Blutsgeschwister GmbH
Data Protection Statement

1. Introductory Remarks


Thank you for your interest in our business. We take data protection seriously.

Fundamentally, you can use our website without providing any personal data. If you would like to make use of our business website, we may need to process your personal data.


The processing of personal data (e.g. name, address, email address or telephone number of the person concerned) is always carried out in accordance with the General Data Protection Regulation (GDPR) and in accordance with the current country-specific data protection regulations.


As data controllers, we have implemented numerous technical and organisational measures to ensure that as far as possible there are no gaps regarding the protection of the personal data processed through our website. However, there can, fundamentally, be security gaps whenever data is transferred over the internet. Therefore, 100% protection cannot be guaranteed. As a result, you can instead communicate your personal data to us by other means, such as by telephone.

2. Name and contact data of the Responsible Person and the Data Protection Officer


a) Responsible Person


The Responsible Person for the purposes of the General Data Protection Regulation and other national data protection legislation in the Member States, as well as data protection laws elsewhere is:


Blutsgeschwister GmbH

Kreuzbergstrasse 28

10965 Berlin

Germany

Tel.: +49 (0)30 - 5557181-91

Email: service@blutsgeschwister.de

Website: www.blutsgeschwister.de

 

b) Data Protection Officer


The contact details for the Data Protection Officer of the Responsible Person are as follows:


datenschutz nord GmbH

Branch Berlin-Charlottenburg

Kurfürstendamm 212

10719 Berlin

E-Mail: office@datenschutz-nord.de

3. Collection and storing of personal data; types and purposes of personal data use


a) Visiting our website


Fundamentally, you can use our website without having to disclose your identity. If you wish to use our website purely to get information, and so do not register with us or otherwise transfer information to us, the browser on your device will automatically send information to the server for our website. This information will be stored temporarily in a log file and then automatically deleted after 30 days. Where these log files need to be stored for a longer period of time as evidence, they are exempted from deletion until the specific situation has finally been clarified, and this information can be, on a case by case basis, passed to investigative authorities. The following information is collected and saved until the automatic deletion, without requiring your input:


  • The IP address of the accessing computer;
  • Date and time of access;
  • Name and URL of the accessed file;
  • Website through which it was accessed (referrer URL);
  • The browser used and if necessary, the operating system of your computer, as well as the name of your access provider; and
  • The volume of data transferred.


We process the data described above for the following purposes:


  • To guarantee that a smooth connection to our website is established;
  • To guarantee that our website is comfortable to use;
  • To investigate faults and for reasons of security;
  • To protect and defend our rights;
  • To evaluate the system security and stability; and also
  • For other administrative purposes.


The legal basis for the processing of data is Article 6(1)(f) of the GDPR. Our legitimate interest for the collection of data follows from the purposes itemised above. We never use the data collected to draw any conclusions about you as an individual.

Furthermore, we use cookies and other technologies (hereinafter “cookies”) when you visit our website. Further information is available under point 5 of this data protection statement.

b) Other functions and offers on our website


Besides using our website for purely informational purposes, you may wish to use some of our other services. These services will generally require you to enter additional personal data, which we use to deliver that particular service and to which the aforementioned principles of data processing apply.


Sometimes, we use external service providers when processing your data. We have carefully selected and authorised these providers and they abide by our policies.

Furthermore, we may pass on your personal data to a third party, in circumstances where we are offering you the opportunity to take part in special offers, competitions, the conclusion of a contract, or similar services that we are offering jointly with our partners. You can find out more information about this at the point that you supply your personal data, or further down in the description of that offer.


Where the registered office of our service provider or partner is based in a country outside the European Economic Area (EEA), we will explain the implications of this in the description of the offer.

c) Withdrawing or objecting to the use of your personal data


1. THE RIGHT TO WITHDRAW


If you have granted consent for the processing of your data as per Article 6(1)(a) of the GDPR, you may withdraw this consent at any time. Once you have informed us, this withdrawal affects the legitimacy of processing your personal data.


2. RIGHT TO OBJECT


Provided that your personal data is being processed based on legitimate interests as per Article 6(1)(f) of the GDPR, you have the right, as per Article 21 of the GDPR, to raise an objection to the processing of your personal data, where grounds for this exist, either arising from your particular circumstances or from an objection to direct marketing. If it is the latter, you have a general right to object without making reference to a particular situation that we have carried out.


If you wish to make use of your right to withdraw or object, simply email us at: service@blutsgeschwister.de

d) Contacting us 


You can use our website to contact our customer services for all your questions about online orders, invoices or returns. When you make contact with us, if it is necessary for the processing of your request, we may record personal data such as your name, email address and telephone number. This data is stored and used purely for the purposes of responding to your request, and more specifically to establish contact and for the related technical administration. The legal basis for this data processing, where it concerns a service provision and no contract arises from it, is our legitimate interest to respond to your concern as well as to market and improve our products and services, provided that this is carried out in accordance with the requirements of data protection regulations and competition law, as per Article 6(1)(f) of the GDPR. If that contact leads to you performing a transaction, then the additional legal basis for the data processing is Article 6(1)(b).


