We, edding Expressive Skin GmbH, operators of the website www.edding.tattoo , take the protection of your data very seriously. The following information is intended to inform you of the extent and purpose for which we collect and process your personal data on our website www.edding.tattoo (hereinafter „Website“).
Personal data means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 (1) GDPR).
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 (2) GDPR).
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (cf. first clause of Art. 4 (3) GDPR).
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (cf. Art. 4 (8) GDPR).
Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (cf. Art. 4 (10) GDPR).
Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (cf. Art. 4 (11) GDPR).
The controller of personal data within the meaning of the GDPR is:
If you wish to view and update your personal data or have any queries regarding data protection on our Website, please contact us at any time using our email address email@example.com or by post at the address provided above.
You can contact our Data Protection Officer (Frau Jennifer Jähn-Nguyen, datenschutz nord GmbH, Standort Hamburg, Sechslingspforte 2, 22087 Hamburg)
- by emaill firstname.lastname@example.org or
- by post at the postal address for the Controller, specifying “FAO Data Protection Officer”.
The extent and type of processing of your personal data depends on whether you make contact with us via our website, order something from our online shop, register on our Website, or simply wish to use our Website for information. You may assert your rights as a Data Subject (see number 7 below) at any time in relation to the data processing operations described below.
3.1 Collection of data with your assistance
We collect and store your personal data in connection with use of this Website if you provide us with such data voluntarily, e.g. for a mailing list. You are always free to decide whether you wish to provide us with your data for the respective purposes.
3.1.1 Enquiries via email and customer service
If you send us an email, we will store your email address and any personal content contained in the message (the legal basis is Art. 6 (1) (f) GDPR). We do this for the exclusive purpose of allowing us to process your query.
If your query relates to a planned tattoo, we will process your personal data to initiate or implement a contractual relationship (legal basis: Art. 6 (1) (b) GDPR).
We erase the respective data once the purpose has lapsed. You may also assert your rights as a Data Subject at any time in relation to this data processing (see number 7 in this regard); in particular you may object to the respective data processing.
3.1.2 Update Service
18.104.22.168 Subscribing to the update service
edding offers an update service on its Website providing information regarding edding TATTOO and shop openings via email updates. You can subscribe to the update service by selecting a checkbox and confirming the “send” button with the following text:
Consent to update service
If you have subscribed to the update service and have thus given your consent to processing of your data (legal basis: Art.6 (1) (a) GDPR), we will process your personal data as follows:
When you subscribe to the update service, your email address and your forename and surname will be stored. We use this data for internal statistical purposes and in order to tailor the content of our update service to you more accurately.
In order to subscribe to our update service, we use what is known as the double opt-in procedure. After subscribing to the update service, we will send an email to the email address you have provided, in which we will ask you to confirm that you have requested to receive update emails. If you confirm this request, the update emails will be sent to your email address permanently. However, if you do not provide such confirmation, your subscription will be cancelled automatically after 48 hours.
We use the service provider MailChimp, which is operated by the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA for content design, sending emails and the response analysis for our update service. For this purpose, we have concluded a commissioned data processing agreement with MailChimp, which ensures that MailChimp will process your personal data exclusively in accordance with our instructions and in compliance with the applicable data protection laws. Using EU standard contract clauses, MailChimp guarantees that it will maintain an appropriate level of data protection when processing personal data in the USA, whilst also observing the European data protection law regulations.
If you subscribe to our update service (see number 22.214.171.124), MailChimp stores your declaration of consent, your IP address and the time at which you subscribe to the newsletter and confirm your subscription. Furthermore, your email address and any other personal data you have provided for the purpose of personalising the newsletter are stored on the MailChimp servers in the USA for this purpose. MailChimp uses this information in order to send our update emails and to analyse users’ behaviour when they receive the update email. When analysing use, MailChimp collects technical information, particularly regarding the browser used, IP address and the time of the download. MailChimp determines whether and when a newsletter or links contained therein are opened. This information is used exclusively to better assess the email recipient’s expectations and to adapt the content accordingly. It is also possible for MailChimp to use these data in order to optimise or improve its own services, for example making the update service more effective, by recording the selected language, local information or time zones. MailChimp will never use your personal data to write to you for its own purposes or disclose your data to third parties.
We use MailChimp’s services as a processor on the basis of the statutory permission contained in Art. 6 (1) (f) GDPR. Our legitimate interest in this is offering a centrally coordinated update service that is lawful and tailored to your interests using a professional supplier.
126.96.36.199 Unsubscribing from the Update Service
If you no longer wish to receive the update service, you can object to receiving the update emails at any time (Art. 21 GDPR) or withdraw your consent (Art. 7 (3) GDPR) and thereby unsubscribe from the update service. To do this, click on the link contained in each update email. You will then be taken through the unsubscribe process. Alternatively, you can also inform us of your withdrawal of consent to receiving update emails by sending an email to email@example.com.
3.1.3 Requesting an appointment
188.8.131.52 Appointment requests via the "Kisscal" portal
You have the option to book an appointment for consultation, tattooing or aftercare via the online appointment booking system we use, the studio manager software Kisscal (hereinafter "Kisscal"). The provider of Kisscal is Kiss Solutions GbR, Im Steinenberg 9/1, 79585 Steinen, Germany.
Kisscal collects the following personal data on our behalf (Art. 28 GDPR) and transmits it to us for booking appointments:
- First name*,
- Last name*,
- Email address*,
- Telephone number*,
- Type of appointment requested,
- Selected Artist,
- Preferred contact type,
- Diseases/ Allergies,
- Your Message,
- if necessary a picture or sketch of the desired tattoo.
