Privacy policy

Preamble

We, edding Expressive Skin GmbH, operators of the website www.edding.tattoo , take the protection of your data very seriously. The following information is intended to inform you of the extent and purpose for which we collect and process your personal data on our website www.edding.tattoo (hereinafter „Website“).

1. General; Definitions

Our privacy policy is based on the terms used in the General Data Protection Regulation (GDPR). Some of the terms we use in this privacy policy are as follows:

Personal data means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 (1) GDPR).

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 (2) GDPR).

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (cf. first clause of Art. 4 (3) GDPR).

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (cf. Art. 4 (8) GDPR).

Third party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (cf. Art. 4 (10) GDPR).

Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (cf. Art. 4 (11) GDPR).

2. Responsibility and contact

The controller of personal data within the meaning of the GDPR is:

edding Expressive Skin GmbH (im Folgenden „edding“, „we“, „us“) of
Bookkoppel 7
22926 Ahrensburg
+49 4102 808-0
online@edding.de

This Privacy Policy fulfils our duties to provide information regarding the extent and purposes of the processing of your personal data pursuant to Art. 12-14 GDPR.

If you wish to view and update your personal data or have any queries regarding data protection on our Website, please contact us at any time using our email address online@edding.de or by post at the address provided above.

You can contact our Data Protection Officer

  • by emaill datenschutz@edding.de or
  • by post at the postal address for the Controller, specifying “FAO Data Protection Officer”.

3. Processing your personal data

The extent and type of processing of your personal data depends on whether you make contact with us via our website, order something from our online shop, register on our Website, or simply wish to use our Website for information. You may assert your rights as a Data Subject (see number 7 below) at any time in relation to the data processing operations described below.

3.1 Collection of data with your assistance

We collect and store your personal data in connection with use of this Website if you provide us with such data voluntarily, e.g. for a mailing list. You are always free to decide whether you wish to provide us with your data for the respective purposes.

3.1.1 Enquiries via email and customer service

If you send us an email, we will store your email address and any personal content contained in the message (the legal basis is Art. 6 (1) (f) GDPR). We do this for the exclusive purpose of allowing us to process your query.

If your query relates to a planned tattoo, we will process your personal data to initiate or implement a contractual relationship (legal basis: Art. 6 (1) (b) GDPR).

We erase the respective data once the purpose has lapsed. You may also assert your rights as a Data Subject at any time in relation to this data processing (see number 7 in this regard); in particular you may object to the respective data processing.

3.1.2 Update Service

3.1.2.1 Subscribing to the update service

edding offers an update service on its Website providing information regarding edding TATTOO and shop openings via email updates. You can subscribe to the update service by selecting a checkbox and confirming the “send” button with the following text:

Consent to update service
I have read and understood the Privacy Policy. I agree that the data I have provided will be used for the purpose of sending update emails regarding edding TATTOO and shop openings in accordance with number 3.1.2 of the Privacy Policy. This consent is voluntary and I may withdraw it at any time.

If you have subscribed to the update service and have thus given your consent to processing of your data (legal basis: Art.6 (1) (a) GDPR), we will process your personal data as follows:

When you subscribe to the update service, your email address and your forename and surname will be stored. We use this data for internal statistical purposes and in order to tailor the content of our update service to you more accurately.

In order to subscribe to our update service, we use what is known as the double opt-in procedure. After subscribing to the update service, we will send an email to the email address you have provided, in which we will ask you to confirm that you have requested to receive update emails. If you confirm this request, the update emails will be sent to your email address permanently. However, if you do not provide such confirmation, your subscription will be cancelled automatically after 48 hours.

3.1.2.2 MailChimp

We use the service provider MailChimp, which is operated by the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA for content design, sending emails and the response analysis for our update service. For this purpose, we have concluded a commissioned data processing agreement with MailChimp, which ensures that MailChimp will process your personal data exclusively in accordance with our instructions and in compliance with the applicable data protection laws. Using EU standard contract clauses, MailChimp guarantees that it will maintain an appropriate level of data protection when processing personal data in the USA, whilst also observing the European data protection law regulations.

If you subscribe to our update service (see number 3.1.5.1), MailChimp stores your declaration of consent, your IP address and the time at which you subscribe to the newsletter and confirm your subscription. Furthermore, your email address and any other personal data you have provided for the purpose of personalising the newsletter are stored on the MailChimp servers in the USA for this purpose. MailChimp uses this information in order to send our update emails and to analyse users’ behaviour when they receive the update email. When analysing use, MailChimp collects technical information, particularly regarding the browser used, IP address and the time of the download. MailChimp determines whether and when a newsletter or links contained therein are opened. This information is used exclusively to better assess the email recipient’s expectations and to adapt the content accordingly. It is also possible for MailChimp to use these data in order to optimise or improve its own services, for example making the update service more effective, by recording the selected language, local information or time zones. MailChimp will never use your personal data to write to you for its own purposes or disclose your data to third parties.