We also use the following third-party system to contact customers and provide customer services:


Freshdesk


Freshdesk is a ticketing system i.e. customer service system by Freshworks Inc. Customer Support, 2950 p. Delaware Street, Suite 201, San Mateo, CA 94403, USA; Data Protection Declaration for the provider: https://www.freshworks.com/privacy/

Customer data may also be transmitted to this third party for the purposes of customer inquiries and responses. In particular, the data being transferred will include the customer’s first name, last name, e-mail address, telephone number and when necessary for processing the ticket, communication data (such as e-mails, processing instructions, and ticket data such as the start date or processing comments). Freshdesk is a cloud application hosted on the servers of Amazon Web Services EMEA SARL, which are located exclusively within the European Union, and which in our case is exclusively in Frankfurt am Main. There are no connections to other applications and no merging of data from other sources. Transmission of data to Freshdesk is secured by TLS encryption.


The standard contract clauses as concluded with Freshworks can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en


The legal basis for the processing of your personal data is balanced with our interests in line with Article 6(1)(f) GDPR, and is based on our legitimate economic interest to provide you with efficient, economic and user-friendly services. Your personal data will only be transferred to the extent that it is required by the service provider Freshworks, who as our data processors (Art. 28 GDPR) will only process the data on our behalf and in accordance with our instructions.

e) Ordering through our website — Data processing registrations and processing contracts


You can order from our website as a guest, or you can register as a customer for future orders. The advantage of registering with us is that for future orders, you can simply log into our online shop directly using your email address and password, without needing to enter your contact details again. Your personal data will be entered into an input mask and then transferred to us and stored.


When you place an order with us, both for guest orders as well as registrations for the online shop, we initially collect the following data:

  • Title, first name, surname;
  • A current email address;
  • Address;
  • Telephone number (landline and/or mobile).

The collection of this data is:


  • To identify you as our customer;
  • To be able to process, fulfil and settle your order;
  • To correspond with you;
  • For invoicing purposes;
  • For the settling of any existing liability claims, as well as the enforcement of any claims against you;
  • To ensure the technical administration of our website;
  • For the management of our customer information.


This data processing is part of the ordering process and/or is necessary as per Article 6(1)(b) of GDPR for the named purposes of processing your order and the mutual fulfilment of obligations that arise from the sales agreement. Additionally, we may pass your payment data to our payment services providers. The legal basis for this is also Article 6(1)(b).

Moreover, we can process the data provided by you to provide you with technical information by email, or to let you know about more interesting products from our range, since this promotional marketing follows from our justifiable interests in Article 6(1)(f) GDPR for a simple and cost-effective approach to our registered customers, while taking into consideration the stringent requirements of Section 7 para. 3 of German unfair competition law.

4. Transfer of data


a) General information


aa) Transfer to a third party inside the European Union


We will only transfer your personal data to those third parties who require it for the fulfilment of particular legitimate purposes.


Where our assigned external service providers receive personal data for these purposes, we make sure that when we select our partners that appropriate technical and organisational measures have been implemented, and the necessary agreements are concluded, so that the processing is carried out in line with the current data protection regulations and the protection of the rights of the individual person concerned can be guaranteed.


In light of this, we will only transfer your personal data to third parties, other than the service providers named below under b), if:


  • You have explicitly given your consent for this as per Article 6(1)(a) of the GDPR;
  • The transfer is necessary as per Article 6(1)(f) of the GDPR for the enforcement, exercise or defence of a legal claim, and there is no reason to assume that you have a dominant legitimate interest regarding the transfer of your data;
  • There exists a legal obligation for the transfer as per Article 6(1)(c) of the GDPR;
  • This is legally permissible and is required as per Article 6(1)(b) of the GDPR for the processing of contractual relationships with you.


bb) TRANSFERS TO THIRD COUNTRIES


Personal data will only be transferred to a third country or an international organisation if we inform you of this, and the conditions of Article 44 ff of the GDPR are met.


A country is designated to be a third country if it is outside the European Economic Area (EEA), where GDPR does not directly apply. A third country is deemed to be insecure, if the EU Commission has not enacted any adequate arrangements for this country as per Article 45(1) of the GDPR, for which it has been confirmed that there is reasonable protection for personal data in that country.


