Data Protection Declaration According to the GDPR
I. The name and contact details of the Controller and the appointed Data Protection Officer
This information on data protection applies to data processing by
Lukas Meindl GmbH & Co. KG
Lukas-Meindl-Strasse 5-9, D-83417 Kirchanschöring / Germany
Tel.: +49(0)8685-7709-0, E-mail: [email protected]
Data Protection Officer of Lukas Meindl GmbH & Co. KG
Mr. Dominik Fünkner
Friedrichstrasse 22, 80801 Munich / Germany
Tel.: +49 (0)89-21768841, E-Mail: [email protected]
Court of Registry: Munich Local Court, HRB 237262
Managing Directors: Alexander Ingelheim, Isabelle Hatz, Dominik Fünkner
II. Name and address of the Data Protection Officer
The Data Protection Officer of Lukas Meindl GmbH & Co. KG is at your disposal at the address stated above.
III. General information on data processing
1. Scope of processing of personal data
We generally only process personal data of our users if this is necessary to provide a functional website as well as our contents and services. The processing of personal data of our users routinely only occurs upon the user’s consent. An exception applies in such cases where prior consent cannot be obtained for factual reasons and processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain the data subject’s consent for the processing of personal data, Art. 6 Para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 Para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 Para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 Para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 Para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data erasure and storage period
The data subject’s personal data are erased or made unavailable as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be made unavailable or erased if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
When you visit our website www.meindl.de, information from the browser used on your device is automatically sent to the server of our website. This information is temporarily stored in a so-called log file.
Without any action on your part, the following information is collected or recorded and stored until it is automatically erased:
(a) information about the browser type and version used,
(b) the user’s operating system,
(c) the user’s Internet service provider,
(d) the user’s IP address,
(e) date and time of access,
(f) websites from which the user’s system visits our website,
(g) websites accessed by the user’s system via our website.
The above-mentioned data is processed by us for the following purposes:
(a) to ensure a smooth connection to the website,
(b) to ensure comfortable use of our website,
(c) to evaluate system security and stability; and
(d) for other administrative purposes.
2. Legal basis for data processing
Art. 6 Para. 1 lit. f GDPR constitutes the legal basis for the temporary storage of data and log files.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this, the user’s IP address must remain stored for the period of the session.
To safeguard the website’s functionality, the data are stored in log files.
In addition, the data serve us in the optimisation of the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. If the data are stored in log files, this is the case for seven days at the longest. Further storage is possible. In this case, the users’ IP addresses are erased or alienated, meaning that it is no longer possible to assign the visiting client.
These purposes are also in our legitimate interest in data processing pursuant to Art. 6 Para. 1 lit. f GDPR.
4. Storage period
The data are erased as soon as they are no longer necessary to achieve the purpose for which they were collected. Data collected to make the website available are erased when the respective session has ended.
5. Possibility of objection and elimination
The collection of data to make the website available and the storage of data in log files is absolutely necessary for the website’s operation. Consequently, there is no possibility for the user to object.
a) Description and scope of data processing
In each case, information is stored in the cookie in context with the specifically used terminal device. However, this does not mean that we become directly aware of your identity.
In addition, to optimise user-friendliness, we also use temporary cookies that are stored on your terminal device for a specified period of time. If you visit our site again to use our services, it automatically recognises that you have already been with us and which entries and settings you have made so that you do not have to enter them again.
b) Legal basis for data processing
Art. 6 Para. 1 lit. f GDPR constitutes the legal basis for the processing of personal data using technically necessary cookies.
Art. 6 Para. 1 lit. a GDPR constitutes the legal basis for the processing of personal data using cookies for analytical purposes when the user has consented to this.
c) Purpose of data processing
We need cookies for the following applications:
(1) shopping cart,
(2) accepting language settings,
(3) remembering search terms.
The user data collected by technically necessary cookies are not used to create user profiles.