You can find further information in the Privacy Policy and the general terms and conditions of the Rocket Science Group.

We use MailChimp’s services as a processor on the basis of the statutory permission contained in Art. 6 (1) (f) GDPR. Our legitimate interest in this is offering a centrally coordinated update service that is lawful and tailored to your interests using a professional supplier.

3.1.2.3 Unsubscribing from the Update Service

If you no longer wish to receive the update service, you can object to receiving the update emails at any time (Art. 21 GDPR) or withdraw your consent (Art. 7 (3) GDPR) and thereby unsubscribe from the update service. To do this, click on the link contained in each update email. You will then be taken through the unsubscribe process. Alternatively, you can also inform us of your withdrawal of consent to receiving update emails by sending an email to datenschutz@edding.de.

3.1.3 Requesting an appointment

3.1.3.1 Requesting an appointment for a consultation or aftercare

edding provides a contact form for a no-obligation request for an appointment on its website. We collect and process the following personal data from this form:

  • First name*
  • Last name*
  • Email address*
  • Telephone number
  • Majority*
  • Pre-existing tattoos
  • Type of appointment requested
  • Tattoo design
  • Tattoo size
  • Area of the body
  • Message

Only the data marked with a * needs to be provided in order to request an appointment. You can request an appointment by selecting a checkbox with the following text and clicking the “Send” button:

Declaration of consent for an appointment request
I have read and understood the privacy statement. My data will be used exclusively for the purposes of arranging an appointment and will not be disclosed to third parties. I can withdraw my consent to data processing at any time.

Wenn Du die Anfrage für einen Termin gestellt hast und somit Deine Einwilligung in die Verarbeitung Deiner Daten erteilt hast (Rechtsgrundlage: Art. 6 Abs. 1 a) DSGVO), werden wir Deine personenbezogenen Daten wie folgt verarbeiten:

If you have requested an appointment and have thus given your consent to the processing of your data (legal basis: Art.6 (1) (a) GDPR), we will process your personal data as follows:
We store your email address, your forename, information about your age and all other data that you may have given voluntarily. We use these data in order to contact you to arrange an appointment and for internal statistical purposes. Your data will only be used in other ways, such as for marketing purposes, if you have given your express consent (cf. 3.1.5.1), or if you are already our customer and have made an appointment to have your tattoo done (cf. 3.1.5.3).

3.1.3.2 Cancelling your request for an appointment

If you wish to cancel your request for an appointment, you may object to the processing of your data at any time (Art. 21 GDPR), or withdraw the underlying consent (Art. 7 (3) GDPR) and thus retract it. You can send your objection to processing of your data in order to deal with the request for an appointment by emailing datenschutz@edding.de.

3.1.5 Sending marketing emails

3.1.5.1 Subscribing to marketing emails

If you wish to receive emails about edding’s goods and services and provide your express consent to this (Art. 6 (1) (a) GDPR), we will also use your personal data specified in clause 3.1.3 (forename, surname and email address) for this purpose. You give us your consent by selecting a checkbox with the following text and clicking on the “Send” button:

Declaration of consent to receiving marketing emails
I have read and understood the data protection policy. I agree to the data I provide when requesting an appointment (particularly my forename, surname and email address) being collected and processed for the purpose of sending marketing emails in accordance with clause 3.1.5 of the Privacy Policy. I may withdraw this consent at any time.

In order to document your consent to the processing of your sensitive personal data, when you send the declaration we store your IP address and the time at which you gave your consent.

In order to subscribe to appointment reminders, we use the “double opt-in procedure”. After subscribing to appointment reminders, we will first send an email to the email address you have provided, in which we will ask you to confirm that you have requested to receive appointment reminders. If you confirm the subscription, we will contact you using the contact information you have provided for the purpose of appointment reminders and other reminders. However, if you do not provide such confirmation, your subscription will lapse automatically after 48 hours.

3.1.5.2 Unsubscribing from marketing emails

If you no longer wish to receive marketing emails, you may object to the processing of your data at any time (Art. 21 GDPR), or withdraw the underlying consent (Art. 7 (3) GDPR) and thus retract it. To do so, click on the link contained in the email in question. You will then be guided through the unsubscribe process. Alternatively, you may also object to marketing emails by emailing datenschutz@edding.de.