The current adequacy decision of the EU Commission has determined that since the new EU-US data protection framework (EU-U.S. Data Privacy Framework (DPF)) came into effect, the USA, as a GDPR third country, now has an appropriate level of data protection if the receiving US company has successfully completed the DPF certification process. The large US companies we use (Meta (Facebook, Instagram, WhatsApp), Google, Microsoft) have already achieved DPF certification, so do not need to implement additional data protection measures. The US companies we use that have not yet been certified have ongoing contractual clauses in place that meet the DPF regulations and so ensure a level of data protection that corresponds to Art. 46 of the GDPR.


If you only activate ‘technically necessary cookies’, the transfer of data described above does not take place.


We will tell you when and how we transfer your personal data to the USA or to other insecure third countries. We will only transfer your personal data, if:


  • The receiver provides an adequate guarantee for the protection of personal data as per Article 46 of the GDPR;
  • You have explicitly given your consent to the transfer, after we have informed you of the risks in relation to Article 49(1)(a) of the GDPR;
  • The transfer is necessary for the fulfilment of contractual obligations between you and us; or
  • Another exception from Article 49 of the GDPR applies.


Guarantees that meet the requirements of Article 46 of the GDPR can be called standard contractual clauses. In these standard contractual clauses, the receiver of the data ensures that the data will be sufficiently protected and so guarantees a level of protection comparable to the GDPR.

b) Transfer of data for order processing


A transfer of your personal data from us to a third party for the order processing is exclusively carried out for the purposes of the service partners concerned with implementing the contract: for example, transfers to logistics companies to whom the delivery has been assigned, and transfers to the payment service providers who are processing payments. Where your personal data is transferred to a third party, the amount of data transferred is kept to a bare minimum. The legal basis for this transfer of data is always Article 6(1)(b) of the GDPR.


aa) Transfer of personal data to shipping providers


If the delivery of the goods is undertaken by a transport service provider who will coordinate the delivery dates and in particular where they supply delivery notifications, we will pass on your email address as per Article 6(1)(a) of the GDPR before the shipment of the goods, for the purposes of coordinating a delivery date and particularly for the delivery notification, provided that you have granted explicit consent for this during the ordering process. Otherwise, we will only pass on the names of the recipients and the delivery address to the transport service provider as per Article 6(1)(b) of the GDPR, for the purposes of the delivery. This transfer is only carried out insofar as it is necessary for the shipment of the goods.

bb) Use of payment providers


Your payment details will be transferred to the payment provider determined by your choice of payment method. Article 6(1)(b) of the GDPR provides the legal basis for the processing of your payment. The processing of your personal data is necessary for the fulfilment of your order; you have free choice over your method of payment. Responsibility for your payment details lies with the payment provider. Information pertaining specifically to the responsible authority for your payment provider, the contact details for the data protection officer for the payment provider and the types of personal data processed by the payment provider can be accessed at the internet addresses below.


If you decide to pay using credit card or instant transfer, we will transfer your payment details to the payment service provider BS PAYONE GmbH, Lyoner Straße 9, D-60528, Frankfurt/Main, Germany, www.bspayone.com (henceforth referred to as “PAYONE”), for the purposes of processing your payment. Credit card details entered at shop.blutsgeschwister.de will be directly and securely received by PAYONE. PAYONE is PCI DSS certified and complies with the most stringent requirements for the secure handling and storage of credit card details. In addition, where the chosen payment method is PayPal or instant transfer, no information is held on the servers of Blutsgeschwister GmbH. When using the instant transfer method of payment, that payment is processed by the payment services provider SOFORT GmbH, Theresienhöhe 12, 80339 München, Germany (henceforth referred to as “SOFORT”), and to whom we will transfer the information you disclose as part of the order process, together with information about your order. SOFORT GmbH is part of the Klarna group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). Your data will only be transferred for the sole purpose of processing your payment through the payment services provider SOFORT and only insofar as required for this purpose. Further information about SOFORT’s privacy policy can be accessed from the following website: https://www.klarna.com/sofort/datenschutz. You can obtain further information about data protection regulations from PAYONE’s data protection basic principles: https://www.payone.com/data-protection-regulations.


If you decide to pay using PayPal / PayPal Express, both being payment services provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A. (22-24 Boulevard Royal L-2449, Luxemburg), then all PayPal transactions are subject to the PayPal data protection statement, which can be found at the following web address: https://www.paypal.com/ua/webapps/mpp/ua/privacy-full


payolution GmbH (an Unzer GmbH business, Vangerowstraße 18, 69115 Heidelberg, https://www.unzer.com/en): If you choose to pay by purchase on account and instalments, where this option is offered, the processing will be undertaken by payment service provider payolution GmbH, Stiege 1 / 5. Stock, Columbusplatz 7-8, 1100 Wien, Austria. As a result, we will assign the existing payment claim to payolution once your purchase agreement is complete. Within the context of the ordering process, you consent to the related transfer of your personal data for the purposes of identity checks and credit checks, as well as for the execution of the contract.