Only the data marked with a * needs to be provided in order to request an appointment.
We process the personal data provided by you via Kisscal in order to store your desired appointment with us and to prepare the appointment accordingly. Any further use of your data, e.g. for advertising purposes, will only take place if you are already a customer of ours and have made an appointment to have your tattoo engraved (see section 184.108.40.206). The legal basis of the processing is the initiation of a contract (Art. 6 para. 1 b) GDPR).
If you do not want to book your appointment via Kisscal, you are free to make your appointment as a request by phone or at our studio.
220.127.116.11 Cancelling your request for an appointment
If you wish to cancel your request for an appointment, you may object to the processing of your data at any time (Art. 21 GDPR), or withdraw the underlying consent (Art. 7 (3) GDPR) and thus retract it. You can send your objection to processing of your data in order to deal with the request for an appointment by emailing firstname.lastname@example.org.
3.1.4 Appointment reminders
18.104.22.168 Sending appointment reminders
If you select e-mail as your preferred method of contact when booking an appointment, we will also use your personal data as described in Section 3.1.3 (first and last name, e-mail address, and the date of your appointment) for this purpose. You give us your consent by clicking the confirmation button "verbindlich Buchen".
22.214.171.124 Unsubscribe from appointment reminders
If you no longer wish to receive appointment reminders, you can object to the processing of your data at any time (Art. 21 DSGVO) or revoke the underlying consent (Art. 7 (3) DSGVO) and thus withdraw it. In this case, you can send us your objection to appointment reminders and other reminders via e-mail to email@example.com.
3.1.5 Sending marketing emails
126.96.36.199 Subscribing to marketing emails
If you wish to receive emails about edding’s goods and services and provide your express consent to this (Art. 6 (1) (a) GDPR), we will also use your personal data specified in clause 3.1.3 (forename, surname and email address) for this purpose. You give us your consent by selecting a checkbox with the following text and clicking on the “Send” button:
Declaration of consent to receiving marketing emails
In order to document your consent to the processing of your sensitive personal data, when you send the declaration we store your IP address and the time at which you gave your consent.
In order to subscribe to appointment reminders, we use the “double opt-in procedure”. After subscribing to appointment reminders, we will first send an email to the email address you have provided, in which we will ask you to confirm that you have requested to receive appointment reminders. If you confirm the subscription, we will contact you using the contact information you have provided for the purpose of appointment reminders and other reminders. However, if you do not provide such confirmation, your subscription will lapse automatically after 48 hours.
188.8.131.52 Unsubscribing from marketing emails
If you no longer wish to receive marketing emails, you may object to the processing of your data at any time (Art. 21 GDPR), or withdraw the underlying consent (Art. 7 (3) GDPR) and thus retract it. To do so, click on the link contained in the email in question. You will then be guided through the unsubscribe process. Alternatively, you may also object to marketing emails by emailing firstname.lastname@example.org.
184.108.40.206 Receiving marketing emails after arranging an appointment for a tattoo
If you have not given your express consent to receive marketing emails when requesting an appointment for a consultation (cf. clause 3.1.5), we will only send you such emails if you arrange an appointment to have your tattoo done. In that event, we may also use the email address that you sent to us without your express consent to send marketing emails. In such a case, we send direct marketing with the email for our own, similar goods or services. The legal basis for sending the newsletter in this case is Article 7 (3) of the German Unfair Competition Act (UWG) and Art. 6 (1) (f) GDPR.
If you do not wish to receive marketing emails, you can unsubscribe from receiving such marketing emails at any time (Art. 21 GDPR). In order to do this, you can either follow the unsubscribe link in the respective marketing email, or you can email us at email@example.com.
When organising competitions, edding collects personal data from participants for the purpose of the competition. Depending on the individual case and where necessary, this includes the following data in particular:
- First and last name
- Account name
- Email address
- Date of birth
- Postal address
- Telephone number
- Participation in the competition
If the winner is announced on the organiser’s website/social media channels after the competition has ended, this is done on the basis of Art. 6 (1) (f) GDPR. Our overriding legitimate interest is in sharing with the community, in such a way that is effective from a marketing perspective, the fact that the competition has been held successfully. You may object to this at any time by sending an informal message to edding (Art. 21 GDPR).
We will erase your data if they are no longer required for the specified purpose and we are not legally obliged or entitled to continue to store the data, particularly for the purpose of proof of participation in the competition. In this case, we will block the data for all other purposes and will restrict access rights accordingly.
3.1.7 Video conference systems
Hereinafter we would like to inform you which video conference systems we and/or the respective edding subsidiary (edding Expressive Skin GmbH) use to communicate with business partners and customers (e.g. to hold video conferences, online seminars, and workshops; hereinafter referred to as “video conference”) and which personal data are processed by the respective edding subsidiary as the responsible data controller and by the respective provider of the video conference system used.
One of the following video conference systems (hereinafter referred to as “providers”) are used to hold video conferences:
- Microsoft Teams – A service of the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA (“Microsoft”).
For more information on the purpose and extent of data collection and processing through Microsoft, please see Microsoft’s privacy statement at privacy.microsoft.com/de-de/privacystatement and, for Microsoft Teams specifically, at docs.microsoft.com/de-de/microsoftteams/teams-privacy.
If your usual place of residence is in the European Economic Area or Switzerland, Microsoft Ireland Operations Ltd. (The Atrium Building Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, Ireland) is the data controller responsible for your personal data.