3.1.5.3 Receiving marketing emails after arranging an appointment for a tattoo

If you have not given your express consent to receive marketing emails when requesting an appointment for a consultation (cf. clause 3.1.5), we will only send you such emails if you arrange an appointment to have your tattoo done. In that event, we may also use the email address that you sent to us without your express consent to send marketing emails. In such a case, we send direct marketing with the email for our own, similar goods or services. The legal basis for sending the newsletter in this case is Article 7 (3) of the German Unfair Competition Act (UWG) and Art. 6 (1) (f) GDPR.

If you do not wish to receive marketing emails, you can unsubscribe from receiving such marketing emails at any time (Art. 21 GDPR). In order to do this, you can either follow the unsubscribe link in the respective marketing email, or you can email us at datenschutz@edding.de.

3.1.6 Competitions

When organising competitions, edding collects personal data from participants for the purpose of the competition. Depending on the individual case and where necessary, this includes the following data in particular:

  • First and last name
  • Account name
  • Email address
  • Date of birth
  • Postal address
  • Title
  • Telephone number
  • Participation in the competition

The personal data are stored, processed and used for the purpose of organising and conducting the respective competition. The legal basis for this is Art. 6 (1) (b) GDPR. According to this, we can process your personal data if this is necessary for organising the competition, including in particular judging the competition entry, checking compliance with the terms of use, notifying the winner and delivering the prize. If necessary for this purpose and subject to the applicable data protection laws, your data may be forwarded to our partner when organising the competition and to delivery service providers.

If the winner is announced on the organiser’s website/social media channels after the competition has ended, this is done on the basis of Art. 6 (1) (f) GDPR. Our overriding legitimate interest is in sharing with the community, in such a way that is effective from a marketing perspective, the fact that the competition has been held successfully. You may object to this at any time by sending an informal message to edding (Art. 21 GDPR).

We will erase your data if they are no longer required for the specified purpose and we are not legally obliged or entitled to continue to store the data, particularly for the purpose of proof of participation in the competition. In this case, we will block the data for all other purposes and will restrict access rights accordingly.

3.2 Collecting data without your assistance

We collect and use personal data generated automatically by your visit to our Website in order to provide our services.

3.2.1 Log files and (session) cookies

When you visit our Website, our server temporarily records the following personal data in what are known as log files:

  • your computer’s IP address,
  • the client’s file request (file name and URL),
  • the http status code and the
  • the website from which you have visited us.

We process your personal data on the basis of our overriding legitimate interest in the discovery of misuse (spam, viruses, etc.) and in order to identify and rectify errors (legal basis: Art. 6 (1) (f) GDPR).

Furthermore, our Website uses “cookies” in several places, which serve to make our offer more user-friendly and effective. Cookies are small text files which our Website places on your computer or other web-enabled devices, such as tablets or smartphones. If your browser settings accept cookies, your browser adds the text to a small file.

Unless otherwise specified in this privacy policy, the cookies we use are necessary for our Website’s functionality and performance. Two types of cookies may be used on websites: “session cookies” and “permanent cookies”. Session cookies are temporary cookies which remain on your device until you leave the website. On the other hand, a permanent cookie remains on your device, even after you have left the website, for a specific period or until you delete it manually. (How long a cookie remains on your device depends on the “lifespan” of the respective cookie.) For example, this includes cookies that enable you to register for the protected area of our Website. We use the information stored in the necessary cookies exclusively to provide you with the requested services and features.

Cookies do not damage your computer per se and do not contain viruses. You can set your browser in such a way that these cookies are not stored at all, or they are deleted at the end of your browsing session. However, please note that you may not be able to use all the features of our Website in this case.

3.2.2 Matomo

This Website uses Matomo, a web analysis service from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, to analyse user behaviour and to enable us to regularly improve our Website. Using the statistics obtained, we are able to improve our offer and present it in a more interesting way to you, as the user. The legal basis for the use of Matomo is Art. 6 (1) (f) GDPR.

Matomo places cookies in your local browser. The information collected in this way is stored exclusively on our server in Germany and includes the following data:

  • One byte (last three digits) of the IP address of the user's requesting system,
  • The website visited,
  • The website from which the user accessed the website visited (referrer),
  • The sub-pages visited on the website,
  • The length of time spent on the website and
  • The frequency of visits to the website.

This Website uses Matomo with a “PrivacyManager” plugin. This means that IP addresses are processed in a truncated form, which makes it impossible to identify any user directly. The IP address provided by your browser using Matomo will not be linked with other data collected by us.