The end customer data protection statement for payolution GmbH, who is a responsible person for processing your personal data can be found here: https://a.storyblok.com/f/118211/x/36efb2d796/datenschutz-payolution-gmbh-endkunden-21122021.pdf.


For purchases on account, the additional data protection statement for payolution GmbH, who is a responsible person for processing your personal data, can be found here.


When buying on account, and payment by instalments where it is offered, we transfer the required personal information (first name, surname, address, email address, telephone number, date of birth, IP address, gender) together with data necessary to carry out the transaction (product, invoice total, interest, instalment payments, due dates, total amount due, invoice number, amount of tax, currency, date and time of the order) to payolution GmbH, as well as to Bank Frick & Co AG, Landstrasse 14, 9496 Balzers, Liechtenstein, to whom we assign our purchase price claim against you. The aforementioned companies carry out credit checks for the purposes of making a decision about the purchase of the claim, as their own responsible person. The legal basis for us carrying out this transfer is our legitimate interest for economic protection when using these payment methods, as well as to fulfil our obligations under civil law to release the required information to the debt purchaser as per Article 6(1)(f) of the GDPR. Our interests are compulsory with the selection of this payment method, since carrying out a creditworthiness check and therefore also the purchase of the debt would otherwise no longer be possible. It is therefore not possible to withdraw your consent for this data processing (Article 21(1) of the GDPR) if you wish to select this payment method; you can however select another payment method.


Klarna: If you decide to pay by Klarna invoice, the data processing will be undertaken by payment services provider Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (henceforth referred to as “Klarna”). General information about Klarna can be found here. As part of the data processing, your personal details will be passed on to Klarna. The personal data transferred to Klarna will usually be your first name, surname, address, date of birth, gender, email address, IP address, telephone number and mobile telephone number, as well as other data that is necessary for the processing of a purchase on account. Personal data associated with the corresponding order will also be required to process the purchase contract. This particularly covers the mutual exchange of payment information, such as bank details, card number, expiry date and CVC code, number of items, product number, goods and services data, prices and taxes due, information about your previous purchasing behaviour and other information about your financial situation. This transfer of data is primarily for the purposes of identity verification, payment administration and fraud prevention. We will then transfer personal data if a legitimate interest has been given for this transfer. The personal data shared between us and Klarna will be transferred to credit agencies, for the purposes of verifying identity and making credit checks. Klarna also transfers personal data to its affiliated companies (Klarna Group), as well as service providers and subcontractors, insofar as this is necessary to fulfil contractual obligations or where the data is to be processed on their behalf. In order to make a decision about the initiation, provision or cessation of a contractual relationship, Klarna reviews and uses data and other information about your previous purchasing behaviour, as well as probability assessment values for your future behaviour (known as scoring). 
The scoring is calculated on the basis of a mathematical-statistical method that is scientifically proven. You have the opportunity to withdraw your consent for the handling of your personal data by Klarna at any time. This withdrawal does not affect any personal data that (contractually) must be processed, used or transferred in order to process the payment. You can access Klarna’s current privacy policy at https://cdn.klarna.com/1.0/shared/content/policy/data/de_de/data_protection.pdf.

5. Information about tracking, including the use of cookies


a) General information


Your browser uses cookies and other technologies (hereinafter “cookies“) when you visit our website. This means that your browser automatically creates small text files and stores them on your end device (laptop, tablet, smartphone, etc.) and saves certain preferences and data concerning your interaction with our server. Cookies will not damage your device. They do not contain any executable code and therefore no viruses, trojans or other malware that would allow us to spy on you.


Fundamentally, there are two types of cookies: so-called session cookies, which are deleted when you close your browser, and temporary/permanent cookies, which are stored for a longer period of time. The storage of cookies helps us make our website and services more relevant to you, and makes it easier for you to use; for example, it saves certain types of inputs that you make, so that you do not need to constantly repeat what you enter.


Information is filed in the cookie that relates to the specific device used in each case, and which can be retrieved by us. This does not mean, however, that we can thereby receive direct knowledge about your identity.


We and our advertising partners (third-party providers) use browser cookies, flash cookies and other common tracking technologies, including small graphics, which are referred to as the pixel number, pixel tags, web beacons or clear gifs and are used for the delivery of our services, so that we can understand how our users are engaging with our online provision. We refer to cookies and other such technologies generally, as ‘cookies’.


These cookies are automatically deleted after a certain period of time, as defined in each case. You can find out about the storage length for particular cookies by looking at the cookie settings in your web browser.


Cookies partly serve the purpose of facilitating the ordering process, by storing preferences (e.g. noting the contents of a virtual shopping basket for an order through the website later on), and for displaying the particular product (both statistically and in moving images).


Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer, or previously stored cookies are erased, or a prompt is displayed each time before a new cookie is stored. Completely deactivating cookies, however, will mean that you cannot use all the functions on our website.