Analysis cookies are used to improve the quality of our website and its content. By using analysis cookies, we learn how the website is used and can thus continuously optimise our offer.
For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6 Para. 1 lit. f GDPR.
d) Period of storage, possibility of objection and elimination
The transmission of Flash cookies cannot be prevented via the browser settings, but by changing the Flash Player settings.
VI. E-mail contact
1. Description and scope of data processing
You can contact us via the e-mail addresses provided. In this case, the user’s personal data transferred by e-mail are stored.
(a) the user’s IP address
(b) date and time of access
(c) the name of the user
(d) the adress of the user
(e) the user’s E-Mail adress
(f) the user’s phone number
They will not be disclosed to any third parties without your consent. The data are used exclusively for processing the conversation.
2. Legal basis for data processing
Art. 6 Para. 1 lit. a GDPR constitutes the legal basis for processing the data in the event of the user’s consent.
Art. 6 Para. 1 lit. f GDPR constitutes the legal basis for processing any data transferred in the course of sending an e-mail. Art. 6 exp. 1 lit. b GDPR constitutes the additional legal basis for processing data if the aim of the e-mail contact is the conclusion of a contract.
3. Purpose of data processing
The processing of the personal data from the input mask serves us solely for the purpose of establishing contact. In the event of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of data.
Any other personal data processed during the sending process serve to prevent misuse of the contact form and to safeguard the security of our information technology systems.
4. Storage period
The data are erased as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those that were sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.
The additional personal data collected during the sending process are erased at the latest after a period of seven days.
5. Possibility of objection and elimination
The user has the possibility to revoke his/her consent to the processing of personal data at any time. If the user contacts us by e-mail, s/he can object to the storage of his/her personal data at any time. In such cases, the conversation cannot be continued.
In these cases, all personal data stored in the course of contacting us are erased.
VII. Data analysis tools
1. Tracking tools
The tracking measures listed below and used by us are carried out on the basis of Art. 6 Para. 1 lit. f GDPR. With the tracking measures used, we want to safeguard that our website is designed to meet requirements and is continually optimised. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
The respective data processing purposes and data categories can be found in the corresponding tracking tools.
We use Google Analytics ( https://www.google.com/intl/en_uk/analytics/ ) a web analysis service of Google Inc.,
(1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”) for the purpose of designing and continuously optimising our pages according to your needs. In this context, pseudonymised user profiles are created and cookies (see section 4) are used. The cookie generates information about your use of this website, such as
• browser type/version,
• the operating system used,
• referrer URL (the previously visited page),
• host name of the accessing computer (IP address),
• time of the server request
are transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on the website activities and to provide further services associated with the use of the website and the Internet for the purposes of market research and the needs-oriented design of this website. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the company. Under no circumstances is your IP address be merged with other data from Google. The IP addresses are anonymised so that an assignment is not possible (IP masking).
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).
As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie is set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you erase the cookies in this browser, you must set the opt-out cookie again.
For more information on data protection in connection with Google Analytics, please visit the Google Analytics Help Center at https://support.google.com/analytics/answer/6004245?hl=en.
VIII. Social Media Plug-ins
On the basis of Art. 6 Par. 1 p. 1 lit. f GDPR, we use the social plug-ins of the social networks Facebook and Instagram on our website to make our website (company) better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for data protection-compliant operation must be safeguarded by the respective provider.
To personalise the use of our website, we use social plug-ins from Facebook. For this, we use the “LIKE” or “SHARE” button. This is an offer from Facebook.
When you access a page of our website that contains such a plug-in, your browser establishes a direct connection to the Facebook servers. The plug-in’s content is transferred directly from Facebook to your browser and integrated into the website.
By integrating the plug-ins, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook account or are not currently logged on to Facebook. This information (including your IP address) is transferred directly from your browser to a Facebook server in the US and stored there.