We operate our web analysis software on our own servers and do not disclose any personal data to any third parties, except when our technical support is used (e.g. in the context of software updates).

You can prevent the use of cookies for web analysis purposes by turning off tracking using the option below. Matomo also recognises the “Do not track” setting, which can be set globally in many modern browsers.

Matomo is a free and open source software in which many developers from different countries and with different technical backgrounds are involved. You can find further information on Matomo at www.matomo.org.

You can prevent your activities on this Website from being analysed. This will protect your privacy, but will also prevent us from learning from your activities and improving usability for both you and other users.

3.2.3 Google Tracking- and Marketing Tools

On our website, we use various tracking and marketing tools provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”).

If you have your usual place of residence in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the competent controller for your data.

If you have expressly consented to the respective data processing (Art. 6 (1) (a) GDPR) as described in clauses 3.2.3.1 and 3.2.3.2, Google obtains the information it needs to provide its services by using cookies. Data are generally transferred to a Google server in the USA and stored there. In order to ensure a level of data protection in line with the EU, we have concluded EU standard contract clauses with Google (Art. 46 (2) (c) GDPR), according to which Google undertakes to comply with European data protection requirements.

You can prevent the installation of cookies in various ways:

  • By selecting the appropriate settings in your browser software; in particular, suppression of third-party cookies means that you will not receive any third-party advertisements. Please note that in this case, you may not be able to use all of our website’s functions in full;
  • By installing the plug-in provided by Google under the following link google.com/settings/ads/plugin;
  • By deactivating the interest-based advertisements from providers that are part of the “About Ads” self-regulation campaign via the link aboutads.info/choices; however, these settings will be deleted if you delete your cookies.

You can also obtain an opt-out cookie from here which, when installed, prevents Google from collecting data, which is particularly useful in the event that the deactivation add-on does not work, such as on mobile devices. If you access our website using various browsers/devices, you need to carry out the steps described on all browsers/devices.

You can find further information regarding data protection when using Google Analytics at support.google.com/analytics/answer/2838718. You can also find further information regarding protection of your data when using Google services from the following links:

3.2.3.1 Google Analytics

We use Google Analytics on our website. Google Analytics stores cookies in your web browser for a period of two years from your last visit. When you visit our website, this cookie records data which are transmitted to a Google server in the USA and stored there, including:

  • Browser type/version
  • Operating system used
  • Referrer URL (the website visited previously)
  • Host name of the accessing computer (IP address)
  • Time of the server request
  • The achievement of “website targets” (e.g. contact requests)
  • Your behaviour on the website (e.g. clicks, scrolling and length of visit)
  • Your approximate location (country and town)
  • Technical information such as browser, internet service provider, device and screen resolution
  • Origin of your visit (i.e. from which website or advertisement you reached us).

However, the IP address transmitted by your browser in particular will not be consolidated with other Google data. We have also extended Google Analytics on this website to include the code “anonymizeIP”. This guarantees that your IP address is masked so that all data are collected anonymously. Only in exceptional circumstances will the full IP address be transferred to a Google server in the USA and truncated there.

The cookies placed by Google Analytics also include a randomly generated user ID, allowing you to be recognised in the event of any future visits to the website. The information obtained by the cookies is stored together with the randomly generated user ID, which lets user profiles be analysed pseudonymously. These user-related data are erased automatically after 14 months. Other data remain stored for an indefinite period in an aggregated form.

Google uses the information obtained by placing cookies to analyse your use of our website, to compile reports on the website activities, and to provide us with further services associated with use of the website and the Internet. In this way, we can improve our offer and make it more interesting for you as a user. We also obtain information on our website’s functionality (e.g. identification of navigation problems).

Furthermore, Google is entitled to process the information obtained for its own purposes. For this reason, we only use Google services on our website if you consent to the processing of your personal data (the legal basis is Art. 6 (1) (a) GDPR). If you have already given consent, you can, of course, withdraw it at any time with future effect as specified in clause 3.2.3 above. You can also obtain an opt-out cookie from here which, when installed, prevents Google from collecting data, which is particularly useful in the event that the deactivation add-on does not work, such as on mobile devices. If you access our website using various browsers/devices, you need to carry out the steps described on all browsers/devices.

You can find further information regarding data protection when using Google Universal Analytics at support.google.com/analytics/answer/2838718. You can also find further information regarding protection of your data when using Google services from the following links:

3.2.3.2 Google Ads Conversion

We use the services of “Google Ads Conversion” to draw attention to our attractive offers on external websites using advertising materials (“Google Ads”). We can determine how successful the individual advertising measures are in relation to the advertising campaign data. By doing so we are pursuing the interest of showing you advertising that is of interest to you, making our website more interesting for you, and achieving a fair calculation of advertising costs.

