Privacy Notice of Hechler & Nickel Fashion GmbH

1.         Name and address of the controller

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:

Hechler & Nickel Fashion GmbH
Wilhelminenstr. 7b
Am alten Landtag

64283 Darmstadt
Phone (Backoffice): 06151 - 6017746
Website:  www.hechler-nickel.com
E-mail: shop@hechler-nickel.de

 

2.         Data Protection Officer

According to the current legal situation, we are not obliged to appoint a data protection officer in accordance with Art. 37 GDPR in conjunction with Sec. 38 (1) BDSG. 

For questions regarding this privacy notice or for data protection matters, please contact:  

shop@hechler-nickel.de

3.         Definitions

The privacy notice of Hechler & Nickel Fashion GmbH is based on the terms defined in the General Data Protection Regulation (GDPR). Our privacy notice should be easy to read and understand. To ensure this, we explain the terms used in advance:

3.1       Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2       Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

3.3       Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.4       Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

3.5       Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

3.6       Pseudonymization

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

3.7       Controller or controller responsible for the processing

Controller or controller responsible for the processing means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

3.8       Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.9       Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. 

3.10    Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3.11    Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4.         General information on data processing

Data protection, data security and the protection of secrets are a high priority for Hechler & Nickel Fashion GmbH (hereinafter also referred to as "Hechler & Nickel", "we" or "us"). The permanent protection of your personal data, your company data and your trade secrets is particularly important to us.

You can generally visit our website without providing any personal information. However, if you use our company's services via our website, this requires the provision of your personal data. As a rule, we use the data you provide, the data collected by the website and the data stored during use exclusively for our own purposes, namely for the implementation and provision of our website and the initiation, execution and processing of the services/offers offered via the website (performance of a contract), and do not pass this on to outside third parties, unless there is a statutorily ordered obligation to do so. In all other cases, we will obtain your separate consent.

The processing of your personal data is carried out in accordance with the requirements of the General Data Protection Regulation and in compliance with the national or country-specific data protection regulations applicable to Hechler & Nickel. By means of this privacy notice, we would like to inform you about the nature, scope and purpose of the personal data processed by us. Furthermore, we use this privacy notice to inform you of your rights.

Hechler & Nickel has implemented technical and organizational measures to ensure adequate protection of the personal data processed through this website. Nevertheless, internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed.

5.         Collection of general data and information when visiting the website

The website of Hechler & Nickel accessible at https://www.hechler-nickel.com/ (together with its subpages and the webshop available there, hereinafter referred to as the "website") collects a series of general data and information with every access to the website by a data subject or an automated system. This general data and information are stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information used to avert danger in the event of attacks on our information technology systems.

When using these general data and information, Hechler & Nickel does not draw any conclusions about the data subject. Rather, this information is needed to

(1) deliver the content of our website correctly,

(2) optimize the content of our website as well as its advertising,

(3) ensure the long-term functionality of our information technology systems and the technology of our website, as well as

(4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack.

Therefore, these collected data and information are analyzed by Hechler & Nickel statistically and with the aim of increasing data protection and data security in our company, to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

 

Date/Data: General system data in accordance with section 5

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest)

Storage purpose: The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

Storage duration: The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In the case of storage of the data in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or anonymized, so that an assignment of the calling client is no longer possible.

Objection / Possibility of removal: No, as it is strictly necessary for the operation of the website.

 

6.         Registration on the website

You have the option to register on our website by providing personal data. Which personal data are transmitted to the controller is determined by the respective input mask used for the registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller and for its own purposes. We may arrange for the data to be transferred to one or more processors, for example a payment service provider and parcel service provider, who likewise use the personal data exclusively for internal purposes attributable to fulfilling their order from us.

When you register on our website, we also store the IP address assigned by your Internet Service Provider (ISP), the date, and the time of your registration. Storing these data enables us to investigate criminal offenses and copyright infringements if necessary. In this respect, the storage of these data is required for our protection and is in our legitimate interest within the meaning of Art. 6 (1) lit. f) GDPR. These data are not passed on to third parties as a matter of principle, unless there is a statutory obligation to pass on the data, or if the transfer serves the aim of criminal or legal prosecution.

Furthermore, the personal data voluntarily provided by you during your registration serve us to offer you content or services that, due to the nature of the matter, can only be offered to registered users. 

If a user makes use of the option to register on our site, the following data are transmitted to us and stored:

·       Title*

·       First and last name*

·       Password*

·       Address*

*Mandatory fields

Date/Data: Registration data in accordance with section 6

Legal basis: Art. 6 (1) lit. a GDPR (consent)

Storage purpose: The processing and storage of the data transmitted during the registration process is necessary to ensure the functionality and use of the user account by the user.

Storage duration: For the data collected during the registration process to fulfill a contract or to carry out pre-contractual measures, this is the case when the data are no longer required for the implementation of the contract. Furthermore, the data are deleted as soon as the user's consent has been revoked or we are obliged to delete the data due to statutory or legal orders. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.

Objection / Possibility of removal: As a user, you have the option to cancel the registration at any time. You can have the data stored about you changed at any time. If the data are necessary to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not preclude deletion.