Each browser manages cookie settings differently. They will be described in the help menu of your browser, where it will explain how you can change your cookie settings. Here are the links for the respective browsers:

 

 

If you have adjusted your browser or are using plugins that mean external scripts are blocked, which is particularly the case if you are using ad blockers or script blockers, you will find that the “Manage tracking settings” button is not displayed either. In this situation, as data processing is being prevented on your side, we will not be able to process the data, as a result of your settings. This therefore removes the need to object to data processing through third-party cookies.


Cookies that are technically necessary will be automatically used, meaning without your prior explicit consent (cf. Section 25 para. 2 of the Tele Services Data Protection Act (TTDSG)). All other cookie types we only use with your prior explicit consent (cf. Section 25 para. 1 TTDSG). You can give your consent when you first visit the website by clicking on the “Accept all” button, or by clicking separately on each individual option. The cookies that are placed are then automatically deleted at the end of their lifetime. If you click on “Only technically necessary”, no further services are loaded (with the exception of the technically necessary cookies).

You can find detailed information on our website about the particular tracking technology we use, such as the purposes of processing, the data that is processed, its legal basis, the storage period and the third-party providers that we use, under "Manage tracking settings".
You can also use "Manage tracking settings" on the footer of our website to withdraw your consent at any time, either for a particular tracking technology category or for individual services, or instead use the consent withdrawal option for the respective service. In each case, this will affect your future use of the service.

b) Types of tracking technology


The cookies used on our website can originate from us or from third-party providers.


Within our company, we will only pass on your personal data to those places and persons, who require this data to fulfil their contractual and legal obligations or to pursue our legitimate interests. No individual decisions, in the sense of Article 22 of the GDPR, are made.


The following four categories of cookies are used: namely technically necessary, functional, statistical and marketing cookies.

The following information explains these different categories:


  • Technically necessary cookies

These cookies are necessary for technical reasons: to enable the optimal navigation and operation of our website. They ensure the proper operation of the essential functions of our website (e.g. the shopping basket function, meaning that the items in your shopping basket remain saved while you continue shopping). Furthermore, these cookies serve to save the particular inputs and settings that you have made, so that you do not need to constantly repeat them. When you visit and use our website, you must always keep these cookies activated. Without technically necessary cookies our website either cannot be used, or only in a restricted way. The legal basis for the use of technically necessary cookies is Section 25 para. 2 of the Telecommunications-Telemedia Data Protection Act (abbreviated in German to TTDSG). You can find out from the respective service which legal basis they are using each time for the processing for personal data, based on the data protection regulations.


  • Functional cookies

We use functional cookie technology to add more functions to our website. This upgrades our website, meaning that it gets better and more user friendly. These cookies can be blocked without the navigation and operation of the website being affected. The legal basis for the use of functional cookies is Section 25 para. 1 of the Telecommunications-Telemedia Data Protection Act (abbreviated in German to TTDSG), meaning that you have given your consent. You can find out from the respective service which legal basis they are using each time for the processing for personal data, based on the data protection regulations.


  • Statistical Cookies

We use these cookie and tracking technologies to analyse the use of our website. It is how we gather device and access data, and this information optimises our website. These cookies only contain anonymous or pseudonymous information and are only used for the purposes of improving our website and to find out what interests our users, as well as measuring how effective our advertisements are. Statistical cookies can be blocked without the navigation and operation of our website being affected. The legal basis for the use of statistical cookies is Section 25 para. 1 of the Telecommunications-Telemedia Data Protection Act (abbreviated in German to TTDSG), meaning that you have given your consent. You can find out from the respective service which legal basis they are using each time for the processing for personal data, based on the data protection regulations.


  • Marketing Cookies

We and our advertising partners (including social media platforms such as Google, Facebook and Instagram) use marketing cookie and tracking technologies to show you personalised adverts. It also helps us show you personalised adverts that match your interests on other websites (called retargeting). Marketing cookies can be blocked without the navigation and operation of our website being affected. It is possible that the advertisements are not personalised at times. The legal basis for the use of statistical cookies is Section 25 para. 1 of the Telecommunications-Telemedia Data Protection Act (abbreviated in German to TTDSG), meaning that you have given your consent. You can find out from the respective service which legal basis they are using each time for the processing for personal data, based on the data protection regulations.

6. Using your data for direct advertising


a) Newsletter


You can give your consent to subscribe to our newsletter, where we tell you about our current interesting offers. The products and services being promoted are named in the declaration of consent.


We use the double opt-in process when you register for our newsletter. That means that once you have registered, we send an email to the email address you entered, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration, we automatically delete your information. We also save the IP address you used each time and the times of your registration and confirmation. This is to confirm you want to register, and to check for possible misuse of your personal data, when applicable.


