Below we give you an overview of data processing on our Retail Portal, as well as all other services we offer. We would like to give you a transparent insight into how we manage your personal data.
1 Name and Address of Responsible Persons
As we continually develop our website and implement new technologies to improve our service to you, we may need to make changes to this privacy statement. Therefore, we encourage you to review this privacy statement from time to time.
The person responsible within the scope of the fundamental data protection regulation, other national data protection laws of the member states as well as other provisions of data protection law is the data protection authority:
Vor dem Bardowicker Tore 49
Telephone Number: +49 4131 220 95 0
E-Mail Address: firstname.lastname@example.org
Telephone Number: +49 4131 220 95 77
E-Mail Address: email@example.com
2 Your Information at Vonmählen
2.1 What Information Does Vonmählen Use?
Vonmählen offers you various services and possibilities to get in contact with us through our website. Depending on which channel you choose, i.e. through our online shop, our Retail Portal, by telephone or e-mail, we will receive data from you through these various sources. In addition to the information you provide yourself, technical device and access data can also be read, which we automatically record when you access our site. If the processing of personal data is necessary and there is no legal basis for such processing, we will always obtain your consent.
If we obtain the consent of the person concerned for the processing of personal data, Art. 6 Para. 1 lit. a EU Data Protection Basic Regulation (GDPR) is used as the legal basis.
However, we process personal information of our users only to the extent necessary to provide a functioning website with our content and services. The processing of personal data of our users takes place regularly only with their consent.
Exceptions apply in cases where prior consent cannot be acquired for factual reasons and the processing of the data is authorized by law.
It is important to us to protect your personal data that has been entrusted to us from unintentional use or unauthorized disclosure.
“Personal Information” means any personal information that relates to all information that can identify you or any other person. For example, this includes your name, date of birth, your (e-mail) address, IP address or your order number.
2.1.1 Personal Data
Your personal data is profile or log-in data, which is demographic information about you or your company. This includes the name of your company, your company’s adress, your company headquarters, your first and last name, your title, contact details, your age and place of residence.
If you contact us via the enquiry form, by e-mail or by telephone, we will record your contact data. Depending on how you contact us, the data collected may include the company name, your first and last name, postal address, telephone number or e-mail address. We also record the content of your message and, if necessary, forward it internally to the responsible department.
The data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. It will not be forwarded to third parties.
The processing of personal data required for the fulfillment of a contract to which you are a contracting party as the person concerned is governed by Art. 6 Para. 1 lit. b GDPR. The same also applies to processing data that is necessary to carry out pre-contractual activities.
If the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal framework.
When you place a sample order in the Retail Portal, we record the related purchasing data, such as the order number, your shopping cart, your chosen payment method and the various statuses of your order.
When you make a payment, however, we only collect the payment details you have provided us with – processing is done through external service providers – receiving information from external payment service providers that is necessary for the execution of the payment and passing on your payment details to the bank commissioned to process the payment, e.g. for PayPal the PayPal ID, however, we do not store any payment details ourselves, except for your preferred method of payment.
2.1.2 Device and Access Data
The use of online and mobile services generates technical data which we process and use. This data includes the following points:
- General device information, such as device type, operating system version, IP address and operating system used by your device, configuration settings, browser type, date and time of access to each page of our Retail Portal.
- When you interact with our services, we also receive data that we can analyze to determine what content you are interested in. On this basis we can optimize our Retail Portal. This data are not stored together with other personal data of the user. The data will be deleted after a maximum of 14 days.
The legal framework for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
2.2 What Does Vonmählen Use your Data for?
Vonmählen processes your data in compliance with all legal regulations.
The purpose of the data processing is within the scope of the contract agreed with you (including our general terms and conditions) or the service requested by you. This includes, for example, the availability of our services, the execution of sales contracts or customer service and the execution of promotions and competitions.
In addition, the temporary storage of the IP address by the system is necessary to enable delivery of the website to your PC. To do this, your IP address must remain stored for the duration of the session.
These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR.
If we make use of the services of third parties for the implementation and execution of processing, the provisions of the Federal Data Protection Act and the GDPR are observed:
2.3 Where does Vonmählen store your data?
Some of the servers used for hosting services are located in the data centers in Frankfurt. Space in the data center have been rented by Digital Ocean LLC, New York. Digital Ocean operates a cloud platform for virtual servers there, which we use as our hosting platform. In addition, DigitalOcean is subject to the EU-US Privacy Shield Agreement. Further information can be found at: https://www.digitalocean.com/legal/gdpr-faq/.
We use Amazon Web Services’ “S3”, “Cloudfront” and “Lambda” services for hosting and distributing website content. Amazon Web Services Inc, 410 Terry Avenue North, Seattle WA 98109, USA, (“AWS”) is a cloud computing provider. AWS hosts the images on our website for us. When you click on an image on our website, AWS can track the IP addresses of your device.