You can check the invitation that was sent to you to see which video conference system the respective edding subsidiary will use to hold the respective video conference.
In order to use the respective video conference system and download the required software, it is regularly necessary to access the respective provider’s website. Once you access the respective provider’s website, the respective provider is responsible for data processing as the operator of the website. As an alternative to downloading, the providers offer apps where you have to enter the respective meeting ID, usually along with other access data, to access the video conference. If you don’t want to or cannot use both the app and the software of the respective provider, the providers also offer the basic functions of the respective video conference system as a browser version. You can also find the browser version on the website of the respective provider.
Depending on the provider, using a video conference system will entail the processing of different personal data. The extent of the personal data processed will depend on which personal data you provide or transmit before or during participation in a video conference.
The below personal data may be subject to processing when using the video conference system of the respective provider:
- User information: First name, family name (required for participation in online seminars and workshops), phone number (optional), email address, password, profile data such as the username (optional);
- Meeting metadata: Topic, description (optional), participants’ IP addresses, device/hardware information;
- Where the video conference is recorded (optional): MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of online seminar chat;
- Where participants dial in per phone: Incoming and outgoing phone number, country, start and stop time; other connection details may be stored, such as the device’s IP address;
- Text, audio, and video data: Participants in video conferences can use features for chatting, asking questions, or conducting surveys. If you use these features, the text you input is subject to processing in order for it to be displayed during the video conference and logged (where online seminars or workshops are recorded). In order to display video and reproduce audio, the personal data transmitted by your terminal device’s microphone and/or camera during the video conference are processed. You can always turn off or mute your microphone or camera yourself from within the respective video conference system.
In order to participate in an online seminar or workshop and dial in using a video conference system, it is required that you provide your name. The use of a pseudonym is possible when participating in video conferences, except in the case of online seminars and workshops, if you are identifiable as a valid participant by some other means. In some cases, it might also be necessary that you create a user account with the respective provider. In such cases, your customer data will be also used by the respective provider for their own purposes.
To protect your personal data when using video conference systems, data processing agreements that comply with the requirements of Art. 28 GDPR have been concluded with the respective provider. As it cannot be precluded, especially when using Microsoft Teams, that using the provider’s service might entail your personal data being transferred to a third country (especially the USA), EU standard contractual clauses (SCCs) were concluded to ensure a level of data protection acceptable in the EU (Art. 46 Para. 2 c) GDPR). In accordance with these SCCs, Microsoft is obligated to comply with European data protection law and ensure an appropriate level of data protection.
The legal basis for data processing in the framework of holding online seminars and workshops is Art. 6 Para. 1 b) GDPR, since it is necessary to process data in order to effect the contractual relationship.
For all other video conferences, the legal basis for data processing is the legitimate interest (Art. 6 Para. 1 f) GDPR) of being able to offer you a suitable alternative for holding personal meetings as well as of simplifying and improving the means of communication. The provision of personal data to providers as the data processor is based on our legitimate interest in the economic and technical advantages involved in the use of specialized data processors (Art. 6 Para. 1 f) GDPR). In cases where data processing is based on legitimate interest (Art. 6 Para. 1 f) GDPR), you may object at any time to a video conference being held by means of the respective provider (Art. 21 GPDR). However, please note that in such cases, the respective edding subsidiary may not be able to initiate the video conference due to a lack of technical options.
Your personal data subject to processing are deleted as soon as they are no longer required in order for the respective provider to render and hold the video conference or ensure its services or as soon as you have given us your consent to process your data (e.g. to send you a newsletter or to record and publish a seminar).
3.2 Collecting data without your assistance
We collect and use personal data generated automatically by your visit to our Website in order to provide our services.
3.2.1 Log files and (session) cookies
When you visit our Website, our server temporarily records the following personal data in what are known as log files:
- your computer’s IP address,
- the client’s file request (file name and URL),
- the http status code and the
- the website from which you have visited us.
We process your personal data on the basis of our overriding legitimate interest in the discovery of misuse (spam, viruses, etc.) and in order to identify and rectify errors (legal basis: Art. 6 (1) (f) GDPR).
Furthermore, our Website uses “cookies” in several places, which serve to make our offer more user-friendly and effective. Cookies are small text files which our Website places on your computer or other web-enabled devices, such as tablets or smartphones. If your browser settings accept cookies, your browser adds the text to a small file.
Cookies do not damage your computer per se and do not contain viruses. You can set your browser in such a way that these cookies are not stored at all, or they are deleted at the end of your browsing session. However, please note that you may not be able to use all the features of our Website in this case.
3.2.2 Google Tracking- and Marketing Tools
On our website, we use various tracking and marketing tools provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”).
If you have your usual place of residence in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the competent controller for your data.
If you have expressly consented to the respective data processing (Art. 6 (1) (a) GDPR) as described in clauses 220.127.116.11 and 18.104.22.168, Google obtains the information it needs to provide its services by using cookies. Data are generally transferred to a Google server in the USA and stored there. In order to ensure a level of data protection in line with the EU, we have concluded EU standard contract clauses with Google (Art. 46 (2) (c) GDPR), according to which Google undertakes to comply with European data protection requirements.