The only mandatory data required to receive the newsletter is your email address. Disclosing additional data, which is marked separately, is voluntary, and it is gathered so that we can address you personally. After you confirm your registration, we save your email address for the purposes of receiving our newsletter. The legal basis for this is Article 6(1)(a) of the GDPR.


You can withdraw your consent as used for the receipt of our newsletter and can unsubscribe from the newsletter. There is a link included in every newsletter email that allows you to withdraw your consent. Alternatively, you can instead use the form on our website, email service@blutsgeschwister.de or send us a message using the contact details given on the masthead.


Please note that we analyse your user behaviour through the distribution of the newsletter. We can perform this analysis because the emails being sent contain web beacons, or tracking pixels, which are one pixel image files that are then saved on our website. To analyse the data, we connect the named data listed under number 3 a) and the web beacons with your email address and an individual ID. The links in the newsletter also contain this ID. With the data this provides, we can create a user profile, which then tailors the newsletter to your individual interests. We collect data about when you read our newsletter and which links you click through from it, and from that we can infer your personal interests. We connect this data with your activity on our website.


You can opt out of this tracking at any time, by clicking on the special link which appears in every email, or by notifying us by some other means. The information described is stored for as long as you are subscribed to the newsletter. If you unsubscribe, the nature of the data we store will be anonymous and purely statistical.


We use the German service provider “CleverReach” for sending out email campaigns, and in particular for the newsletters.


The service provider is CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach is a service that manages and analyses the newsletter distribution. The data that you enter when you subscribe to the newsletter (e.g. email address) is stored on CleverReach’s servers in Germany or Ireland. The newsletter that we send out through CleverReach also enables us to analyse your user behaviour. Further information about the data analysis performed through the CleverReach newsletter can be obtained at: https://www.cleverreach.com/en-de/newsletter-tool/newsletter-reporting/. The data you enter when you subscribe to our newsletter is also stored here at our end until you unsubscribe, after which the data will be deleted from both our servers and the CleverReach servers. Data that has been stored by us for other purposes remains unaffected by this. You can find the full details in the data protection statement for CleverReach at: https://www.cleverreach.com/en-de/datenschutz/. Contract agreement concerning order processing: In order to ensure complete compliance with the strict legal data protection requirements, we have agreed a contract with CleverReach concerning order processing.


Distributing our email newsletter to existing customers: If you have provided us with your email address when you purchased a product, we reserve the right to periodically email you regular offers about products in our range that are similar to those you have already purchased. This data is processed solely on the basis of our legitimate interests to conduct personalised direct advertising as per Article 6(1)(f) of the GDPR. If you initially objected to the use of your email address for this purpose, we will not send you those emails. You are entitled to object at any time to the use of your email address for the aforementioned advertising purposes, being aware that it will affect your future use of the service, by notifying the responsible person named at the beginning of this document. This will mean that you only incur transmission costs at the basic rate. Once we have received your objection, the use of your email address for advertising purposes will immediately cease.

b) Advertisements by post


On the basis of our legitimate interests for personalised direct advertising we reserve the right to store your first name and surname, postal address and — where we have received this additional information as part of our contractual relationship with you — your title, academic level, birth year and your occupation, sector or business name, as per Article 6(1)(f) of the GDPR, and use it to send you interesting offers and information about our products by post.

7. Data processing in relation to the VIB Club


The VIB Club is a customer loyalty programme that we offer our customers who are resident in any of the countries served by our online shop, and also in Switzerland in both the online shop and the stores. You can register yourself as a member of the club and take advantage of attractive benefits, such as VIB offers, exclusive gifts (for example, an annual birthday present), free delivery and the exclusive participation in pre-sales and pre-shopping campaigns. You can find out more details in the Conditions of Use.


When you register for the VIB Club, you create a personal customer account. You can register for the VIB Club at any time: either when you are placing an order, or also independently from making a purchase.


a)  This is the data we process:


When you register for the VIB Club, we process the following mandatory information:

  • Surname, first name;
  • Email address;
  • Billing address;
  • Shipping address.

You can choose to give us the following data:

  • Title;
  • Date of birth.

 

b) Purposes for data processing


We process your personal data in line with the current data protection legislation for the following purposes:

  • Management of the VIB Club;
  • Email advertising, provided that you have given your consent;
  • Compliance with legal requirements;
  • Contract processing;
  • Individualising customer contact;
  • Personalisation;
  • Date of birth for personalisation.