If you are logged in to Facebook, Facebook can directly associate your visit to our website using your Facebook account. If you interact with the plug-ins, for example by clicking on the “LIKE” or “SHARE” button, the corresponding information is also transferred directly to a Facebook server and stored there. The information is also published on Facebook and displayed to your Facebook friends.
Facebook may use this information for the purposes of advertising, market research and the needs-oriented design of Facebook pages. For this purpose, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide further information and to provide services related to the use of Facebook.
If you do not want Facebook to associate the information collected through our website with your Facebook account, you must log out of Facebook before visiting our website.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights and setting options for the protection of your privacy, can be found in Facebook’s information on data protection (https://www.facebook.com/about/privacy/).
Our website also uses so-called social plug-ins (“Plug-ins”) from Instagram, which is operated by lnstagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”).
The plug-ins are marked with an Instagram logo, for example in the form of an “Instagram camera”.
When you access a page of our website that contains such a plug-in, your browser establishes a direct connection to Instagram’s servers. Instagram transfers the content of the plug-in directly to your browser and integrates it into the page. This integration informs Instagram that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram.
This information (including your IP address) is transferred directly from your browser to an Instagram server in the US and stored there. If you are logged in to Instagram, Instagram can immediately assign your visit to our website with your Intagram account. If you interact with the plug-ins, for example by clicking on the “Instagram” button, this information is also transferred directly to an Instagram server and stored there.
The information is also published on your Instagram account and displayed to your contacts.
If you do not want Instagram to assign the information collected through our website directly to your Instagram account, you must log out of Instagram before visiting our website.
Further information can be found in Instagram’s data protection declaration (https://help.instagram.com/155833707900388).
IX. Google Maps
This site uses the mapping service Google Maps via an API. Provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
To use the features of Google Maps, it is necessary to save your IP address. This information is usually transmitted to and stored on a Google server in the United States. The provider of this site has no influence on this data transfer.
The use of Google Maps takes place in the interest of a pleasing and technically necessary representation of our dealers as well as identity leather suppliers.
X. Rights of the data subject
Within the meaning of the GDPR, you are data subject if your personal data are processed. You thus have the following rights relating to the controller:
1. Right to information
You can request the controller to confirm whether any personal data relating to you is being processed by us.
If such processing is taking place, you can request the following information from the controller:
(a) the purposes for which the personal data are processed;
(b) the categories of personal data being processed;
(c) the recipients or categories of recipients to whom the personal information concerning you has been or will be disclosed;
(d) the planned period of storage of personal data relating to you or, if specific information is not possible, criteria for determining the storage period;
(e) the existence of a right to rectification or erasure of personal data relating to you, a right to restriction of the processing by the controller or a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) all available information about the data’s origin, if the personal data are not collected from the data subject;
(h) the existence of automated decision-making including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether the personal data relating to you are stored in a third country or an international organisation. In this context, you can ask to be informed about the appropriate safeguards relating to the transfer in accordance with Art. 46 GDPR.
2. Right to rectification
If the personal data processed concerning you are incorrect or incomplete, you have a right to rectification and/or completion vis-à-vis the data controller. The controller shall make the rectification without delay.
3. Right to restriction of processing
Under the following conditions, you may request that the processing of personal data relating to you be restricted:
(a) if you dispute the accuracy of the personal data relating to you for a period of time which may enable the controller to check the personal data’s accuracy;
(b) the processing is unlawful and you reject having your personal data erased and instead demand to restrict the use of personal data;
(c) the controller no longer needs the personal data for the purposes of the processing; you need them, however, to assert, exercise or defend legal claims, or
(d) if you have filed an objection against the processing pursuant to Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data – except for their storage – may only be processed with your consent or for the purpose of asserting, exercising or defending a right or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State. If the processing restriction has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
4.1. Duty to erasure
You may demand that the controller erases the personal data relating to you immediately, i.e. the controller is obliged to erase this data immediately if one of the following reasons applies:
(a) The purposes for which the personal data relating to you were collected or processed in any other way are no longer necessary.