You can prevent the installation of cookies in various ways:
- By selecting the appropriate settings in your browser software; in particular, suppression of third-party cookies means that you will not receive any third-party advertisements. Please note that in this case, you may not be able to use all of our website’s functions in full;
- By installing the plug-in provided by Google under the following link google.com/settings/ads/plugin;
- By deactivating the interest-based advertisements from providers that are part of the “About Ads” self-regulation campaign via the link aboutads.info/choices; however, these settings will be deleted if you delete your cookies.
You can also obtain an opt-out cookie from here which, when installed, prevents Google from collecting data, which is particularly useful in the event that the deactivation add-on does not work, such as on mobile devices. If you access our website using various browsers/devices, you need to carry out the steps described on all browsers/devices.
You can find further information regarding data protection when using Google Analytics at support.google.com/analytics/answer/2838718. You can also find further information regarding protection of your data when using Google services from the following links:
22.214.171.124 Google Analytics
We use Google Analytics on our website. Google Analytics stores cookies in your web browser for a period of two years from your last visit. When you visit our website, this cookie records data which are transmitted to a Google server in the USA and stored there, including:
- Browser type/version
- Operating system used
- Referrer URL (the website visited previously)
- Host name of the accessing computer (IP address)
- Time of the server request
- The achievement of “website targets” (e.g. contact requests)
- Your behaviour on the website (e.g. clicks, scrolling and length of visit)
- Your approximate location (country and town)
- Technical information such as browser, internet service provider, device and screen resolution
- Origin of your visit (i.e. from which website or advertisement you reached us).
However, the IP address transmitted by your browser in particular will not be consolidated with other Google data. We have also extended Google Analytics on this website to include the code “anonymizeIP”. This guarantees that your IP address is masked so that all data are collected anonymously. Only in exceptional circumstances will the full IP address be transferred to a Google server in the USA and truncated there.
The cookies placed by Google Analytics also include a randomly generated user ID, allowing you to be recognised in the event of any future visits to the website. The information obtained by the cookies is stored together with the randomly generated user ID, which lets user profiles be analysed pseudonymously. These user-related data are erased automatically after 540 days. Other data remain stored for an indefinite period in an aggregated form.
Google uses the information obtained by placing cookies to analyse your use of our website, to compile reports on the website activities, and to provide us with further services associated with use of the website and the Internet. In this way, we can improve our offer and make it more interesting for you as a user. We also obtain information on our website’s functionality (e.g. identification of navigation problems).
Furthermore, Google is entitled to process the information obtained for its own purposes. For this reason, we only use Google services on our website if you consent to the processing of your personal data (the legal basis is Art. 6 (1) (a) GDPR). If you have already given consent, you can, of course, withdraw it at any time with future effect as specified in clause 3.2.3 above. You can also obtain an opt-out cookie from here which, when installed, prevents Google from collecting data, which is particularly useful in the event that the deactivation add-on does not work, such as on mobile devices. If you access our website using various browsers/devices, you need to carry out the steps described on all browsers/devices.
You can find further information regarding data protection when using Google Universal Analytics at support.google.com/analytics/answer/2838718. You can also find further information regarding protection of your data when using Google services from the following links:
126.96.36.199 Google Ads Conversion
We use the services of “Google Ads Conversion” to draw attention to our attractive offers on external websites using advertising materials (“Google Ads”). We can determine how successful the individual advertising measures are in relation to the advertising campaign data. By doing so we are pursuing the interest of showing you advertising that is of interest to you, making our website more interesting for you, and achieving a fair calculation of advertising costs.
These marketing materials are supplied by Google using “ad servers”. For this, we use ad server cookies, which allow specific success parameters, such as displaying the advertisements or user clicks, to be measured. If you access our website via a Google ad, Google Ads will store a cookie on your device. These cookies expire after 540 days at the latest and are not intended to identify you personally. The following are usually stored by this cookie as measures:
- Unique cookie ID;
- Number of ad impressions per placement (frequency);
- Last impression (relevant for post-view conversions); and
- Opt-out information (mark that the user no longer wishes to be contacted).
These cookies let Google recognise your Internet browser. If you visit specific pages of an Ads customer’s website and the cookie stored on your computer has not yet expired, both Google and we can see that you have clicked on the ad and have been redirected to this page. Each Ads customer is assigned a different cookie. Cookies therefore cannot be tracked via Ads customers’ websites.
We do not collect and process any personal data using the specified marketing measures. Google only supplies us with statistical analyses. Using these analyses, we can see which of the marketing measures we have used are particularly effective. We do not receive any further data from the use of marketing materials; in particular, we cannot identify users on the basis of this information.
If you have expressly consented to the data processing described (Art. 6 (1) (a) GDPR), your browser automatically establishes a direct connection to the Google server due to the marketing tools used. We have no influence over the extent and further use of the data collected by Google using this tool and can therefore only provide you with information according to our understanding of the process: by incorporating Ads Conversion, Google is informed that you have accessed the respective part of our website, or have clicked on one of our advertisements. If you are registered with one of Google's services, Google can allocate the visit to your account. Even if you are not registered or logged in to Google, there is a possibility that the provider may discover and store your IP address.
188.8.131.52 Google Ads Remarketing
Within Google Ads we also use the remarketing feature, provided that you have given your express consent to this (Art. 6 (1) (a) GDPR). Using the remarketing feature, we can present our website users with advertisements based on their interests on other websites within the Google advertising network (in Google search or on YouTube, so-called “Google ads” or on other websites). For this purpose, your interaction as a user of our website is analysed (e.g. products in which you have shown an interest) so that we can show you targeted adverts on other websites after you have visited our website. In order to allow this analysis, Google stores cookies on your device if you visit Google services or websites belonging to the Google Display Network. These cookies expire after 540 days at the latest (this only applies to cookies that are placed by this website). These cookies let your browser be identified, so that your visits to the respective websites can be recorded. The cookies are used exclusively to identify the web browser on a specific device and are not used to identify individuals.