 

7.         Contact form and e-mail contact

A contact form is available on our website, which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

·      Title (selection)

·      First name

·      Last name

·      E-mail address

·      Phone number

·      Subject

·      Comment

 

At the time the message is sent, the following data is also stored:

 

·      The IP address of the user

·      Date and time of sending

Alternatively, contact is possible via the provided e-mail address (shop@hechler-nickel.de). In this case, the user's personal data transmitted with the e-mail will be stored. 

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation and deleted as soon as it is no longer required.

Date/Data: Data from contact form and e-mail contact in accordance with section 7.

Legal basis: The legal basis for the processing of data in the case of inquiries via the contact form and/or e-mail is generally Art. 6 (1) lit. b GDPR (performance of a contract; pre-contractual measures); Art. 6 (1) lit. c GDPR (compliance with a legal obligation, e.g., answering questions regarding data protection) and otherwise Art. 6 (1) lit. f GDPR (legitimate interest).

Storage purpose: The processing of personal data from the input mask/e-mail serves us solely to process the contact. This also constitutes the required legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Storage duration: The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. The above does not apply if the correspondence is subject to a commercial retention obligation. In this case, the retention periods are based on the legal regulations. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Objection / Possibility of removal: The user has the possibility to object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

 

 

8.         Revocation form

A revocation form is available on our website, which can be used for the electronic transmission of revocation declarations in accordance with German consumer law. Here, consumers (Sec. 13 BGB) have the option to transmit a revocation declaration to us relating to a distance contract concluded with us via the webshop on the website. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

·      First name

·      Last name

·      E-mail address

·      Order number

·      Description (optional)

 

At the time the message is sent, the following data is also stored:

 

·      The IP address of the user

·      Date and time of sending

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the revocation declaration and deleted as soon as it is no longer required.

Date/Data: Data from the revocation form in accordance with section 8

Legal basis: The legal basis for the processing of the data transmitted via the revocation form is generally Art. 6 (1) lit. b GDPR (performance of a contract; pre-contractual measures); Art. 6 (1) lit. c GDPR (compliance with a legal obligation, e.g., the obligation to provide a revocation form for distance contracts concluded via an online interface).

Storage purpose: The processing of personal data from the input mask serves us solely to process the revocation declaration and any associated reversal of the contract. The other personal data processed during the sending process serve to prevent misuse of the revocation form and to ensure the security of our information technology systems.

Storage duration: The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the revocation form, this is the case when the respective revocation declaration has been processed and the subsequent reversal of the contract (refund, return of the goods), if applicable, has been completed. The above does not apply if the correspondence is subject to a commercial retention obligation. In this case, the retention periods are based on the legal regulations. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Objection / Possibility of removal: The user has the possibility to object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

 

 

 

9.         Use of our webshop

If you would like to order in our webshop, it is necessary for the conclusion of the contract that you provide your personal data, which we need to process your order. Mandatory fields necessary for the processing of contracts are marked separately; further information is voluntary. We process the data you provide to handle your order. For this purpose, we can pass on your payment details to our bank.

You can voluntarily create a user account in which we can store your data for future purchases. When you create an account under "My Account", the data you provide is revocably stored. All data, including your user account, can be deleted at any time in the customer area.

With your consent, we can also process the data you provide to inform you about other interesting products from our portfolio or to send you e-mails with technical information.

If a user uses the option to place an order via our webshop, the following data will be processed:

·       Title*

·       First and last name*

·       E-mail address*

·       Delivery data (street, house number, zip code, city, country)*

·       Transaction data (account number, bank code, IBAN)*

*Mandatory fields

Date/Data: Data from the use of the webshop in accordance with section 9

Legal basis: The legal basis for the processing of the data is generally Art. 6 (1) lit. b GDPR (performance of a contract; pre-contractual measures).

Storage purpose: The purpose of storing the data is the processing and fulfillment of a contract.

Storage duration: For the data collected during the use of the webshop to fulfill a contract or to carry out pre-contractual measures, this is the case when the data are no longer required for the implementation of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.

Objection / Possibility of removal: As a user, you have the option to cancel the registration at any time. You can have the data stored about you changed at any time. If the data are necessary to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not preclude deletion.

 

10.      Newsletter; Advertising

To receive the newsletter offered on our website, you can sign up via our form. We use the so-called double opt-in procedure for this. 

First, a confirmation e-mail will be sent to the e-mail address you provided, asking for confirmation. The registration only becomes effective when you click on the activation link contained in the confirmation e-mail. We use the data transmitted to us exclusively for the dispatch of the newsletter, which may contain information or offers. We use the "rapidmail" service of Positive Group Deutschland GmbH, Ingeborg-Krummer-Schroth-Straße 18a, 79106 Freiburg im Breisgau ("Positive Group") to send our newsletter. Your data will therefore be transmitted to Positive Group. Positive Group is prohibited from using your data for any purposes other than sending the newsletter. Positive Group is not permitted to pass on or sell your data. Positive Group is a German, certified newsletter software provider that was carefully selected according to the requirements of the GDPR and the BDSG. You can revoke your consent to the storage of the data and its use for sending the newsletter at any time, e.g., via the unsubscribe link in the newsletter.