(b) You revoke your consent to the processing pursuant to Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR and there is no other legal basis for processing.
(c) You file an objection against the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you submit your objection to the processing in accordance with Art. 21 Para. 2 GDPR.
(d) The personal data relating to you have been processed unlawfully.
(e) The erasure of personal data relating to you is necessary for the fulfilment of a legal obligation under Union law or the law of the Member States to which the controller is subject.
(f) The personal data relating to you have been collected in relation to services offered by the information society pursuant to Art. 8 Para. 1 GDPR.
4.2. Information to third parties
If the controller has made the personal data relating to you public and is obliged to erase them pursuant to Art. 17 Para. 1 GDPR, taking into account the available technology and the implementation costs, s/he shall take appropriate measures, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the erasure of old links to this personal data or of copies or replications of this personal data.
The right to cancellation does not exist insofar as the processing is necessary
(a) to exercise freedom of expression and information;
(b) to fulfil a legal obligation arising out of the processing under the law of the Union or Member States to which the controller is subject, or for the performance of a task which is in the public interest or is carried out in the exercise of official authority which has been conferred on the controller;
(c) for reasons of public interest in the field of public health pursuant to Art. 9 Para. 2 lit. h and i and Art. 9 Para. 3 GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to under a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
(e) for the assertion, exercise or defence of legal claims.
5. Right to information
If you have exercised your right to have the controller rectify, erase or restrict the processing, s/he is obliged to inform all recipients to whom the personal data relating to you have been disclosed of this rectification or erasure of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of any such recipients by the controller.
6. Right to data portability
You have the right to receive the personal data relating to you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another controller without obstruction by the controller to whom the personal data was provided, as long as
(a) consent was given to the processing pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or is based on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and
(b) processing is carried out by means of automated procedures.
In exercising this right, you also have the right to request that the personal data relating to you be transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
7. Right of objection
For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data relating to you according to Article 6 Para. 1 lit. e or lit. f of the DSBER; this also applies to profiling based on these provisions.
The controller no longer processes the personal data relating to you, unless s/he can prove compelling reasons for the processing worthy of defence which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, meaning the personal data relating to you will no longer be processed for these purposes.
You have the possibility to exercise your right of objection in connection with the use of services by the information society by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
If you would like to make use of your right of revocation or objection, simply send an e-mail to [email protected].
8. Right to revoke the consent to the data protection declaration
You have the right to revoke your consent to the data protection declaration at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
9. Automated decision in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
(a) is necessary for the conclusion or performance of a contract between you and the controller,
(b) is admissible by virtue of Union or Member State legislation to which the controller is subject, and that this legislation takes appropriate measures to protect your rights and freedoms and your legitimate interests, or
(c) occurs with your express consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 Para. 1 GDPR unless Art. 9 Para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
With regard to the cases referred to in (a) and (c), the controller shall take reasonable measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to state his/her own position and to challenge the decision.
10. Right of appeal to a supervisory authority
If you believe that the processing of personal data relating to you is in breach of the GDPR, you have the right of appeal to a supervisory authority, in particular in the Member State where you are staying, working or the place of a suspected violation without prejudice to any other administrative or judicial remedy.
In accordance with Art. 78 GDPR, the supervisory authority to which the complaint has been lodged shall inform the complainant of the complaint’s state and outcome, including the possibility of a judicial remedy.
11. Data security
During the website visit, we use the widespread SSL (Secure Socket Layer) method, the connection with the highest encryption level supported by your browser. Usually, this is 256-bit encryption. If your browser does not support 256-bit encryption, we instead use 128-bit v3 technology. You can see if a single page of our website is transferred in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
12. Up-to-dateness and amendment of this data protection declaration
This data protection declaration is currently valid and was compiled in May 2018.
Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to amend this data protection declaration. You can call up the current declaration on data protection at any time on our website https://www.meindl.de/privacy-policy/?lang=en .