The Hosting takes place exclusively at the AWS computer centre in Frankfurt a.M. AWS is also Privacy Shield certified and thus guarantees that personal data outside the European Economic Area is also processed in accordance with European data protection laws.
The inclusion of AWS is based on our justified interests in the secure and efficient operation and optimization of our website and our Retail Portal pursuant to Art. 6 Para. 1 lit. f. GDPR in conjunction with Art. 28 GDPR (order processing).
We also use functions from CloudFlare Inc. 665 3rd St. #200, San Francisco, CA 94107, USA. CloudFlare offers a worldwide distributed content delivery network with DNS. Technically, the information transfer between your browser and our website is routed through the CloudFlare network. CloudFlare is thus able to analyze the data traffic between users and our website, for example to detect and fend off attacks on our services. In addition, CloudFlare may store cookies on your computer for optimization and analysis purposes. This serves to safeguard our interest in an optimal marketing of our services in accordance with article 6 Para. 1 S. 1 lit. f GDPR.
Cloudflare collects statistical data about the visit of this website. The access data includes: Name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider. Cloudflare uses the log data for statistical evaluations for the purpose of operation, security and optimization of the offer.
2.4 When does Vonmählen delete your data?
We will only store your personal data for as long as is necessary for the purposes stated in this data protection declaration. This is done primarily to fulfill our contractual and legal obligations, but also for other purposes if necessary, such as when the law allows us to further store for certain purposes. In the case of collecting data for the provision of the website, this is the case when your respective session has ended. To the extent that commercial and tax retention periods have to be observed, the duration of the storage of certain data can be up to 10 years.
Your data, in particular your IP address, will not be stored in log files. If you deactivate your customer account with us, we will delete any of your stored data, or if it is not possible or not necessary to completely delete your data for legal reasons, the relevant data will be prevented from being processed further.
The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary for further storage of the data for the conclusion or performance of a contract.
It is imperative to collect and save data in order to operate the website. Therefore, there can be no objection to this processing.
We set up password-protected personal access for users who register for a customer account. If you do not log out again after logging in with your login data, you will usually remain logged in automatically until you close your browser. We use a so-called “session cookie” for this purpose. This function allows you to use your customer account for the entire duration of your session without having to log in again each time.
3.1 Scope of Data Processing
You will be given the option in our Retail Portal to register by providing personal data. This data is entered into an entry form and transmitted to us and stored. During the registration process, the following data will be collected:
- Company Name
- First name and last name
- Email address
- phone number
- job title
At the time of registration, the date and time of registration are also stored. As part of the registration process, your consent to the process this data will be requested.
If you have given your consent, the legal basis for processing the data is Art. 6 Para. 1 lit. a GDPR.
3.2 Purpose of Data Processing
Registering or providing data on your part is necessary to fulfill a contract, as we require information because regarding your billing or delivery address. In addition, your e-mail address is necessary for sending the order confirmation and the delivery confirmation.
3.3 Duration of Storage, Revocation and Deletion
Data will be deleted as soon as they are no longer required for the purpose for which they were collected.
During the registration process, data is used to fulfil a contract or to carry out pre-contractual measures if the data is no longer required for the performance of the contract. Even after the contract has been concluded, it may be necessary to store your personal data in order to comply with contractual or legal obligations.
As a user you have the right to cancel the user registration at any time. The data stored about you can be changed or deleted at any time in our Retail Portal under your profile.
4.1 Scope of Data Processing
You can subscribe to a free newsletter on our website. When you subscribe to the newsletter, your e-mail will be sent to us from the entry form.
In addition, the date and time will be collected when you register.
If you purchase products on our website and enter your e-mail address, this may subsequently be used by us to send you a newsletter. Should this be the case, the newsletter will only be used to promote our own products.
Your Data will be passed on to Mailchimp in connection with data processing for the purpose of sending newsletters. The data will be used exclusively for the mailing of the newsletter.
The legal basis for the processing of your data after registration for the newsletter is Art. 6 Para. 1 lit. a GDPR. The legal basis for sending of the newsletter as a result of the sale of goods or services is § 7 Abs. 3 UWG.
4.2 Purpose of Data Processing
The collection of your e-mail address is used to send the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.
Our newsletters also contain so-called tracking pixels. A pixel-code is a miniature graphic embedded in emails sent in HTML format in order to enable log file recording and analysis. This allows us to evaluate the success of our online marketing campaigns.
The embedded pixel-code tells us if and when you opened an email and which links in the email you viewed. Such personal data collected via the tracking pixels contained in the newsletters will be stored and evaluated by the person responsible for the analyzing data to improve the performance of the newsletter and to adapt the content of future newsletters to better fit your interests.
This personal data will not be passed on to third parties.