 

10.1        Newsletter

The newsletter is dispatched based on your registration on the website via the double opt-in procedure. During registration for the newsletter, the following data from the input mask are transmitted to us:

·      E-mail address (mandatory field)

 

In addition, users can voluntarily provide further information when registering for the newsletter:

·      First name

·      Last name

Furthermore, the following data are collected upon registration:

·      IP address of the accessing computer

·      Date and time of registration

For the processing of data, your consent is obtained by way of double opt-in during the registration process and reference is made to this privacy policy.

* Mandatory fields

Date/Data: Newsletter data according to Section 10.1

Legal basis: The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 (1) lit. a GDPR (consent) if the user's consent has been given.

Storage purpose: The collection of the user's e-mail address serves to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the e-mail address used.

Storage duration: The data is deleted as soon as it is no longer necessary to achieve the purpose of its collection. The user's e-mail address is therefore stored for as long as the subscription to the newsletter is active. The other personal data collected during the registration process is usually deleted after a period of seven days.

Objection / Removal option: The subscription to the newsletter can be cancelled by the affected user at any time. For this purpose, a corresponding deactivation link can be found in each newsletter. The cancellation of the subscription also constitutes a revocation of consent to the storage of the personal data collected during the registration process.

 

10.2         Advertising

Furthermore, if you are an existing customer or have given us corresponding consent, we reserve the right to store your first and last name, your postal address and - provided we have received this additional information from you within the framework of the contractual relationship - your title, academic degree, your year of birth and your professional, industry or business designation and to use them for our own advertising purposes, e.g. for sending similar, interesting offers by letter mail or, if you provide your e-mail address, also by e-mail.

Date/Data: Advertising mailings

Legal basis: The legal basis for advertising mailings according to Section 10.2 is Art. 6 (1) lit. a GDPR (consent) if the user's consent has been given, and otherwise Art. 6 (1) lit. f GDPR (legitimate interest) and, if applicable, Sec. 7 (3) UWG.

Storage purpose: The purpose of the collection is, in addition to the fulfillment of the contract, to send the customer targeted advertising (corresponding to their interests).

Storage duration: The data will be deleted at the latest 6 years after the last booking or (if a retention obligation persists) blocked for advertising purposes.

Objection / Removal option: Right of objection according to Section 17.7

 

10.3        No disclosure

In connection with the data processing for the dispatch of newsletters and advertising mailings, no data is passed on to third parties. The data is used exclusively for the dispatch of the newsletter.

10.4        Right of objection and revocation

We expressly point out your right of revocation (newsletter) and right of objection (advertising mailing) according to Sections 17.7 and 17.8. 

11.      Data protection for applications and in the application process

We collect and process personal data of applicants for the purpose of handling the application process. The processing can also be carried out electronically. This is particularly the case if an applicant submits corresponding application documents to us electronically, for example by e-mail. If we conclude an employment contract with you as an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of the controller oppose deletion. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Date/Data: Data for applications and in the application process according to Section 11

Legal basis: The legal basis for the processing of data in the case of inquiries via the contact form and/or e-mail is generally Art. 6 (1) lit. b GDPR (fulfillment of employment contract; pre-contractual employment measures); Art. 6 (1) lit. c GDPR (fulfillment of a legal obligation, e.g. answering questions about the application process) and otherwise Art. 6 (1) lit. f GDPR (legitimate interest) as well as special statutory authorization standards, such as collective agreement, works agreement, Income Tax Act, etc. Supplementary reference is made to the record of processing activities for Personnel/HR.

Storage purpose: If we conclude an employment contract with you as an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with statutory provisions.

Storage duration: If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of the controller oppose deletion. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Objection / Removal option: The user has the option to object to the processing of their personal data at any time. In this case, the application process can no longer be continued.

 

12.         Cookies and similar technologies

 

12.1     General

Our website uses cookies and similar technologies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If a user accesses a website, a cookie may be stored on the user's device. This cookie contains a characteristic string of characters that enables a unique identification of the browser when the website is accessed again. Similar technologies do not necessarily set cookies, but equally enable the tracking and analysis of user behavior.

We use cookies to make our website displayable and more user-friendly for the user. Some elements of our website require that the calling browser can be identified even after a page change. Such technically necessary cookies are essential for the proper functioning of the website and are set on your device independently of your consent when accessing the website ("technically necessary cookies").

Technically necessary cookies are set by the services of our web infrastructure provider shopware AG, Ebbinghoff 10, 48624 Schöppingen, Germany ("Shopware") and personal data collected in this context is also forwarded to Shopware. Further information on this can be found in the privacy policy of Shopware at https://www.shopware.com/de/datenschutz/website/.

The following data and information are stored and transmitted in the technically necessary cookies:

·      Language settings

·      Items in a shopping cart

·      Log-in information

·      Device information (desktop, mobile)

·      Payment and PayPal account information when paying with PayPal

Furthermore, we use cookies on our website that enable an analysis of the surfing behavior of the users ("statistics cookies"). 

In this way, the following data and information can be transmitted:

·      Entered search terms

·      Frequency of page views

·      Use of website functions

·      Time of the page view

·      Shopping cart size

·      Visited pages in the shop

·      Purchase and shopping cart abandonments

Furthermore, we use cookies to provide you with a comfortable user experience on the website ("comfort cookies").