These marketing materials are supplied by Google using “ad servers”. For this, we use ad server cookies, which allow specific success parameters, such as displaying the advertisements or user clicks, to be measured. If you access our website via a Google ad, Google Ads will store a cookie on your device. These cookies usually expire after 180 days and are not intended to identify you personally. The following are usually stored by this cookie as measures:

  • Unique cookie ID;
  • Number of ad impressions per placement (frequency);
  • Last impression (relevant for post-view conversions); and
  • Opt-out information (mark that the user no longer wishes to be contacted).

These cookies let Google recognise your Internet browser. If you visit specific pages of an Ads customer’s website and the cookie stored on your computer has not yet expired, both Google and we can see that you have clicked on the ad and have been redirected to this page. Each Ads customer is assigned a different cookie. Cookies therefore cannot be tracked via Ads customers’ websites.

We do not collect and process any personal data using the specified marketing measures. Google only supplies us with statistical analyses. Using these analyses, we can see which of the marketing measures we have used are particularly effective. We do not receive any further data from the use of marketing materials; in particular, we cannot identify users on the basis of this information.

If you have expressly consented to the data processing described (Art. 6 (1) (a) GDPR), your browser automatically establishes a direct connection to the Google server due to the marketing tools used. We have no influence over the extent and further use of the data collected by Google using this tool and can therefore only provide you with information according to our understanding of the process: by incorporating Ads Conversion, Google is informed that you have accessed the respective part of our website, or have clicked on one of our advertisements. If you are registered with one of Google's services, Google can allocate the visit to your account. Even if you are not registered or logged in to Google, there is a possibility that the provider may discover and store your IP address.

3.2.3.3 Google Ads Remarketing

Within Google Ads we also use the remarketing feature, provided that you have given your express consent to this (Art. 6 (1) (a) GDPR). Using the remarketing feature, we can present our website users with advertisements based on their interests on other websites within the Google advertising network (in Google search or on YouTube, so-called “Google ads” or on other websites). For this purpose, your interaction as a user of our website is analysed (e.g. products in which you have shown an interest) so that we can show you targeted adverts on other websites after you have visited our website. In order to allow this analysis, Google stores cookies on your device if you visit Google services or websites belonging to the Google Display Network. These cookies usually expire after 30 days (this only applies to cookies that are placed by this website). These cookies let your browser be identified, so that your visits to the respective websites can be recorded. The cookies are used exclusively to identify the web browser on a specific device and are not used to identify individuals.

3.2.5 Google Tag Manager

This website uses Google Tag Manager. Google Tag Manager is a solution that allows us to manage website tags using an interface. The tool itself (which implements the tags) is a cookie-free domain and does not register personal data. The tool causes other tags to be activated (e.g. Google Analytics – cf. clause 3.2.3), which may in turn collect data in certain circumstances. Google Tag Manager does not access these data. If there has been a deactivation at domain or cookie level, this will apply to all tracking tags implemented using Google Tag Manager.

3.2.6 Integration of Google Maps

We use Google Maps on our Website. This allows us to display interactive maps directly on the Website. It also allows you to use the map function easily.

As a result of integration of Google Maps on our Website, Google will be informed that you are visiting our Website and have visited the relevant sub-page. Personal data will also be transferred. The data transfer will occur regardless of whether Google provides a user account into which you are logged in, or whether no user account exists. If you are logged into Google, your data will be attributed directly to your account. If you do not wish your data to be attributed to your account in this way, you must log out before activating the button. Google stores your data as a user profile and uses them for the purposes of marketing, market research and/or the needs-based design of its website. This type of analysis is carried out (even for users who are not logged in) particularly to provide appropriate marketing and to inform other social network users about your activities on our Website. You have the right to object to creation of these user profiles; you must contact Google to exercise this right. We have no control over collection and processing of the data.

You can find further information about the purpose and extent of data collection and processing by Google and your rights, as well as settings options for protecting your privacy at: google.de/intl/de/policies/privacy.

3.2.7 Facebook Pixel

We also use “Facebook Pixel”, a service provided by the social network Facebook, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”) for further analysis and optimisation and for commercial operation of our website.

In order to ensure a level of data protection in line with the EU, we have concluded EU standard contract clauses with Facebook (Art. 46 (2) (c) GDPR), according to which Facebook undertakes to comply with European data protection requirements.

