Data Privacy Policy

Sect. 1   General

We will process your personal data (e.g. title, name, address, e-mail address, phone number) solely in accordance with the provisions of the German data protection law and the data protection law of the European Union (EU). The following provisions will inform you, besides the information about the processing purposes, recipients, legal bases and storage periods, also about your rights and the controller for your data processing. This privacy policy applies only to our company and our websites. If you are directed to other sites via links on our pages, please familiarise yourself with the respective use of your data there.

Sect. 2   Data processing for the performance of contracts

(1) Purpose of data processing
Your personal data you provide us during the ordering process are necessary for the conclusion of a contract with us. You are not obliged to provide your personal data. However, we would not be able to send you the goods without your address. For some payment methods we ask for the necessary payment data in order to pass them on to a payment service provider commissioned by us. Hence, the processing of your data collected during the ordering process is soley for the purpose of contract performance.
If you send us a request by e-mail or by using the contact form, etc. before concluding the contract, we process the obtained data to carry out pre-contractual measures and answer your questions about e.g. our products.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (b) of the GDPR.
(3) Recipient categories
Payment service provider, shipping service provider, hosting provider, if necessary merchandise management system, suppliers if necessary (drop-shipping).
(4) Duration of Storage
We store the data required for contract execution until the statutory warranty and, if applicable, contractual warranty periods expire.
We store the data required under commercial and tax law for the statutory periods, generally ten years (cf. § 257 German Commercial Code (HGB), § 147 Regulation of Taxation (AO)).
The data processed for the execution of pre-contractual measures will be deleted as soon as the measures have been carried out and the contract cannot be concluded.

Sect. 3   Web analysis with Google Analytics

(1) Purpose of data processing
This website uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. (“Google”). Google Analytics uses so-called “cookies”, small text files, which are placed on your computer to analyze how you use the website. The information generated by the cookie about your use of this website will be transmitted and saved on server in the United States by Google. If the anonymizeIP function is activated on this website, Google will shorten your IP address in advance within the member states of the European Union or in other states which are parties to the Agreement on the European Economic Area. Only in exceptional cases Google will transmit the full IP address on server in the United States and will shorten there. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activities and providing other services related to website and internet usage for the website operators.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (f) of the GDPR.
(3) Legitimate interest
Our legitimate interest is the statistical analysis of user behavior for optimization and marketing purposes. For your interest in data protection, this website uses Google Analytics with the extension “anonymizeIP()”, so that the IP addresses are only processed in an abridged form in order to exclude direct personal reference.
(4) Recipient categories
Goolge, Partner companies
(5) Transfer to a third country
Google LLC, located in the USA, is certified for the EU-US Data Protection Agreement “Privacy Shield”, which guarantees compliance with the data protection rates applicable in the EU.
(6) Duration of Storage
Unlimited
(7) Right of objection
You can prevent the installation of the cookies in your browser settings. If you choose to change your settings you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: optout
You may also generate blocking by setting an opt-out cookie. If you want to prevent the future collection of your data when you visit this website, please click here: Disable Google Analytics

Sect. 4   Information about cookies

(1) Purpose of data processing
This website uses technically necessary cookies. These are small text files that are stored in or by your Internet browser on your computer system. These cookies enable, for example, the inserting of several products in a shopping basket.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (f) of the GDPR.
(3) Legitimate interest
Our legitimate interest is the functionality of our website. The user data collected by technically necessary cookies are not used to create user profiles. This preserves your interest in data protection.
(4) Duration of Storage
The technically necessary cookies are usually deleted when the browser is closed. Persistent cookies have different validity period from a few minutes to several years.
(5) Right of objection
If you do not wish these cookies to be stored, please deactivate the use of cookies in your Internet browser. However, this may cause a functional limitation of our website. You can also delete persistent cookies at any time by changing your browser settings. 

Sect. 5   Rights of the data subject

If your personal data is being processed, you are the ‘data subject’ in terms of GDPR and you have the following rights towards the controller:

1. Right of access by the data subject

You may ask the controller to confirm whether your personal data is processed.
In the case of such processing, you may request the following information from the controller:
(1) the purposes of the processing of the personal data;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the estimated period of time for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the right to request from the controller to rectify or erase the personal data or the right to restrict the processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) the right to all available information on the source of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4) of the GDPR and – at least in these cases – meaningful information for your about the logic involved, as well as the consequences and intended effects of such processing.
As a data subject, you have the right to be informed whether the personal data concerning you are transferred to a third country or to an international organisation. In this regard, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

You have the right to have corrected and/or completed your personal data from the controller if your personal data processed is incorrect or incomplete. The controller has to make the correction without delay.

3. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:
(1) if you contest the accuracy of the personal data relating to you for a period of time that enables the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to erase the personal data and request the restriction of the use of the personal data instead;
(3) the controller no longer needs the personal data for the purposes of processing, but you need them to establish, exercise or defend legal claims; or
(4) if you have lodged an objection against the processing in accordance with Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your grounds.
Where processing of personal data relating to you has been restricted, such data may, with the exception of storage, only be processed with your consent or for the purpose of establishing, exercising or defending legal claims or for the protecting of the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State.
If the restriction of processing has been restricted in accordance with the conditions mentioned above, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation regarding erasure
You have the right to obtain from the controller the erasure of your personal data immediately and the controller is obliged to erase this data without delay where one of the following reasons applies:
(1) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based accordance to point (a) of Article 6 (1), or point (a) of Article 9 (2) GDPR and where there is no other legal ground for the processing;
(3) you submit an objection to the processing accordance to Article 21 (1) of the GDPR, and there are no legitimate reasons for the processing, or you lodge an objection against the processing accordance to Article 21 (2) of the GDPR;
(4) your personal data have been unlawfully processed;
(5) your personal data need to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) your personal data have been collected in relation to the offer information society services referred to Article 8 (1);

b) Obligation to inform other controllers (third parties)
If the controller has made your personal data public and is obliged to erase them accordance to Article 17 (1) of the GDPR, he has to take reasonable steps, taking into account the available technology and the cost of implementation, including technical measures, to inform the controllers who process the personal data that you, as the person concerned, have requested the erasure of any links to, or copy or replication of those personal data.

c) Exceptions
The right to erasure does not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for fulfilment of a legal obligation which requires processing by the law of the Union or of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or the exercise of official authority transferred to the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 is likely to make it impossible or seriously impair the achievement of the objectives of such processing; or
(5) for the establishing, exercising or defending legal claims.

5. Notification obligation

If you have made use of your right to correct, erase or restrict the processing of your personal data, the controller is obliged to inform all recipients to whom the personal data have been disclosed of this correction or erasure of the data or limitation of the processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.

6. Right to data portability

You have the right to receive the personal data relating to you which you have provided to the data controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller, who has been provided with the personal data, where:
(1) the processing is based on a consent in accordance with the point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract in accordance with the point (b) of Article 6 (1); and
(2) the processing is carried out using automated means.
In exercising this right, you also have the right to have your personal data are transmitted directly from one controller to another, as far as this is technically feasible. Freedoms and rights of other persons may not be affected thereby.
The right to data portability is not applicable to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority given to the data controller.

7. Right to object

For reasons arising from your particular situation, you have the right to object at any time to processing of personal data concerning you, which is carried out based on point (e) or (f) of Article 6 (1); this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you, unless the controller can prove that there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to establish, exercise or defend legal claims.
Where the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
Where you object to the processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the possibility of exercising your right to object by automated means using technical specifications.

8. Right to withdraw the declaration of consent under Data Protection Act

You have the right to withdraw your declaration of consent under Data Protection Act at any time. The withdrawal of the consent does not affect the legality of the processing carried out on the basis of the consent until the withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effect on you or which significantly impairs you in a similar manner.
This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and a data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data in accordance with Article 9 (1), unless point (a) or (g) of Article 9 (2) applies and appropriate measures to safeguard the rights and freedoms and your legitimate interests are in place.
Regarding the cases referred to in (1) and (3), the data controller has to take appropriate measures to safeguard the rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the data controller, to state his or her own position and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes this Regulation.
The supervisory authority with which the complaint has been lodged is to inform the complainant on the progress and the outcome of the complaint including the possibility of judicial remedy accordance to Article 78.

Responsible for data processing:
Erler-Zimmer GmbH & Co. KG
Hauptstr. 27
77886 Lauf
Germany
Phone: +49 (0) 7841 6003-0
info@erler-zimmer.de

Contact details of our data protection officer:
Dr. Klaus Wilke
Dr. Wilke Datenschutz
Hölderlinstraße 11
75334 Straubenhardt
Germany
wilke (at) dr-wilke-datenschutz (dot) de

Contact details of the supervisory authority:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Königstr. 10 a
70173 Stuttgart
Telefon: +49 (0) 711 615541-0

poststelle@lfdi.bwl.de
https://www.baden-wuerttemberg.datenschutz.de/impressum/