In this way, the following data and information can be transmitted:

·      Entered search terms

·      Frequency of page views

·      Use of website functions

·      Time of the page view

·      Shopping cart size

·      Visited pages in the shop

·      Purchase and shopping cart abandonments

The user data collected in this way is pseudonymized by technical precautions. The data is not stored together with other personal data of the users.

When accessing our website, users are informed by an info banner ("cookie banner") about the use of technically necessary cookies, statistics cookies and comfort cookies, are referred to this privacy policy, and can accept or reject individual statistics and comfort cookies in the cookie banner.

We use technically necessary cookies and similar technologies on the basis of our legitimate interest in the proper and secure operation and the proper presentation of our website or to display the website to the user as requested by them (Art. 6 (1) lit. f GDPR (legitimate interests) and Sec. 25 (2) No. 2 TDDDG).

We use statistics and comfort cookies and similar technologies on the basis of your previously given consent (Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG).

When accessing our website, the user is informed about the use of statistics cookies and comfort cookies via the cookie banner and their consent to the processing of the personal data used in this context is obtained. In this context, a reference is also made to this privacy policy. 

Under the following links you can find out how to deactivate the cookies in the most common browsers:

Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

Chrome Browser: https://support.google.com/accounts/answer/61416?hl=de

Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies

Consequently, you can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all functions of the website. The transmission of Flash cookies cannot be prevented via the browser settings, but only by changing the settings of the Flash Player. Furthermore, you can object to the processing of your personal data by cookies and similar technologies at any time in accordance with Section 14.7 with effect for the future or revoke consent already given for the processing of your personal data by cookies and similar technologies in accordance with Section 14.8.

12.2    Data protection provisions about the application and use of PayPal payment services

We offer payments via the PayPal service. The provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg ("PayPal").

When selecting and using PayPal, the following personal data is processed: master data (e.g. name), contact data, payment and transaction data, information about the shopping cart, IP address, date/time, device/browser data, as well as – depending on the procedure – risk assessment/authentication data (e.g. 3D Secure/SCA). PayPal processes this data as an independent controller; if a PayPal login exists, it can be assigned to your PayPal account.

This personal data is used for the purpose of payment processing and authentication, to fulfill a contract with the user and for identity and fraud prevention. If necessary, PayPal carries out credit/risk checks on its own responsibility. The provision of the data required for payment processing is necessary for a payment via PayPal; without this, it is not possible to use this payment method.

The legal basis for the processing of your personal data is Art. 6 (1) lit. b GDPR (contract execution or pre-contractual measures, processing of the payment) and Art. 6 (1) lit. f GDPR (our legitimate interests in IT/transaction security and fraud prevention). If cookies/trackers that are not strictly necessary are set within the scope of the integration or if PayPal resources are loaded before you select the payment method, we base this on your consent, Art. 6 (1) lit. a GDPR and Sec. 25 (1) TTDSG. Required, technically necessary storage accesses for the payment process are based on Sec. 25 (2) No. 2 TDDDG.

Transfers to third countries (including the USA) by PayPal are possible. If there is no adequacy decision, these are made on the basis of appropriate safeguards (standard contractual clauses) pursuant to Art. 46 GDPR; in individual cases also on the basis of your explicit consent, Art. 49 (1) lit. a GDPR. Further information on data protection at PayPal can be found at https://www.paypal.com/de/legalhub/paypal/privacy-full.

You can revoke a given consent (e.g. for optional cookies/trackers) at any time with effect for the future via the cookie banner; the contractually required processing for payment processing remains unaffected.

12.3    Data protection provisions about the application and use of Google Analytics (with anonymization function)

We have integrated the component Google Analytics (with anonymization function) on this website. This component is deactivated by default when you visit and is only activated by the user accepting the corresponding statistics cookies in the cookie banner of the website (consent). The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TTDSG.

Google Analytics is a web analytics service. Web analysis is the gathering, collection and evaluation of data regarding the behavior of visitors to websites. A web analytics service collects, among other things, data on the website from which a data subject has accessed a website (so-called referrers), which subpages of the website were accessed or how often and for what duration a subpage was viewed. A web analysis is mainly used to optimize a website and to carry out a cost-benefit analysis of internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

The controller responsible for the processing uses the addition "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this addition, the IP address of the internet connection of the data subject is shortened and anonymized by Google if access to our website takes place from a Member State of the European Union or from another Contracting State to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyze visitor flows on our website. Google uses the obtained data and information, among other things, to evaluate the use of our website, to compile online reports for us that show the activities on our website, and to provide other services related to the use of our website.

Google Analytics sets a cookie on the information technology system of the data subject. Further information on cookies can be found in Section 12.1. With the setting of the cookie, Google is enabled to analyze the use of our website. With each call-up of one of the individual pages of this website, which is operated by the controller responsible for the processing and on which a Google Analytics component was integrated, the internet browser on the information technology system of the data subject will automatically be prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical procedure, Google acquires knowledge of personal data, such as the IP address of the data subject, which serves Google, among other things, to understand the origin of visitors and clicks and subsequently create commission settlements.