3.2.3 Google Tag Manager
This website uses Google Tag Manager. Google Tag Manager is a solution that allows us to manage website tags using an interface. The tool itself (which implements the tags) is a cookie-free domain and does not register personal data. The tool causes other tags to be activated (e.g. Google Analytics – cf. clause 3.2.3), which may in turn collect data in certain circumstances. Google Tag Manager does not access these data. If there has been a deactivation at domain or cookie level, this will apply to all tracking tags implemented using Google Tag Manager.
3.2.4 Integration of Google Maps
We use Google Maps on our Website. This allows us to display interactive maps directly on the Website. It also allows you to use the map function easily.
As a result of integration of Google Maps on our Website, Google will be informed that you are visiting our Website and have visited the relevant sub-page. Personal data will also be transferred. The data transfer will occur regardless of whether Google provides a user account into which you are logged in, or whether no user account exists. If you are logged into Google, your data will be attributed directly to your account. If you do not wish your data to be attributed to your account in this way, you must log out before activating the button. Google stores your data as a user profile and uses them for the purposes of marketing, market research and/or the needs-based design of its website. This type of analysis is carried out (even for users who are not logged in) particularly to provide appropriate marketing and to inform other social network users about your activities on our Website. You have the right to object to creation of these user profiles; you must contact Google to exercise this right. We have no control over collection and processing of the data.
You can find further information about the purpose and extent of data collection and processing by Google and your rights, as well as settings options for protecting your privacy at: google.de/intl/de/policies/privacy.
3.2.5 Facebook Pixel
We also use “Facebook Pixel”, a service provided by the social network Facebook, which is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”) for further analysis and optimisation and for commercial operation of our website.
In order to ensure a level of data protection in line with the EU, we have concluded EU standard contract clauses with Facebook (Art. 46 (2) (c) GDPR), according to which Facebook undertakes to comply with European data protection requirements.
Facebook Pixel is embedded straight into our website by Facebook and can store a cookie on your device if you have given your express consent to this (Art. 6 (1) (a) GDPR). If you subsequently log in to Facebook, or visit Facebook while you are logged in, the visit to our website will be recorded on your profile. The data collected about you are anonymous to us and therefore do not allow us to identify you. However, the data are stored and processed by Facebook, so that a link to the respective user profile is possible and can be used by Facebook for its market research and marketing purposes, as well as ours. If we forward data to Facebook for comparison purposes, such data are encrypted locally on the browser and only then are they sent to Facebook using a secure https connection. This is done solely for the purpose of a comparison with the data similarly encrypted by Facebook.
Facebook Pixel also lets Facebook identify visitors to our website as a target group for displaying advertisements (“Facebook Ads”). Accordingly, we use Facebook Pixel to ensure that the Facebook Ads placed by us are only displayed to those Facebook users who have shown an interest in our website, or who exhibit specific characteristics (such as interest in specific topics or products determined on the basis of websites visited) that we specify to Facebook (“custom audiences”). We also use Facebook Pixel to try to ensure that our Facebook Ads correspond to the potential interests of users and are not perceived to be annoying. Facebook Pixel also lets us determine Facebook advertisements’ effectiveness for statistical and market research purposes, as it lets us see whether users have been redirected to our website after clicking on a Facebook advertisement (“conversion”).
Furthermore, when using Facebook Pixel, we use the additional “extended comparison” function. This lets data for the formation of target groups (“custom audiences” or “look-alike audiences”) be sent to Facebook in encrypted form.
We only use Facebook Pixel on our website if you consent to this processing of your personal data (Art. 6 (1) (a) GDPR). You can, of course, withdraw any consent you have given at any time with future effect. Such withdrawal of consent does not affect lawfulness of the processing (until consent is withdrawn).
Alternatively, you can deactivate the “custom audiences” remarketing feature at facebook.com/settings. You must be registered with Facebook to be able to do this.
3.2.6 Microsoft Advertising
Wir nutzen auf unserer Website den Service Microsoft Advertising, der von der Microsoft Corporation One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft") bereitgestellt und betrieben wird.
Soweit Du deinen gewöhnlichen Aufenthalt im europäischen Wirtschaftsraum oder der Schweiz hast, ist die Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521) die für deine Daten zuständige Verantwortliche.
Zur Nutzung der Services von Microsoft haben wir auf unserer Website einen sog. Universal-Event-Tracking (UET)-Tag von Microsoft implementiert. Hierbei handelt es sich um einen Code, über den in Verbindung mit einem Cookie Informationen über die Nutzung unserer Website erhoben und gespeichert werden können. Microsoft erhebt und verarbeitet über den Cookie personenbezogene Daten, aus denen unter Verwendung von Pseudonymen Nutzungsprofile für uns erstellt werden. Auf diese Weise können wir mit Hilfe von Microsoft mehr über das Userverhalten der Nutzer unserer Website erfahren. Bei der Erbringung der Services durch Microsoft werden Daten auch an Server von Microsoft in den USA übertragen, weshalb wir mit Microsoft EU-Standardvertragsklauseln geschlossen haben, die Microsoft dazu verpflichten, ein angemessenes Datenschutzniveau zu gewährleisten.