4.3 How do I log in?
We use the so-called double opt-in procedure when you register for the Vonmählen newsletter, i.e. we activate this service for you only after your express consent and confirm your e-mail address..
To do this, you will receive a notification email from us asking you to click on a link in that email to confirm that you are the owner of the email address provided. We will not take this step if you have already confirmed to us for another purpose that you are the owner of this e-mail address.
4.4 Mailing of the newsletter by Mailchimp
Our newsletter is sent by “Mailchimp”, the mail service provider of the US Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email addresses of our newsletter recipients, as well as the other data described in this notice, are stored on Mailchimp’s servers in the United States. Mailchimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, according to its own information, Mailchimp may use this data to optimize or improve its own services, e.g. for the technical optimization of the sending and viewing of the newsletter or for economic purposes in order to determine from which countries the recipients come. However, Mailchimp does not use the data of our newsletter recipients to contact them or pass them on to third parties.
4.5 Duration of Storage, Revocation and Deletion
If you do not want to receive our newsletter later, you can unsubscribe at any time. For this purpose you will find a link in each newsletter with the purpose to unsubscribe from the double opt-in procedure. Unsubscribing from the newsletter will automatically be considered as a revocation.
This also enables the revocation to the consent of the storage of personal data collected during the registration process.
Your data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected. Your email address will be stored as long as the newsletter subscription is active.
All other personal information collected as part of the registration process will be deleted after a maximum period of seven days.
5 Contact Forms and Email Contact
5.1 Scope of Data Processing
There is a contact form on our website which you can use to contact us electronically. If you make use of this possibility, the data entered in the entry form will be transmitted to us and stored. This includes:
- Company Name
- First name and last name
- Email address
- Phone number
- Your contact message
At the time of sending your message, the date and time are also stored by us.
Your consent will be requested when processing data during the submission process and reference will be made to this data protection declaration.
Alternatively, you can contact us by using the e-mail address provided. If you do so, the personal data transmitted with the email will be stored by you.
The data will not be passed on to third parties in this context. The data will only be used for the processing of the conversation.
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given his consent.
Art. 6 para. 1 lit. f GDPR is the legal basis for the processing of data transmitted in the course of sending an e-mail. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
5.2 Purpose of Data Processing
The processing of the personal data from the entry form serves us solely to facilitate contact. If you contact us by e-mail, this is also the necessary legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
5.3 Duration of Storage, Revocation and Deletion
The data will be deleted as soon as they are no longer necessary to achieve their intended purpose. The personal data from the entry form of the contact form and those sent by e-mail are deleted when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the relevant facts have been conclusively clarified. If the conversation is a relevant matter for conducting business, the storage period of 6 years specified by law applies.
The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
It is possible to revoke your consent to processing your personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, communication cannot be continued.
In this case, all personal data stored in the course of establishing contact will be deleted.
6 Your Rights
If personal data is processed by you, you are the data subject within the meaning of the GDPR and you are entitled to the following rights in respect of Vonmählen GmbH:
6.1 Right to Information
You may request confirmation from the person responsible as to whether personal data concerning you will be processed by us.
In the event of similar use, you can ask the person responsible for the following information:
(1) Purposes for which the personal data are processed;
(2) The categories of personal data that will be processed;
(3) The recipients or categories of recipients to whom the personal information about you has been or will be disclosed to; and
(4) The planned duration of the storage of personal data concerning you or, if it is not possible to provide specific information in this regard, relevant information to determine the storage period;
(5) There is a right to correct or delete personal data concerning you, a right to limit the processing carried out by the responsible person or a right to object to such processing;
(6) The right to challenge decisions to a regulatory authority.
You have the right to request information as to whether the personal data concerning you will be disclosed to a third country or to an international organisation. Furthermore, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
6.2 Right to Amendment
You have the right to have your personal data corrected and/or completed by the responsible person if it is incorrect or incomplete. The person in charge must carry out the amendment immediately.
6.3 Right to limitation of processing
Under the following conditions, you may request that the processing of your personal data be restricted:
(1) If you dispute the accuracy of the personal data concerning you for a period of time that allows the responsible person to verify the accuracy of the personal data;
(2) The processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of the use of the personal data;
(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims,
(4) If you have filed an appeal against the processing in accordance with Art. 21 para. 1 GDPR and it has not yet been confirmed whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may be processed only with your consent or for the purpose of asserting, exercising or defending a right or protecting the rights of another individual or legal entity or for reasons of an important public interest of the Union or of a Member State, with the exception of their storage.
If the limitation of the processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is withdrawn.
6.4 The Right to Delete
6.4.1 Obligation to Delete
You may request the data controller to delete the personal data concerning you immediately and the data controller is obliged to delete this data immediately if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or processed in any other way.
(2) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) It is necessary to delete personal data concerning you in order to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
(6) The personal data relating to you has been collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.