The cookie is used to store personal information, such as the access time, the location from which the access originated and the frequency of visits to our website by the data subject. With each visit to our website, this personal data, including the IP address of the internet access used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure on to third parties.

The data subject can prevent the setting of cookies by our website at any time, as already outlined under Section 12.1, by means of a corresponding setting of the internet browser used and thus permanently deny the setting of cookies. Such a setting of the internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programs.

Furthermore, the data subject has the possibility to object to the collection of data generated by Google Analytics relating to the use of this website as well as the processing of this data by Google, and to preclude such. For this purpose, the data subject must download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics via JavaScript that no data and information on the visits of websites may be transmitted to Google Analytics. The installation of the browser add-on is considered an objection by Google. If the information technology system of the data subject is deleted, formatted or reinstalled at a later point in time, the data subject must reinstall the browser add-on to disable Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or any other person who is attributable to their sphere of influence, there is the possibility to reinstall or reactivate the browser add-on.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.de/intl/de/policies/privacy/ and under http://www.google.com/analytics/terms/de.html. Google Analytics is further explained under this link https://www.google.com/intl/de_de/analytics/.

12.4       Data protection provisions about the application and use of Google Remarketing

This website uses the remarketing function of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA ("Google"). This component is deactivated by default when you visit and is only activated by the user accepting the corresponding statistics cookies in the cookie banner of the website (consent). The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG.

This function serves to present interest-based advertisements to visitors to the website within the Google advertising network. The browser of the website visitor saves so-called "cookies", text files that are saved on your computer and that make it possible to recognize the visitor when they access websites that belong to the advertising network of Google. On these pages, the visitor can then be presented with advertisements that relate to content that the visitor previously accessed on websites that use the remarketing function of Google. According to its own statements, Google does not collect any personal data during this process. 

If you still do not wish to use Google's remarketing function, you can generally deactivate it by making the appropriate settings under http://www.google.com/settings/ads

Alternatively, you can deactivate the use of cookies for interest-based advertising via the Network Advertising Initiative by following the instructions under http://www.networkadvertising.org/managing/opt_out.asp.  

Further information on Google Remarketing and the privacy policy of Google can be viewed at: http://www.google.com/privacy/ads/.

12.5      Data protection provisions about the application and use of Google AdWords and Conversion Tracking

We have integrated Google AdWords on this website. This service is deactivated by default when you visit and is only activated by the user accepting the corresponding statistics cookies in the cookie banner of the website (consent). The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG.

Google AdWords is a service for Internet advertising that allows advertisers to place ads in search engine results of Google as well as in the Google advertising network. Google AdWords allows an advertiser to pre-define specific keywords, by means of which an ad in Google's search engine results is displayed exclusively when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google advertising network, the ads are distributed to topic-relevant websites using an automatic algorithm and taking the previously defined keywords into account.

The operating company of the Google AdWords services is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is the promotion of our website through the inclusion of relevant advertising on the websites of third-party enterprises and in the search engine results of the search engine Google and the display of third-party advertising on our website.

If a data subject reaches our website via a Google ad, a so-called conversion cookie is placed on the information technology system of the data subject by Google. Further information on cookies can be found in Section 12.1. A conversion cookie loses its validity after thirty days and is not used to identify the data subject. If the cookie has not yet expired, the conversion cookie is used to track whether certain subpages, for example, the shopping cart from an online shop system, were called up on our website. Through the conversion cookie, both we and Google can track whether a data subject who reached our website via an AdWords ad generated sales, i.e., completed or canceled a purchase of goods.

The data and information collected through the use of the conversion cookie are used by Google to create visitor statistics for our website. These visitor statistics are used in turn by us to determine the total number of users who have been served through AdWords ads to ascertain the success or failure of the respective AdWords ad and to optimize our AdWords ads in the future. Neither our company nor other advertising customers of Google AdWords receive information from Google that could identify the data subject.

The conversion cookie is used to store personal information, for example, the websites visited by the data subject. Accordingly, with each visit to our websites, personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.

The data subject can prevent the setting of cookies by our website at any time, as already described above, by means of a corresponding setting of the internet browser used and thus permanently object to the setting of cookies. Such a setting of the internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie already set by Google AdWords can be deleted at any time via the internet browser or other software programs.

Furthermore, the data subject has the opportunity to object to interest-based advertising by Google. For this purpose, the data subject must access the link www.google.de/settings/ads from each of the internet browsers they use and make the desired settings there.

Further information and the applicable data protection provisions of Google can be retrieved under https://www.google.de/intl/de/policies/privacy/.

12.6       Data protection provisions about the application and use of Google Fonts

For the uniform representation of fonts, our website uses so-called Google Fonts, which are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

The fonts for the main design of our website are installed locally on our server, which means that no connection to Google's servers is established. No personal data (such as IP addresses) is transmitted to Google. The presentation takes place directly from our web server.

However, some analysis or comfort services on our website additionally use so-called Google Web Fonts (e.g. Google Maps). These services are deactivated by default on our website. When you access a page after accepting the corresponding statistics/comfort cookies in the cookie banner of the website (consent), your browser loads the web fonts required for the respective analysis or comfort service into its cache in order to display texts and fonts correctly. The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG.