Einen Cookie setzt Microsoft auf Deinem Endgerät nur dann, wenn Du hierfür Deine ausdrückliche Einwilligung (Rechtsgrundlage Art. 6 Abs. 1 a) DSGVO) erteilt hast und über eine Microsoft-Anzeige (z.B. über Bing) auf unsere Website gelangt bist.
In diesem Fall erhalten wir insbesondere statistische Informationen darüber, über welches Keyword bzw. welche Anzeige Nutzer zu uns gekommen sind, was Nutzer auf unserer Website anklicken, wie viele Nutzer über Microsoft Ads unsere Website besuchen und wie lange Nutzer auf unserer Website bleiben. Die erfassten Informationen werden maximal 180 Tage gespeichert.
Microsoft nutzt die Daten außerdem auch zu eignen Zwecken z.B. um das eigene Werbeangebot und weitere Dienste zu optimieren. Wenn Du selbst ein Microsoft-Konto hast, können die erhobenen Daten auch mit Deinem Konto verknüpft werden. So kann es sein, dass Microsoft Deine IP-Adresse erkennt und speichert. Außerdem kann Microsoft unter Umständen durch so genanntes Cross-Device-Tracking Dein Nutzungsverhalten über mehrere Deiner elektronischen Geräte hinweg verfolgen und ist dadurch in der Lage personalisierte Werbung auf bzw. in Microsoft-Webseiten und –Apps einzublenden.
Wenn Du nicht möchtest, dass Informationen zu Deinem Nutzerverhalten von Microsoft wie oben erläutert verarbeitet werden, kannst Du das hierfür erforderliche Setzen eines Cookies ablehnen, etwa per Browser-Einstellungen, über die Du das Setzen von Cookies generell deaktivieren, verwalten oder gesetzte Cookies löschen kannst. Du kannst darüber hinaus die Erfassung Deiner Daten von Microsoft mittels Cookies verhindern, indem Du unter dem folgenden Link Deinen Widerspruch erklärst.
Weitere Informationen zum Datenschutz und zu den eingesetzten Cookies von Microsoft findest Du auf der Website von Microsoft.
3.2.7 Embedding Videos via YouTube
We embed YouTube videos in our online offer; these are saved at www.youtube.com and can be played direct from our Website. YouTube is provided by a third party which is not affiliated with us, YouTube LLC, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube's embed function in 'extended data protection mode', which according to YouTube’s information does not store any user information until a video starts being played.
Even if users are not logged in, YouTube saves your data amongst other things to collect video statistics, make itself user-friendlier and suppress abuse.
To find out more about what YouTube collects and processes data and to what extent, see their data protection statement. This also tells you more about your rights and settings available to protect your privacy: google.de/intl/de/policies/privacy.
Google also processes your personal data in the USA, so we have signed standard EU contract clauses to ensure a reasonable level of data protection.
We use Sleeknote to show email newsletter sign-up pop-ups. Sleeknote is a service provided by Sleeknote ApS, Jens Baggesens Vej 90A, 8200 Aarhus.
We collect the following data:
- Submitted data: This is the data you collect with Sleeknote, for example, name and email fields on a SleekBox. This will in many cases be personal data.
- Analytics data: This is data you passively gather using Sleeknote, you can compare it to what you would gather with a service like Google Analytics. Below is a list of data you will be collecting with Sleeknote in regards to Analytics and what you could be collecting in the various SleekBoxes or SleekBars.
- Submitted Data via Sleeknote: Using Sleeknote you can collect various personal data. Often this will include but not be limited to: Email, Name, Address, Phone number, Gender, IP address.
- Analytics Data: Using Sleeknote you are gathering analytics data that consists of Time of visit, Geolocation of visitor, Browser language, Pages visited, Website referrer, User agent, Returning visitor and Device. Sleeknote specific data: SleekBoxes and SleekBars shown, SleekBoxes and SleekBars engaged (Newsletter signup or links clicked), SleekBoxes and SleekBars closed and Links clicked.
To supplement the description as it comes from Cookiebot (tooling we use for this):
Purpose: Used to generate statistical data on how visitors use the website / sleeknote.
Expiration Time: Session
Type: Pixel Tracker
Purpose: Functional cookie that allows pop-ups to be displayed.
Expiration Term: Persistent
3.3 Social media platforms
We also run a Facebook page to give our company a presence on this platform, to provide information and to make contact with you as a visitor to and user of our Facebook page. As the operator of this Facebook page, we - together with the platform operator, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland - are the Controller.
When you visit our Facebook page, the Controllers process personal data. Data processing is carried out on the basis of an agreement between joint Controllers in accordance with Art. 26 GDPR, which you can view here: facebook.com/legal/terms/page_controller_addendum.
Below we inform you about which data this relates to and the way in which they are processed.
For our part, we collect personal data if, for example, you contact us via Messenger (user name, personal data included in your message as applicable). These data are stored and used exclusively for the purpose of responding to your query or for making contact and the associated technical administration. The legal basis for processing data is our legitimate interest in responding to your query in accordance with Art. 6 (1) (f) GDPR. Your data will be erased after we have finished dealing with your query, unless there are any statutory retention obligations that would prevent this. We deem that we have finished dealing with your query if, according to the circumstances, the respective issue has been fully resolved.
We also analyse the visits to and interactions with our Facebook page. Facebook creates user profiles for this purpose and provides us exclusively with anonymous data in the form of Page Insights (“Page Insights”): facebook.com/business/a/page/page-insights.