6.4.2 Information to Third Parties
If the person responsible has made the personal data concerning you public and is obliged to delete them pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform the persons responsible for data processing who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.
This right to delete does not exist if the processing is necessary.
(1) to exercise freedom of expression and information;
(2) to fulfil a legal obligation required by the law of the Union or of the Member States to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for public interest reasons in the field of public health according to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR, as far as the law mentioned under section a) probably makes the realisation of the objectives of this processing impossible or seriously impairs it, or
(5) to assert, exercise or defend legal claims.
6.5 Right to Information
If you have exercised the right to correct, cancel or limit the processing, the data controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction, cancellation or limitation of the processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of such recipients by the person responsible.
6.6 Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to communicate this data to another data controller without being hindered by the controller to whom the personal data was provided, provided that
(1) such processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and
(2) processing is carried out using automated procedures.
In exercising this right, you also have the right to request that the personal data concerning you be transmitted directly by one responsible person to another responsible person, as far as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data transfer does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6.7 Right of Objection
You have the right to object at any time to the processing of personal data concerning you in accordance with Art. 6 para. 1 lit. e or f GDPR for reasons arising from their specific situation.
The controller will no longer process the personal data concerning you unless he can prove compelling reasons for processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed in order to conduct direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising, insofar as it is connected with such direct advertising.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility to exercise your right of withdrawal in connection with the use of Information Society services – regardless of the regulation 2002/58/EC – through automated procedures using technical specifications.
6.8 Right to Revoke Consent from the Data Protection Declaration
You have the right to revoke your data protection consent at any time. The revocation of your consent does not affect the legality of the processing that took place on the basis of your consent until you revoke your consent.
6.9 Automated decision in individual cases
you have the right not to be subject to a decision based solely on automated processing which creates legal effects for you or significantly affects you in a similar manner. This does not apply if the decision:
(1) is necessary to conclude or fulfil a contract between you and the person responsible,
(2) is authorized by the laws of the Union or of the Member States to which the person responsible is subject and those laws contain adequate measures to safeguard your rights and freedoms and your legitimate interests, or
(3) with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
In the cases referred to in (1) and (3), the person responsible shall take reasonable steps to protect the rights and freedoms and your rightful interests, including but not limited to the right of the person responsible to intervene, to present his or her point of view, and to challenge the decision.
6.10 Right to Complain to a Regulatory Authority
Irrespective of any other administrative or judicial remedy, you have the right to complain to the Data Protection Officer of the State of Lower Saxony, in particular in the Member State of your residence, workplace or presumed place of infringement, if you consider that the processing of your personal information is contrary to the GDPR. You can find the complaint form here: https://www.navo.niedersachsen.de/navo2/portal/csend/8915/fileget/dsbeschwerdeformular.html
The regulatory authority to which the complaint was submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
We employ cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. Among other things, the cookies store and transmit items in your shopping cart or your log-in information.
The data collected in this way is pseudonymized with technical measures. That is why it is no longer possible to assign your data to you. The data will not be stored in the same place as other personal data.
You can prevent cookies from being saved by adjusting your browser software accordingly: In addition, you can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and Google from processing this data by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
You can find further information on the processing of this data at: Google Analytics..
The legal basis for this processing of your personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR. For the processing of your personal data using cookies for analytical purposes, Art. 6 para. 1 lit. a GDPR.
7.1 Purpose of Data Processing
We use analysis cookies to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can, thus, constantly, optimize our services. Our legitimate interest in the processing of personal data pursuant to Art. 6 Para. 1 lit. f GDPR also lies in these purposes.
7.2 Duration of Storage, Objection and Removal
8 Analysis and Personalisation
Our website uses the website analysis service “Matomo” (formerly “Piwik”). The provider is InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. Matomo stores cookies on your terminal device that enable an analysis of your use (time spent on our website, frequency, etc.) of our website. The information collected in this way is stored exclusively on our server. The IP addresses are only processed in abbreviated form, making it impossible to relate them to a specific person. The IP address transmitted by your browser via Matomo is not merged with other data collected by us.
The legal basis for the website analysis by Matomo is our legitimate interest in the user-friendly design of our retail portal pursuant to Art. 6 (1) p. 1 lit. f GDPR.
Further information on data protection can be found at: https://matomo.org/privacy /
8.2 Google Tag Manager
In addition, we use the “Google Tag Manager” on our website, a service of Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as “Google”).
Google Tag Manager allows us as marketers to manage website tags through one interface. The tool itself, which implements the tags, is a cookie-less domain and does not itself collect any personal data. Google Tag Manager takes care of triggering other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
We use Google Tag Manager based on our legitimate interest in optimizing our online marketing pursuant to Art. 6 para. 1 lit. f. GDPR.
Further information and the applicable data protection provisions of Google can be found at https://policies.google.com/privacy.