For this purpose, the browser you use must establish a connection to the servers of Google. Through this, Google becomes aware that our website was accessed via your IP address. The use of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our online offers, but only with your explicit consent via the cookie banner. 

You can revoke your consent at any time with effect for the future in the cookie banner; this will prevent further data processing for the future. You can delete cookies that have already been set in your browser.

Google LLC, based in the USA, is certified under the US-European data protection agreement EU-US Data Privacy Framework, which guarantees compliance with the level of data protection applicable in the EU.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in the privacy policy of Google: https://www.google.com/policies/privacy/.

12.7       Data protection provisions about the application and use of the YouTube plugin

We embed videos from the "YouTube" platform of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland") into our website to provide you with video content suitable for our offer. When activating/playing the video, personal data (IP address, date/time, device/browser data, referrer, accessed page, interaction data; possibly cookies/pixel IDs) is transmitted to Google; an assignment to an existing user account with YouTube is possible if you are logged in there.

The integration is deactivated by default. Processing and transmission only begin after your consent. The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG.

By clicking on the video, a connection to the servers of YouTube in the USA is established. In doing so, YouTube is informed which of our pages you have visited. If you are logged into YouTube, your surfing behavior will be assigned to your profile. You can prevent this by logging out beforehand. In addition, cookies can be stored on your end device after starting a video. The scope, purposes and storage duration of any cookies by Google Ireland are within its area of responsibility. Any transfers to third countries (esp. USA) take place – provided there is no adequate level of data protection – on the basis of your consent, Art. 49 (1) lit. a GDPR, and/or appropriate safeguards (standard contractual clauses), Art. 46 GDPR. Further information can be found in the privacy policy of Google Ireland at https://policies.google.com/privacy and at https://www.youtube.com/intl/de_be/howyoutubeworks/privacy/.

You can revoke your consent at any time with effect for the future in the cookie banner; this will prevent further data processing for the future. You can delete cookies that have already been set in your browser.

12.8       Data protection provisions about the application and use of the Vimeo plugin

We embed videos from the "Vimeo" platform of the provider Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA ("Vimeo") into our website to provide you with video content suitable for our offer. When activating/playing the video, personal data (IP address, date/time, device/browser data, referrer, accessed page, interaction data; possibly cookies/pixel IDs) is transmitted to Vimeo; an assignment to an existing user account with Vimeo is possible if you are logged in there.

The integration is deactivated by default. Processing and transmission only begin after your consent. The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG. By clicking on the video, a connection to the servers of Vimeo in the USA is established. In doing so, Vimeo is informed which of our pages you have visited. If you are logged into Vimeo, your surfing behavior will be assigned to your profile. You can prevent this by logging out beforehand. In addition, cookies can be stored on your end device after starting a video. The scope, purposes and storage duration of any cookies by Vimeo are within its area of responsibility. Further information can be found in the privacy policy of Vimeo at https://vimeo.com/legal/terms/de/datenschutz/policy.

Vimeo, based in the USA, is certified under the US-European data protection agreement EU-US Data Privacy Framework, which guarantees compliance with the level of data protection applicable in the EU.

You can revoke your consent at any time with effect for the future in the cookie banner; this will prevent further data processing for the future. You can delete cookies that have already been set in your browser.

12.9       Data protection provisions about the application and use of the Google Maps plugin

We integrate map material and services of the "Google Maps" service on our website to display interactive maps, route and location functions to users. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland"). When activating/displaying a Google Maps map on our website, personal data is processed and transmitted to Google Ireland, including in particular: IP address, date/time, device and browser data, referrer/accessed page, language settings, interaction data (e.g. zoom/movement), possibly location data (if approved by the device/browser) as well as – depending on the implementation – cookies/similar technologies or unique online identifiers. If a login to a Google service is active, an assignment to your Google account can take place. The integration is deactivated by default. Processing and transmission only begin after your consent. The legal basis in this case is Art. 6 (1) lit. a GDPR and Sec. 25 (1) TDDDG. By clicking on the map, a connection to the servers of Google in the USA is established. In doing so, Google is informed which of our pages you have visited. If you are logged into a Google service, your surfing behavior will be assigned to your Google user profile. You can prevent this by logging out beforehand. In addition, cookies can be stored on your end device after displaying a map. The scope, purposes and storage duration of any cookies by Google Ireland are within its area of responsibility. Further information can be found in the privacy policy of Google Ireland at https://policies.google.com/privacy.

You can revoke your consent at any time with effect for the future in the cookie banner; this will prevent further data processing for the future. You can delete cookies that have already been set in your browser.

12.10   Data protection provisions about the application and use of the accessibility widget

We use the accessibility widget "Accessibility Toolbar & Widget | Accessibility Assistant" from TC-Innovations GmbH, Hanns-Martin-Schleyer-Straße 27, 41564 Kaarst, on our website.

The widget helps users to use our website with fewer barriers, for example by adjusting contrasts, font sizes or other display options. The settings made by the user are stored exclusively locally in the local storage of the end device. The widget does not transmit data to external servers and does not process personal data.