These consist of aggregated data, which provide us with information about how people interact without our page. Page Insights may be based on personal data that are collected when people visit or interact with our page and its content. In accordance with Art. 6 (1) (f) GDPR, this serves to uphold our overriding legitimate interests, which are established on a balance of interests, in the optimised presentation of our offer and more effective communication with customers and potential customers.
Please note that by using and visiting our Facebook page, your personal data are processed by Facebook as well as by edding. Both edding and Facebook are joint Controllers in relation to the processing of Insights data. Facebook is responsible for the way in which it uses Insights data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook page are attributed to individual users, how long Facebook stores these data and whether data from a visit to the Facebook page are disclosed to third parties.
In relation to data processing via our Facebook page, you can assert your rights as a Data Subject (see number 7 below) against Facebook as well as against edding. You can find further information about this in Facebook’s data use policy at de-de.facebook.com/about/privacy..
Facebook also offers Facebook members the opportunity to object to certain data processing practices; you can find information and opt-out options regarding this at facebook.com/settings.
You can contact the Facebook data protection officer using the online contact form provided by Facebook at facebook.com/help/contact/540977946302970.
The competent supervisory authority for Meta Platforms Ireland Ltd. is: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland www.dataprotection.ie.
We inform you below about which data this relates to and the way in which they are processed.
We would expressly point out that Facebook stores its users’ data (e.g. personal information, IP address, etc.) and uses them for commercial purposes. For more information about the data processing carried out by Facebook, see Facebook’s Data Policy at de-de.facebook.com/policy.php.
We have no control over data collection and further processing carried out by Facebook. We also do not know to what extent, where and for how long Facebook stores the data, to what extent Facebook complies with existing erasure obligations, which analyses and connections Facebook makes using the data and to whom Facebook discloses the data. If you would like to avoid Facebook processing your personal data that you have provided to us, please contact us in other ways. You can find all of our contact details in our legal notice for this Website, or on Facebook.
We only collect and use our users’ personal data if this is necessary or appropriate for providing a functional Instagram company page. or website linked from Instagram and for our content and services, such as participating in promotions and competitions etc. published on Instagram.
You can make contact with us via our Instagram page either by sending a private message or by commenting under a picture. You can contact us in this way with any questions regarding edding, our Instagram page, or with any other queries. When you contact us, you particularly provide us with your user name, the text of the query and, potentially, further personal data. These data are stored and used exclusively for the purpose of responding to your query and contacting you and for the associated technical administration. Comments are public and are visible to all other Instagram users.
The legal basis for processing data is our legitimate interest in responding to your query in accordance with Art. 6 (1) (f) GDPR. Your data will be erased after we have finished dealing with your query, unless there are any statutory retention obligations that would prevent this. We deem that we have finished dealing with your query if, according to the circumstances, the respective issue has been fully resolved.
Depending on the user’s respective privacy settings on Instagram, we can also see if you have liked or shared one of our Instagram pages, posts or comments, or if you have subscribed to our Instagram page. We can also attribute comments on our Instagram page to you as an Instagram user. The legal basis for this data processing is Art. 6 (1) (f) GDPR. Our legitimate interest is in communicating and interacting with you via Instagram.
The type and extent of personal data collection when you visit an Instagram page therefore depends on your behaviour and can be controlled by you. It is possible to visit our Instagram page at any time without leaving any comments or clicking on “Like”. Please note that the interactive features on Instagram can only be used following registration. Facebook can even process data in relation to this.
We also receive statistical data from Facebook regarding visitors to our Instagram page via the “Insights” feature. These consist of aggregated data which provide us with information about how people interact without our page. Page Insights may be based on personal data that are collected when people visit or interact with our page and its content. This feature allows us to better analyse our page and tailor it to our users’ interests. Our legitimate interest pursuant to Art. 6 (1) (f) GDPR in the operation of our Instagram page and the use of Insights is carrying out effective marketing on a widely used platform. You can find more information on the “Insights” feature here: facebook.com/iq/tools-resources/audience-insights.
You can contact Facebook’s data protection officer using the online contact form provided by Facebook at
The competent supervisory authority for Meta Platforms Ireland Ltd. is: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland www.dataprotection.ie.
We use the youtube.com website to post our own videos and make them publicly available. YouTube is provided by a third party which is not affiliated with us, YouTube LLC, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Some of the Websites we offer contain links to what we offer on YouTube. If you follow a link to YouTube, we point out that YouTube saves its users' data (e.g. personal information and IP addresses) according to its own guidelines for using data and uses it for business purposes. We have no control over how YouTube collects data or how it processes it; nor do we know how much data it collects, what it processes it for or how long it saves it for. So we cannot rule out the possibility that data will be disclosed, including to third parties outside the EU. You can see YouTube's data protection statement at gstatic.com/policies/privacy/pdf/20190122/f3294e95/google_privacy_policy_de_eu.pdf.
YouTube collects personal data to analyse how users behave, and provides some of this data to YouTube channel operators like edding in anonymised form. This involves demographic data such as age, sex, place of residence, country or mother tongue without reference to any identifiable persons, so edding cannot identify anyone who visits our YouTube channel.
It also provides edding with statistics on where calls to our YouTube channel come from, what kind of terminal it is accessed from or what pages are called up. As this channel's operator, YouTube also sends edding statistics data ('Insights'), which cannot be used to trace the users concerned. Nor can we link this statistics data we receive with our subscribers' profile data: we can only specify the categories of data and visitors YouTube uses when analysing the data it collects and provides as anonymised statistics. The only reason edding uses this data is to analyse user behaviour so we can match our YouTube channel and what we offer better to users' needs and interests.
