookies are needed to calculate the partners’ remuneration and pay it out to the corresponding partners; no personal data is measured in the process. Persistent:
30 days. Yes.

mediards cookies

These cookies are used by the web tracking tool mediards for targeted advertising messages to users of the website ((re-)targeting).

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
Tr.mediards.com Third-party This cookie stores:

· PageLanguageCode (dede)

product IDs

orderID

OrderValue

currency and

page URLs.
Transient. Yes.

Facebook Pixel cookies

These cookies are used on our website for the Facebook Pixel tool (Section B).

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
c_user First-party Used together with the xs-cookie to verify your identity to Facebook (user ID). 90 days Yes
datr First-party Browser ID and time stamp

Identifies browser for the purposes of security and website integrity, including account recovery and identification of possible compromising accounts.
Persistent:
2 years Yes
sb First-party Browser ID and time stamp

Identifies the browser for purposes of log-in authentication.
Persistent:
2 years Yes
wd First-party Screen or window dimensions

Allows the an optimum experience to be provided on the user’s screen.
Persistent:
7 days Yes
xs First-party Session ID, time created, authentication value, secure session status, caching group ID. It is used together with the C_user cookie to verify the user’s identity to Facebook. Persistent:
90 days Yes

Google Ads Conversion Pixel cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
Conversion

AID

DSID

TAID
First-party These cookies are placed by the web tracking tool Google Ads Conversion Pixel for conversion tracking (Section B). They contain placeholders for the following information:

· unique ID for recognising returning visitors

· page type (e.g. thank you page after placing an order, detailed product page or basket),

· order number

· net basket value (excluding delivery costs, excluding VAT, excluding payment charges, excluding vouchers)

· product numbers and prices

The Conversion Pixel stores the users’ purchasing and usage behaviour. This includes the following information:

· which product did the customer buy and at what price

· which pages did they navigate

· how high was the basket value.

This information is used to measure the success of the advertising media used (e.g. whether the use of banners and videos led to sales). Apart from this, customers are placed on retargeting lists under a pseudonym on the basis of this data in order to present suitable ads to them or to exclude them from campaigns (e.g. exclusion of men for a campaign for women).

(See also Google Ads Remarketing cookies below.)
Persistent:
60 days Yes

Google Ads Remarketing cookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
NID

SID

DIE

IDE

ANID

DSID

FLC

AID

TAID

exchange_uid

__gads

gac
First Party These cookies are placed by the web tracking tool Google Ads Remarketing Pixel for targeted advertising messages to users of the website ((re-)targeting) (Section B).

We have placed the Google Adwords Remarketing Pixel in our Online Shop; if a user visits our shop, the Pixel is loaded and places a cookie (tag) in the user’s browser in order to mark them.

Depending on which page the customer has visited in the shop, the information is saved in the cookie. If they have looked at different products, for example, this is saved and the customer can therefore be presented with product adverts on other websites. In this case, the product IDs will be stored in the cookie.

We generally supply the product ID, price, page type and number of products to the cookies.

Apart from the cookie settings on our website, the user can general also deactivate personalised advertising from Google: https://adssettings.google.com/authenticated?hl=de
Persistent:
60 days Yes

Dynamic Yield ookies

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
DYID First-party Using the recommendation tool Dynamic Yield, our internet offer is optimised in order to make the visit to the website into a personalised experience through customised recommendations and content. We use the page contents requested by the user in order to recommend equivalent or thematically linked products or other contents relevant to the users. Persistent:
720 days Yes.
DYSES First-party Using the recommendation tool Dynamic Yield, our internet offer is optimised in order to make the visit to the website into a personalised experience through customised recommendations and content. We use the page contents requested by the user in order to recommend equivalent or thematically linked products or other contents relevant to the users. Session Yes.
__cfduid First-party Using the recommendation tool Dynamic Yield, our internet offer is optimised in order to make the visit to the website into a personalised experience through customised recommendations and content. We use the page contents requested by the user in order to recommend equivalent or thematically linked products or other contents relevant to the users. Persistent:
365 days Yes.