Insofar as the storing and reading of the settings on the end device is necessary to provide the function selected by the user, this is done on the basis of Sec. 25 (2) TDDDG. Users can delete the stored settings at any time via the settings of their browser.

Further information can be found in the privacy policy of TC-Innovations GmbH.

12.11   Information on the use of Altcha Captcha

To protect your orders via internet form and to protect our website against misuse, we use the service Altcha Captcha, provided by BAU Software s.r.o., Lidicka 700/19, Brno 602 00, Czech Republic.

The Altcha Captcha query serves to distinguish whether an input is made by a human or abusively by automated, machine processing.

Altcha Captcha works without tracking, cookies and fingerprinting. In this respect, no personal data of yours is processed when using Altcha Captcha.

12.12   Summary of cookies

| Provider/Service | Storage purpose | Exact designation | Storage duration | Legal basis | Processed data | Objection options (in addition to objection according to Section 14.7 and possibly revocation of consent according to Section 14.8) |
|---|---|---|---|---|---|---|
| Shopware (1st party) | Detection of configuration changes | cookie-config-hash | 30 days | Technically necessary: Sec. 25 (2) TTDSG; Art. 6 (1) lit. f GDPR | Configuration/preference status (detection of changes) | technically necessary, cannot be deselected itself |
| Shopware (1st party) | Saves consent/preference choice | cookie-preference | 30 days | Technically necessary: Sec. 25 (2) TTDSG; Art. 6 (1) lit. f GDPR | Consent/preference status (decision in the banner) | technically necessary, cannot be deselected itself |
| Shopware (1st party) | Session, shopping cart, login, CSRF protection | session- (Prefix) | Session | Technically necessary: Sec. 25 (2) TTDSG; Art. 6 (1) lit. b/f GDPR | Session ID, shopping cart/login status, CSRF token status | technically necessary, cannot be deselected itself |
| Shopware (1st party) | Time zone for correct display | timezone | 30 days | Technically necessary: Sec. 25 (2) TTDSG; Art. 6 (1) lit. f GDPR | Time zone information of the visitor | technically necessary, cannot be deselected itself |
| Shopware (1st party) | Internal storefront tokens (e.g. shopping cart) | SW-* | Session | Technically necessary: Sec. 25 (2) TTDSG; Art. 6 (1) lit. b/f GDPR | Internal tokens (e.g. shopping cart/storefront context) | technically necessary, cannot be deselected itself |
| Google (Analytics) | Distinction of unique visitors | _ga | 400 days | Consent: Sec. 25 (1) TTDSG in conjunction with Art. 6 (1) lit. a GDPR | Client ID; in GA4 events, among others, client ID, session ID, URL, referrer, title, resolution, language, OS, scroll depth, time on page, experiments | Revocation via cookie banner "Statistics" |
| Google (Analytics) | Session state for GA4 | _ga_xxx | 400 days | Consent: Sec. 25 (1) TTDSG in conjunction with Art. 6 (1) lit. a GDPR | Session ID/status; linked to GA4 events (see data points above) | Revocation via cookie banner "Statistics" |
| Shopware Plugin (codiverse GTM) | Internal consent flag for GTM/GA | dtgsAllowGtmTracking | 30 days | Consent (controls statistics tracking): Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Internal tracking status/flag for GTM/GA activation | Revocation via cookie banner "Statistics" |
| Shopware (1st party) | Consent decision for YouTube embeds | youtube-video | 30 days | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Consent status for media embedding (Vimeo) | Revocation via cookie banner "Comfort functions" |
| Shopware (1st party) | Consent decision for Vimeo embeds | vimeo-video | 30 days | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Consent status for media embedding (YouTube) | Revocation via cookie banner "Comfort functions" |
| Shopware/Plugin (ThemeWare) | Save dismiss/UI timestamp | twt-local-storage | 30 days | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Timestamp/status of the UI dismiss | Revocation via cookie banner "Comfort functions" |
| Shopware/Plugin (coco_googlemaps) | Saves Google Maps consent and activates Google Maps | coco_googlemaps | 30 days | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Consent status for Google Maps | Revocation via cookie banner "Comfort functions" |
| Cloudflare (via Vimeo) | Bot detection/defense | cf_bm | 30 minutes | Consent (only arises with active Vimeo embed): Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Bot/traffic signals to distinguish human/bot | Revocation via cookie banner "Comfort functions/Vimeo" |
| Cloudflare (via Vimeo) | Rate Limiting | _cfuvid | Session | Consent (only arises with active Vimeo embed): Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Rate-limiting signals to distinguish users per IP | Revocation via cookie banner "Comfort functions/Vimeo" |