 

c) Legal basis


The processing of your data is necessary for the management of the VIB Club to fulfil our contract (Article 6(1)(b) of the GDPR). Insofar as you have given consent for email advertising when registering for the VIB Club, this constitutes the legal basis for processing that data (Article 6(1)(a) of the GDPR). You may of course withdraw this consent at any time. Article 6(1)(c) provides the legal basis for this data processing, in relation to the compliance of this processing with legal obligations. Your right to object to permissible direct advertising pursuant to section 3 c) 2. shall of course remain unaffected.


d) Using the Apple Wallet or Android Wallet apps


You have the option to transfer your VIB Club membership card into your Apple Wallet or an Android wallet app, and to save it as a QR code. If you do, your customer reference number will be processed.


You can of course remove your VIB Club membership card from your wallet app and so delete it.

8. Privacy information for our Instagram/Facebook accounts


a) Information about personal data collection; Contact details for the data controller

 

Below we explain how your personal data is handled when you engage with or visit our Instagram and Facebook online presence. Personal data (henceforth referred to as data) constitutes any data that makes you personally identifiable. Please consider carefully which personal data you decide to share with us via Instagram and Facebook.

 

Instagram and Facebook are part of the Meta group, and so share infrastructure, systems and technology with Meta and other Meta companies (https://www.facebook.com/help/111814505650678?ref=dp). We would like to explicitly state that Meta stores the data of the users of its Instagram and Facebook services (e.g. personal information, IP address, etc.) and may also use them for business purposes, where applicable.

 

For more information about Meta’s data processing for Facebook and Instagram, see Meta's Privacy Policy at: https://www.facebook.com/privacy/policy/

 

We have no influence over data collection and further data processing by Meta. Furthermore, we cannot determine to what extent, where and for what duration the data will be stored, to what extent Meta fulfils existing erasure obligations, what evaluations and connections are made with the data and to whom the data will be passed on. If you would like to avoid Meta processing the personal data that you transfer to us, please contact us by other means. You can find our full contact details in the about sections of our Instagram and Facebook pages.

 

Where we are the sole processors of the data that you transfer to us via Instagram and Facebook, the data controller for the data processing with regard to the General Data Protection Regulation (GDPR) is: Blutsgeschwister GmbH, Kreuzbergstrasse 28, 10965 Berlin, Germany, Tel.: +49 (0)30 - 5557181-91, Email: service@blutsgeschwister.de, Website: www.blutsgeschwister.de.

 

Where the data you transfer via Instagram and Facebook (Insights data) is processed additionally or solely by Meta, as the operator of these two services, the data controller's address with regard to the General Data Protection Regulation (GDPR) is, in addition: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

 

Where there is an agreement between jointly responsible persons, data processing is carried out in accordance with Art. 26 of the GDPR, which you can view here:

https://www.facebook.com/legal/terms/page_controller_addendum.

 

Use of certain Facebook products, such as the "Facebook Business Tools", and the data processing that entails, is covered by an additional agreement between us and Meta Platforms Ireland Ltd., as joint data controllers in line with Art. 26 GDPR, which can be viewed here: https://www.facebook.com/legal/controller_addendum

 

The data controller for the processing of personal data is the natural or legal person who solely or jointly with others decides on the purposes and means of the processing of personal data (Art. 4(7) of the GDPR).

 

b) Data Protection Officer

 

You can contact the data protection officer for Meta, which operates Instagram and Facebook, using the online contact form provided at: https://www.facebook.com/help/contact/540977946302970.

 

c) Data processing when contacting us

 

If you contact us via the contact form or message function, for example, we process your data ourselves. The specific data that is processed in the case of the contact form is shown in the contact form itself. This data is stored and used purely for the purposes of contacting you in response to your request and for the technical administration that entails.

 

The legal basis for the processing of the data is our legitimate interest to answer your request as per Art. 6(1)(f) of the GDPR. If that contact leads to you agreeing a contract, then the additional legal basis for the data processing is Article 6(1)(b). Your data will be deleted after the final processing of your request, provided there exists no legal obligation that prevents this. We will consider the data processing to have finished once the circumstances indicate that the matter has been resolved.

9. Online flipbook tool Paperturn


We use the online flipbook tool Paperturn from the provider Paperturn ApS, Klokkestøbervej 16, 5230 Odense M, Denmark, on our website. Paperturn is a PDF reader that makes it possible to convert PDF pages into an online flipbook. When interacting with Paperturn, personal data is processed to obtain information about how Paperturn is used.


The integration of this flipbook serves to make our website more user-friendly by allowing you, as a visitor to our site, to view brochures and catalogues or other documents and to browse through them interactively. The brochures contain links which, for example, redirect you to offers in our online shop when you click on them.

If you call up a sub-page of our website on which a corresponding online flipbook is integrated by means of an iFrame, your IP address is passed on to Paperturn. This is necessary for the technical integration and display of the flip catalogue as well as for communication between your user device and Paperturn's server. This is also justified interest in the transfer of data. Beyond this, no further data is collected by us.


We have no influence on the further processing of personal data by Paperturn.