Facebook Pixel is embedded straight into our website by Facebook and can store a cookie on your device if you have given your express consent to this (Art. 6 (1) (a) GDPR). If you subsequently log in to Facebook, or visit Facebook while you are logged in, the visit to our website will be recorded on your profile. The data collected about you are anonymous to us and therefore do not allow us to identify you. However, the data are stored and processed by Facebook, so that a link to the respective user profile is possible and can be used by Facebook for its market research and marketing purposes, as well as ours. If we forward data to Facebook for comparison purposes, such data are encrypted locally on the browser and only then are they sent to Facebook using a secure https connection. This is done solely for the purpose of a comparison with the data similarly encrypted by Facebook.

Facebook Pixel also lets Facebook identify visitors to our website as a target group for displaying advertisements (“Facebook Ads”). Accordingly, we use Facebook Pixel to ensure that the Facebook Ads placed by us are only displayed to those Facebook users who have shown an interest in our website, or who exhibit specific characteristics (such as interest in specific topics or products determined on the basis of websites visited) that we specify to Facebook (“custom audiences”). We also use Facebook Pixel to try to ensure that our Facebook Ads correspond to the potential interests of users and are not perceived to be annoying. Facebook Pixel also lets us determine Facebook advertisements’ effectiveness for statistical and market research purposes, as it lets us see whether users have been redirected to our website after clicking on a Facebook advertisement (“conversion”).

Furthermore, when using Facebook Pixel, we use the additional “extended comparison” function. This lets data for the formation of target groups (“custom audiences” or “look-alike audiences”) be sent to Facebook in encrypted form.

We only use Facebook Pixel on our website if you consent to this processing of your personal data (Art. 6 (1) (a) GDPR). You can, of course, withdraw any consent you have given at any time with future effect. Such withdrawal of consent does not affect lawfulness of the processing (until consent is withdrawn).

Further information about the collection and use of data by Facebook, your rights in this regard and your options regarding protection of your privacy can be found in Facebook’s privacy policy at facebook.com/about/privacy.

Alternatively, you can deactivate the “custom audiences” remarketing feature at facebook.com/settings. You must be registered with Facebook to be able to do this.

To select what kind of advertisements are displayed to you within Facebook, go to the page set up by Facebook and follow the instructions on settings for use-based advertising. The settings are platform-independent, i.e. they are adopted by all devices, such as desktop computers or mobile devices. You can also object to the use of cookies employed to measure scope and for marketing purposes on the network advertising initiative deactivation page and also on the American website aboutads.info or the European website youronlinechoices.com.

3.3 Social media platforms

3.3.1 Facebook

We also run a Facebook page to give our company a presence on this platform, to provide information and to make contact with you as a visitor to and user of our Facebook page. As the operator of this Facebook page, we - together with the platform operator, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland - are the Controller.

When you visit our Facebook page, the Controllers process personal data. Data processing is carried out on the basis of an agreement between joint Controllers in accordance with Art. 26 GDPR, which you can view here: facebook.com/legal/terms/page_controller_addendum.

Below we inform you about which data this relates to and the way in which they are processed.

For our part, we collect personal data if, for example, you contact us via Messenger (user name, personal data included in your message as applicable). These data are stored and used exclusively for the purpose of responding to your query or for making contact and the associated technical administration. The legal basis for processing data is our legitimate interest in responding to your query in accordance with Art. 6 (1) (f) GDPR. Your data will be erased after we have finished dealing with your query, unless there are any statutory retention obligations that would prevent this. We deem that we have finished dealing with your query if, according to the circumstances, the respective issue has been fully resolved.

We also analyse the visits to and interactions with our Facebook page. Facebook creates user profiles for this purpose and provides us exclusively with anonymous data in the form of Page Insights (“Page Insights”): facebook.com/business/a/page/page-insights.

These consist of aggregated data, which provide us with information about how people interact without our page. Page Insights may be based on personal data that are collected when people visit or interact with our page and its content. In accordance with Art. 6 (1) (f) GDPR, this serves to uphold our overriding legitimate interests, which are established on a balance of interests, in the optimised presentation of our offer and more effective communication with customers and potential customers.

Please note that by using and visiting our Facebook page, your personal data are processed by Facebook as well as by edding. Both edding and Facebook are joint Controllers in relation to the processing of Insights data. Facebook is responsible for the way in which it uses Insights data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook page are attributed to individual users, how long Facebook stores these data and whether data from a visit to the Facebook page are disclosed to third parties.

In relation to data processing via our Facebook page, you can assert your rights as a Data Subject (see number 7 below) against Facebook as well as against edding. You can find further information about this in Facebook’s data use policy at de-de.facebook.com/about/privacy..