Escome Container (Conversion Tracking via Adition, Appnexus and Facebook)

These cookies are used by web tracking tools Adition, Appnexus and Facebook implemented on the website via the Esome Container for conversion tracking, segmenting visitors and evaluating campaign performance (Section B).

Name First-party / third-party Purpose of use and content Effective term Consent necessary?
AppNexus Segmentation First-party This cookie stores for instance the:

· time stamp

· unique ID for recognising returning visitors
Persistent:
30 to 365 days Yes.
Adition Segmentation First-party This cookie stores for instance the:

· time stamp

· unique ID for recognising returning visitors
Persistent:
30 to 365 days Yes.
Activate Agent Segmentation First-party This cookie stores for instance the:

· time stamp

· unique ID for recognising returning visitors
Persistent:
30 to 365 days Yes.
Facebook Audiences First-party This cookie stores for instance the:

· time stamp

· unique ID for recognising returning visitors
Persistent:
30 to 365 days Yes.
3. Information on the rights of data subjects As a data subject, you have the following rights with regard to the processing of your personal data:

· Right of access (Article 15 of the General Data Protection Regulation)
· Right to rectification (Article 16 of the General Data Protection Regulation)
· Right to erasure (“right to be forgotten”) (Article 17 of the General Data Protection Regulation)
· Right to restriction of processing (Article 18 of the General Data Protection Regulation)
· Right to data portability (Article 20 of the General Data Protection Regulation)
· Right to object (Article 21 of the General Data Protection Regulation)
· Right to withdraw consent (paragraph 3 of Article 7 of the General Data Protection Regulation)
· Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)
You may contact us for the purpose of exercising your rights using the contact information in Section A.

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Sections B to F of this Data Protection Information.

Below you will find more detailed information on your rights with regard to the processing of your personal data:

I. Right of access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in paragraph 1 of Article 15 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (points (a), (b) and (c) of paragraph 1 of Article 15 of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

II. Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

III. Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in paragraph 1 of Article 17 of the General Data Protection Regulation applies. This can be the case, for example, if personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed (point (a) of paragraph 1 of Article 17 of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (paragraph 2 of Article 17 of the General Data Protection Regulation).

The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in paragraph 3 of Article 17 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (points (b) and (e) of paragraph 3 of Article 17 of the General Data Protection Regulation).

You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

IV. Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in paragraph 1 of Article 18 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (point (1) of paragraph 1 of Article 18 of the General Data Protection Regulation).

Restriction means that stored personal data is marked with the goal of restricting their future processing (paragraph 3 of Article 4 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

V. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation or on a contract pursuant to point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation and the processing is carried out by automated means (paragraph 1 of Article 20 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation or on a contract pursuant to point (b) of paragraph 1 of Article 6 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (paragraph 2 of Article 20 of the General Data Protection Regulation).

You can find the full extent of your right to limit processing in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VI. Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

1. Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of paragraph 1 of Article 6, including profiling based on those provisions.

You can find information as to whether an instance of processing is based on point (e) or (f) of paragraph 1 of Article 6 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data is processed for direct marketing purposes in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

Where an instance of processing is based on consent pursuant to point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation, as a data subject, you have the right, pursuant to paragraph 3 of Article 7 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on point (a) of paragraph 1 of Article 6 or point (a) of paragraph 2 of Article 9 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B to F of this Data Protection Information.

VIII. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

The supervisory authority responsible for us is the Data Protection Authority of Bavaria:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27 (Schloss), 91522 Ansbach
poststelle@lda.bayern.de
0981-53-1300

J. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

Detailliertere Informationen zu den wichtigsten in diesen Datenschutzinformationen zugrunde gelegten Fachbegriffen der Datenschutz-Grundverordnung erhalten Sie im Folgenden:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data subject” means the relevant identified or identifiable natural person to which the personal data refers;

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Third country” means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

K. Effective date of and changes to this Data Protection Information

The effective date of this Data Protection Information is 18 February 2019.

It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.

An up-to-date version of this Data Protection Information can be retrieved at any time at www.marc-o-polo.com.