Paperturn provides us with anonymous statistics on the frequency of use of the online catalogue on the basis of web server log data. The data comes from the information transmitted by the browser of the online flipbook visitor and includes the following information:


  • the number of views of the online flipbooks integrated with our site
  • the devices you use and the website from which you came
  • the operating systems and browsers you use
  • the number of PDF downloads


We use this data to identify trends and to optimise our flipbooks and products for site visitors and make them more attractive.

Our legitimate interest in using the tool pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR lies in the user-friendly and optimised design of our website.


Paperturn processes this personal data exclusively in the European Economic Area. We have concluded an order data agreement with Paperturn including the current standard contractual clauses. Further information on data protection at Paperturn can be found here: https://www.paperturn.com/de/rechtsportal/datenschutz-richtlinien

10. Competitions


You can enter competitions on our website, for which you will need to enter your personal data. The data is entered into an input mask and then transferred to and stored by us. This data will only be transferred to a third party where we are jointly running the competition with our partners.


Your email address will be collected in connection with your participation in the competition.


The processing of this data is undertaken within the context of the precontractual procedures, which are necessary for the running of the competition. The data is subsequently deleted, provided that it is no longer needed for the fulfilment of a contract or any precontractual procedures.


The legal basis for this processing of your personal data is Article 6(1)(b) of the GDPR.

11. Data subject rights


You have the right:


  • To request the information that we process about you, as per Article 15 of the GDPR. In particular you can request information on: the purposes of the processing; the categories of personal data; the categories of receivers; to whom your data has been or is being disclosed; the planned length of storage; whether you have the right to amend, delete, restrict or withdraw consent for that processing; whether you have a right of appeal; the source of your data, in cases where it was not gathered by us; as well as about the existence of automated decision making, including profiling and where applicable, meaningful, specific information about you;
  • To request the immediate amendment of your inaccurate or incomplete personal data that we store, as per Article 16 of the GDPR;
  • To request the deletion of the data we hold about you, as per Article 17 of the GDPR, insofar as this processing is not required: for the exercise of the right to free expression and information; for the fulfilment of a legal obligation; for reasons of public interest; or for the enforcement, exercise or defence of a legal claim;
  • To request the restriction of this processing of your personal data, as per Article 18 of the GDPR, insofar as: you dispute the accuracy of the data; the processing is unlawful; we no longer need the data but you refuse to allow it to be deleted; you require it for the enforcement, exercise or defence of a legal claim; or you have lodged an objection to the processing, as per Article 21 of the GDPR;
  • To request to receive or transfer to another responsible person the personal data which you have made available to us, in an organised, conventional and machine-readable format, as per Article 20 of the GDPR;
  • To withdraw consent previously granted at any time, as per Article 7(3) of the GDPR. The consequence of withdrawing this consent is that we are no longer permitted to continue processing this data in the future, since it was based upon that consent; and
  • To complain to the regulatory body, as per Article 77 of the GDPR. Normally, you can do this through the regulatory body for your usual place of residence or work, or for our registered office.

12. Data deletion and archiving obligations


The GDPR measures govern the deletion or restriction of the data we process about you. Unless it is explicitly stated in the context of this data protection statement, the data we hold about you is deleted as soon as it is no longer necessary for its intended purpose – in particular, for the fulfilment of our contractual and legal obligations – and there are no retention obligations that legally prevent its deletion. If the data cannot be deleted, because it is still required for other, and legally admissible, purposes, its processing is restricted. That means the data is locked and is not processed for other purposes. This applies to data, for example, that must be stored for commercial law or tax law reasons.


In accordance with legal requirements, routine storage is for 6 years, as per Section 257 para. 1 of the HGB German accounting standards (accounting books, stock taking, opening balance sheets, annual reports, business letters, accounting records, etc.), and 10 years, as per Section 147 para. 1 of the AO tax code (accounts, records, management reports, accounting records, business papers and letters, documents relevant for taxation, etc.).

13. Data security


For visits to our website, we use the popular SSL procedure (Secure Socket Layer) in conjunction with the highest encryption that is supported by your individual browser. Normally, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can see whether an individual page of our online presence is encrypted when it is transferred, as a closed key or padlock symbol is shown in the lower status bar of your browser.


We also make use of appropriate technical and organisational security measures, to protect your data against random or deliberate manipulation, partial or complete data loss, destruction, or unauthorised access by a third party. Our security measures are continually being improved in line with technological developments.

14. Validity and amendments to this data protection statement


This data protection policy is currently valid, as of January 2023.


We may need to amend this data protection statement as our website and offers develop and when legislation and official guidelines change. You can always access and print out our current data protection statement from our website at: https://www.blutsgeschwister.de/de/s/datenschutz


Precedence of the German version

In the event of contradictions between the German and the English version of this declaration, the wording of the German version shall prevail.