In addition to the processing mentioned above, Facebook also processes your data for analysis and marketing purposes and to serve personalised advertising. To the best of our knowledge, Facebook also uses cookies, pixels or other technologies in order to store your user behaviour (including using various end devices) in order to do this. This enables Facebook to serve targeted advertising on its own platform and on third-party sites. The data collected about you in this context is also transferred by Facebook to the USA and other countries outside the European Union. Facebook describes in general terms in its data use policy exactly what information Facebook receives and how such information is used. Here you can also find information on how to contact Facebook and your settings options for advertisements. You can access the data use policy using the following link: de-de.facebook.com/about/privacy. You can find Facebook’s full Data Policies here: de-de.facebook.com/full_data_use_policy.

Facebook also offers Facebook members the opportunity to object to certain data processing practices; you can find information and opt-out options regarding this at facebook.com/settings.

You can contact the Facebook data protection officer using the online contact form provided by Facebook at facebook.com/help/contact/540977946302970.

The competent supervisory authority for Facebook Ireland Ltd. is: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland www.dataprotection.ie.

3.3.2 Instagram

We also use the technical platform and services of Instagram on our Website. The Instagram service is one of the Facebook products provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). As the operator of this Instagram page, we are joint Controllers with Facebook. When you visit our Instagram page, the Controllers process personal data. As a Controller of this page, we have entered into agreements with Facebook which govern issues including the conditions for using the Instagram page. Instagram’s Terms of Use and the other conditions and guidelines listed at the end of the Terms of Use apply.

We inform you below about which data this relates to and the way in which they are processed.

We would expressly point out that Facebook stores its users’ data (e.g. personal information, IP address, etc.) and uses them for commercial purposes. For more information about the data processing carried out by Facebook, see Facebook’s Data Policy at de-de.facebook.com/policy.php.

We have no control over data collection and further processing carried out by Facebook. We also do not know to what extent, where and for how long Facebook stores the data, to what extent Facebook complies with existing erasure obligations, which analyses and connections Facebook makes using the data and to whom Facebook discloses the data. If you would like to avoid Facebook processing your personal data that you have provided to us, please contact us in other ways. You can find all of our contact details in our legal notice for this Website, or on Facebook.

We only collect and use our users’ personal data if this is necessary or appropriate for providing a functional Instagram company page. or website linked from Instagram and for our content and services, such as participating in promotions and competitions etc. published on Instagram.

You can make contact with us via our Instagram page either by sending a private message or by commenting under a picture. You can contact us in this way with any questions regarding edding, our Instagram page, or with any other queries. When you contact us, you particularly provide us with your user name, the text of the query and, potentially, further personal data. These data are stored and used exclusively for the purpose of responding to your query and contacting you and for the associated technical administration. Comments are public and are visible to all other Instagram users.
The legal basis for processing data is our legitimate interest in responding to your query in accordance with Art. 6 (1) (f) GDPR. Your data will be erased after we have finished dealing with your query, unless there are any statutory retention obligations that would prevent this. We deem that we have finished dealing with your query if, according to the circumstances, the respective issue has been fully resolved.

Depending on the user’s respective privacy settings on Instagram, we can also see if you have liked or shared one of our Instagram pages, posts or comments, or if you have subscribed to our Instagram page. We can also attribute comments on our Instagram page to you as an Instagram user. The legal basis for this data processing is Art. 6 (1) (f) GDPR. Our legitimate interest is in communicating and interacting with you via Instagram.

The type and extent of personal data collection when you visit an Instagram page therefore depends on your behaviour and can be controlled by you. It is possible to visit our Instagram page at any time without leaving any comments or clicking on “Like”. Please note that the interactive features on Instagram can only be used following registration. Facebook can even process data in relation to this.

We also receive statistical data from Facebook regarding visitors to our Instagram page via the “Insights” feature. These consist of aggregated data which provide us with information about how people interact without our page. Page Insights may be based on personal data that are collected when people visit or interact with our page and its content. This feature allows us to better analyse our page and tailor it to our users’ interests. Our legitimate interest pursuant to Art. 6 (1) (f) GDPR in the operation of our Instagram page and the use of Insights is carrying out effective marketing on a widely used platform. You can find more information on the “Insights” feature here: facebook.com/iq/tools-resources/audience-insights.

You can contact Facebook’s data protection officer using the online contact form provided by Facebook at
facebook.com/help/contact/540977946302970.

The competent supervisory authority for Facebook Ireland Ltd. is: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland www.dataprotection.ie.

3.4 Consent to usage of Cookies

4. Disclosure of data to other third parties

We must also disclose some data to third parties, in strict compliance with the applicable data protection laws, in connection with the tools and features used on our Website.