12.13   Summary of similar technologies

| Provider/Service | Purpose | Exact designation of the service/request | Legal basis | Processed data | Objection options (in addition to objection according to Section 14.7 and possibly revocation of consent according to Section 14.8) |
|---|---|---|---|---|---|
| PayPal SDK | Display of buttons/SDK; telemetry/logger | GET /sdk/js?components=…; POST /xoplatform/logger/api/logger | Technically necessary for payment function Sec. 25 (2) TTDSG, Art. 6 (1) lit. b/f or a GDPR | IP, UserAgent, PageSessionID, Referrer, Locale, Currency, MerchantID, Load Time, CorrelationID | Technically necessary for checkout function, cannot be deselected itself |
| Google Tag Manager | Container/root trigger for GA4 | GET /gtm.js?id=GTMKBPWHT4 | Consent (controls statistics): Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP, user agent, referrer, GTM container ID (in the request context) | Revocation via cookie banner "Statistics" |
| Google Analytics 4 | Measurement (page_view, scroll), secondary DoubleClick endpoint | GET /gtag/js?id=GQ5WMX91R2F; POST /g/collect; GET /ads/gaaudiences | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | among others client ID, session ID, URL, referrer, title, resolution, language, OS, scroll depth, time on page; audience building via Ads | Revocation via cookie banner "Statistics" |
| Google Ads (via GA4) | Remarketing/audience building | GET /ads/gaaudiences | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | GA client ID and property reference for audience matching | Revocation via cookie banner "Statistics" |
| Google Maps | Map embedding/tiles/place data requests | /maps/embed/v1/place; /maps/api/js; /maps/vt; RPC calls | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP, API key, search/coordinates, zoom, map session ID, viewport BBox, fonts/assets requests | Revocation via cookie banner "Comfort functions" |
| YouTube (youtube-nocookie.com) | Video player, assets, event logging | /embed/…; /s/player/…; POST /youtubei/v1/log_event | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Player assets; detailed client context and playback timing in the log event | Revocation via cookie banner "Comfort functions" |
| YouTube (cross-origin assets) | Styles/scripts for embeds | /s//ytembeds//ss …; /js … | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | Asset requests; IP transmission as part of the request | Revocation via cookie banner "Comfort functions" |
| Vimeo (Player/CDN) | Player, vendor bundle, thumbnails | player.vimeo.com /video/…; f.vimeocdn.com /js/…; i.vimeocdn.com /video/… | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP, video ID, referer, browser fingerprint, language; thumbnails/assets; DNT=1 set | Revocation via cookie banner "Comfort functions" |
| Google WAA (Anti-abuse) | Token generation/anti-abuse | POST /$rpc/…/Waa/GenerateIT (jnn-pa.googleapis.com) | Consent (if triggered by YouTube/Google embeds): Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP, API key, encrypted fingerprint token (~2 KB payload) | Revocation via cookie banner "Comfort functions/YouTube" |
| Google Fonts/Infra (via embeds) | Fonts/utilities for UI | /s/roboto/… woff2; /js/th/… | According to the triggering service: Google Maps; YouTube/Vimeo: Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP; referer (youtube-nocookie.com / google.com) for fonts | Revocable according to the triggering service (YouTube, Google Maps) |
| Google Cast SDK (via Vimeo) | Cast-to-TV in the player | /cv/js/sender/…; /cast_framework.js; /eureka/… | Consent: Sec. 25 (1) TTDSG; Art. 6 (1) lit. a GDPR | IP; referer player.vimeo.com | Revocation via cookie banner "Comfort functions" |


13.      Legal bases, purposes of processing, duration of storage, objection and possibility of removal

13.1       General information on the legal bases

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data. When using cookies, if your consent has been given, Sec. 25 (1) TDDDG also forms the legal basis for the processing of your personal data. Technically necessary cookies are set on the basis of Sec. 25 (2) No. 2 TDDDG so that we can provide you with a digital service expressly requested by you.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party, and if the interests, fundamental rights, and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing. 

13.2       General information on data deletion and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

14.      Your rights

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

14.1   Right of access

You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can request access to the following information from the controller:

(1) the purposes for which the personal data is processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

(4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;

(5) the existence of a right to rectification or deletion of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing; 

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) any available information as to their source, if the personal data is not collected from the data subject;

(8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you can request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

14.2   Right to rectification 

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without undue delay.

14.3   Right to restriction of processing

Under the following conditions, you can request the restriction of processing of the personal data concerning you:

(1) if you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or

(4) if you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override yours.

If the processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If you have obtained restriction of processing pursuant to the above conditions, you will be informed by the controller before the restriction of processing is lifted.

14.4   Right to erasure

14.4.1 Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(1)  The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

(2)  You withdraw consent on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR, and where there is no other legal ground for the processing. 

(3)  You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR. 

(4) The personal data concerning you have been unlawfully processed. 

(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

14.4.2  Information to third parties

If the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data. 

14.4.3 Exceptions

The right to erasure does not apply to the extent that processing is necessary

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) for the establishment, exercise or defense of legal claims.

Furthermore, the right to erasure does not exist if the personal data must be stored by the controller due to statutory retention obligations and periods. In such a case, the personal data will be blocked instead of erased.

14.5   Right to be informed

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about those recipients by the controller.

14.6   Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, machine-readable and interoperable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

(1) the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and

(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

14.7   Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR, including profiling based on those provisions. 

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

14.8   Right to withdraw the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time and without giving reasons. In the event of withdrawal, we will delete your personal data immediately and no longer process it. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

14.9   Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision 

(1) is necessary for entering into, or performance of, a contract between you and the data controller,

(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

(3) is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

14.10   Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. 

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

As of: June 16, 2026

Controller: Hechler & Nickel Fashion GmbH

Managing Director: Martina Nickel