We use your data YouTube sends us on the basis of our legitimate interest (Art. 6 (1) f) GDPR).
We only get anonymised information and statistics, even if you are registered with YouTube when you visit our YouTube channel; but we must point out that, if you go to our YouTube channel directly, YouTube could theoretically trace who you are e.g. by reading out logfiles (such as IP addresses) or by setting cookies.
If visitors subscribe to our YouTube channel, YouTube adds a list of all subscribers to this channel to your profile, and sends edding this list; but this list contains only data in the public domain, i.e. information you voluntarily make available to other YouTube Users via your YouTube settings. What these are specifically is something you decide in your YouTube settings yourself. You can also use your Google settings (myaccount.google.com/u/1/privacycheckup/1/0) to review your privacy.
To find out more about the individual settings available, go to policies.google.com/technologies/product-privacy.
We can also trace comments on our YouTube channels to individual users.
We process this data for the purpose above under Art. 6 (1) a) GDPR based on your voluntary consent and registering with YouTube.
3.4 Consent to usage of Cookies
We must also disclose some data to third parties, in strict compliance with the applicable data protection laws, in connection with the tools and features used on our Website.
4.1 Disclosure to external service providers
In relation to the content-related, technical support and design of our online presence, it may be necessary for external service providers to be given access to personal data (particularly IT service providers).
In this case, your personal data will only be handled in accordance with our express instructions and on the basis of a data processing agreement in accordance with Art. 28 GDPR. According to this agreement, the service provider guarantees to us that they provide their service in accordance with applicable data protection laws. The involvement of professional providers of corresponding services is expressly provided for by law and serves our legitimate interest in professionalising our offer for you and providing it in a way that is economically viable (legal basis: Art. 6 (1) (f) GDPR). We remain responsible for protection of your data even in this case.
4.2 Disclosure on the basis of statutory obligations
We reserve the right to disclose your personal data if we are obliged to do so by law, or if we are asked to provide such data by public authorities or prosecution agencies. We will not disclose your data to third parties in any other circumstances.
Your data will be processed mainly in Germany. Your data will only be transferred to a country outside of the European Union or the Eurozone if an adequate level of protection has been established for the respective country within the terms of Art. 45 (2) GDPR. Data collected on our Website may be transferred to the United States on this basis (e.g. to Rocket Science Group, the MailChimp provider). In order to protect your data from unauthorised access and misuse, we have implemented comprehensive, state-of-the-art technical and organisational security measures in accordance with European data protection law (Art. 32 GDPR) and, in the event of any order processing, we have concluded an agreement in accordance with Art. 28 GDPR.
We only process and store the Data Subject’s personal data for the period that is necessary to achieve the purpose of the storage or, if legally prescribed, until a relevant storage period has expired. If the storage purpose ceases to apply, or if a legally prescribed storage period expires, the personal data will be blocked or erased in accordance with the statutory provisions, unless the Data Subject has provided us with their consent to store and continue to process the data.
Right of access: you can request information at any time, free of charge, about the extent, the origin and the recipient of the stored data and the purpose for storage (Art. 15 GDPR). If you wish to exercise your right of access, you can contact an edding employee or the data protection officer about this at any time.
Right to data portability: you can receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format (Art. 20 GDPR), if (1) processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, or on a contract pursuant to Art. 6 (1) (b) GDPR, and (2) processing is carried out by automated means.
Right to request rectification: every data subject has the right to obtain rectification of inaccurate personal data concerning him or her (Art. 16 GDPR) without undue delay. The data subject also has the right, taking into account the purpose of processing, to have incomplete personal data completed.
Right to erasure (right to be forgotten): every data subject has the right to request that the Controller erase personal data concerning him or her without undue delay, if one of the following reasons applies and if processing is unnecessary (Art. 17 GDPR): (1) the personal data were collected or otherwise processed for purposes for which they are no longer necessary; (2) the data subject withdraws consent on which the processing is based and there is no other legal basis for processing; (3) the data subject objects to processing and there are no overriding legitimate reasons for processing; (4) the personal data have been processed unlawfully; (5) the personal data have to be erased for compliance with a legal obligation.
Right to object: every data subject has the right to object to processing of personal data concerning him or her at any time (Art. 21 GDPR). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override the data subject’s interests, rights and freedoms, or processing is for the assertion, exercise or defence of legal claims. If we process personal data for direct marketing purposes, the data subject shall have the right to object to processing of the personal data for such marketing at any time.
Right to withdraw data protection consent: every data subject has the right to withdraw any consent to the processing of personal data at any time (Art. 7 (3) GDPR).
Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that processing of personal data relating to you infringes this GDPR (Art. 77 GDPR).
If you assert this right, we will assess your claim and admit it unless there are any statutory regulations that prevent us from doing so. We will inform you of the outcome.
You do not have to comply with any specific formal requirements in order to assert your rights as a data subject. For example, you can send an email to firstname.lastname@example.org, or use the contact options on the Website. If your request for information relates to specially protected data within the terms of Art. 9 GDPR - particularly health data - you must provide specific personal identification so that we can check that you are entitled to make such a request. In this case, you can attach a copy of both sides of an identity document (copy of your identity card, passport or registration certificate) to the request in order for the identity of the person entitled to the information to be verified clearly; your forename and surname, your full address, your date of birth and your place of birth must be clearly legible on the identity document, although other details, including your photograph, can be blacked out.