4.1 Disclosure to external service providers

In relation to the content-related, technical support and design of our online presence, it may be necessary for external service providers to be given access to personal data (particularly IT service providers).

In this case, your personal data will only be handled in accordance with our express instructions and on the basis of a data processing agreement in accordance with Art. 28 GDPR. According to this agreement, the service provider guarantees to us that they provide their service in accordance with applicable data protection laws. The involvement of professional providers of corresponding services is expressly provided for by law and serves our legitimate interest in professionalising our offer for you and providing it in a way that is economically viable (legal basis: Art. 6 (1) (f) GDPR). We remain responsible for protection of your data even in this case.

4.2 Disclosure on the basis of statutory obligations

We reserve the right to disclose your personal data if we are obliged to do so by law, or if we are asked to provide such data by public authorities or prosecution agencies. We will not disclose your data to third parties in any other circumstances.

5. Location of data processing and data security

Your data will be processed mainly in Germany. Your data will only be transferred to a country outside of the European Union or the Eurozone if an adequate level of protection has been established for the respective country within the terms of Art. 45 (2) GDPR. Data collected on our Website may be transferred to the United States on this basis (e.g. to Rocket Science Group, the MailChimp provider). In order to protect your data from unauthorised access and misuse, we have implemented comprehensive, state-of-the-art technical and organisational security measures in accordance with European data protection law (Art. 32 GDPR) and, in the event of any order processing, we have concluded an agreement in accordance with Art. 28 GDPR.

6. Erasure and blocking of personal data

We only process and store the Data Subject’s personal data for the period that is necessary to achieve the purpose of the storage or, if legally prescribed, until a relevant storage period has expired. If the storage purpose ceases to apply, or if a legally prescribed storage period expires, the personal data will be blocked or erased in accordance with the statutory provisions, unless the Data Subject has provided us with their consent to store and continue to process the data.

7. Your rights as a Data Subject

Right of access: you can request information at any time, free of charge, about the extent, the origin and the recipient of the stored data and the purpose for storage (Art. 15 GDPR). If you wish to exercise your right of access, you can contact an edding employee or the data protection officer about this at any time.

Right to data portability: you can receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format (Art. 20 GDPR), if (1) processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, or on a contract pursuant to Art. 6 (1) (b) GDPR, and (2) processing is carried out by automated means.

Right to request rectification: every data subject has the right to obtain rectification of inaccurate personal data concerning him or her (Art. 16 GDPR) without undue delay. The data subject also has the right, taking into account the purpose of processing, to have incomplete personal data completed.

Right to erasure (right to be forgotten): every data subject has the right to request that the Controller erase personal data concerning him or her without undue delay, if one of the following reasons applies and if processing is unnecessary (Art. 17 GDPR): (1) the personal data were collected or otherwise processed for purposes for which they are no longer necessary; (2) the data subject withdraws consent on which the processing is based and there is no other legal basis for processing; (3) the data subject objects to processing and there are no overriding legitimate reasons for processing; (4) the personal data have been processed unlawfully; (5) the personal data have to be erased for compliance with a legal obligation.

Right to object: every data subject has the right to object to processing of personal data concerning him or her at any time (Art. 21 GDPR). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override the data subject’s interests, rights and freedoms, or processing is for the assertion, exercise or defence of legal claims. If we process personal data for direct marketing purposes, the data subject shall have the right to object to processing of the personal data for such marketing at any time.

Right to withdraw data protection consent: every data subject has the right to withdraw any consent to the processing of personal data at any time (Art. 7 (3) GDPR).

Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that processing of personal data relating to you infringes this GDPR (Art. 77 GDPR).

If you assert this right, we will assess your claim and admit it unless there are any statutory regulations that prevent us from doing so. We will inform you of the outcome.

You do not have to comply with any specific formal requirements in order to assert your rights as a data subject. For example, you can send an email to datenschutz@edding.de, or use the contact options on the Website. If your request for information relates to specially protected data within the terms of Art. 9 GDPR - particularly health data - you must provide specific personal identification so that we can check that you are entitled to make such a request. In this case, you can attach a copy of both sides of an identity document (copy of your identity card, passport or registration certificate) to the request in order for the identity of the person entitled to the information to be verified clearly; your forename and surname, your full address, your date of birth and your place of birth must be clearly legible on the identity document, although other details, including your photograph, can be blacked out.

8. Updates and amendments

We may amend or update parts of the Privacy Policy without providing you with any prior notice. Please always check the Privacy Policy before using our Website in order to be up to date with any amendments or updates.