DATA PRIVACY POLICY

Each time a data subject or an automated system accesses the website, a series of general data and information is collected. This general data and information is stored in the server log files. The following may be recorded:

1. The browser types and versions used

2. The operating system used by the accessing system

3. The website from which the accessing system arrived at our website (so-called referrer)

4. The subpages that are accessed on our website via an accessing system

5. The date and time of access to the website

6. An Internet Protocol (IP) address

7. The internet service provider of the accessing system

8. Other similar data and information that serve to protect against threats in the event of cyberattacks

When using this general data and information, no conclusions are drawn about the data subject. Instead, this information is needed to:

1. Deliver the content of our website correctly

2. Optimize the content of our website and its advertising

3. Ensure the continued functionality of our information technology systems and website technology

4. Provide law enforcement authorities with necessary information in case of a cyberattack

These anonymously collected data and information are statistically evaluated by us and further used to increase data protection and security in our company to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data from server log files are stored separately from all personal data provided by a data subject.

The data subject has the option to register on our website by providing personal data. The specific personal data that is transmitted to the controller is determined by the respective input mask used for registration. The personal data entered by the data subject is collected and stored exclusively for internal use by the controller and for its own purposes. The controller may initiate the transfer of data to one or more processors, such as a parcel service provider, who also uses the personal data exclusively for internal purposes attributable to the controller.

When registering on the controller’s website, the IP address assigned by the internet service provider (ISP), as well as the date and time of registration, are also stored. This data is stored because it is the only way to prevent misuse of our services and to allow the investigation of any criminal offenses if necessary. In this respect, the storage of this data is necessary to protect the controller. This data is not disclosed to third parties unless there is a legal obligation to do so or the disclosure serves law enforcement purposes.

The registration of the data subject by voluntarily providing personal data serves the purpose of offering the data subject content or services that can only be provided to registered users due to their nature. Registered persons can modify or completely delete the personal data provided during registration at any time.

Upon request, the controller will provide any data subject with information about which personal data is stored about them. Furthermore, the controller will correct or delete personal data upon request or notification from the data subject, as long as there are no statutory retention obligations that prevent this. The entirety of the controller’s employees is available as contact persons in this regard.

Due to legal regulations, the website contains information that enables quick electronic contact with our company and direct communication with us, including a general email address (electronic mail). If a data subject contacts the controller via email or a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data voluntarily provided by the data subject to the controller is stored for processing the request or for contacting the data subject. This personal data is not disclosed to third parties.

The hosting services we use provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, as well as technical maintenance services, which we utilize for the operation of this online offering.

In this context, we and/or our hosting provider process inventory data, contact data, content data, contract data, usage data, metadata, and communication data of customers, interested parties, and visitors of this online offering. This processing is based on our legitimate interest in the efficient and secure provision of this online offering in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).

The data controller processes and stores personal data of the data subject only for the period necessary to achieve the storage purpose or as required by the European legislator or another relevant legislator in laws or regulations to which the data controller is subject.

If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with legal requirements.

a) Right to Confirmation

Every data subject has the right, granted by the European legislator, to request confirmation from the data controller as to whether personal data concerning them is being processed. If a data subject wishes to exercise this right, they may contact a staff member of the data controller at any time.

b) Right to Information

Every data subject affected by the processing of personal data has the right, granted by the European legislator, to obtain free information about the personal data stored about them and to receive a copy of this information from the data controller at any time.

Additionally, the European legislator grants the data subject the right to access the following information:

• The purposes of the processing

• The categories of personal data being processed

• The recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries or international organizations

• If possible, the planned storage duration of the personal data or, if not possible, the criteria used to determine that duration

• The existence of a right to rectification or deletion of their personal data, a right to restrict processing by the data controller, or a right to object to such processing

• The existence of a right to lodge a complaint with a supervisory authority

• If the personal data was not collected from the data subject: Any available information about the data’s source

• The existence of automated decision-making, including profiling, as per Article 22(1) and (4) GDPR, and meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for the data subject

Furthermore, the data subject has the right to know whether personal data has been transferred to a third country or an international organization. If this is the case, they have the right to be informed about the appropriate safeguards relating to the transfer.

If a data subject wishes to exercise this right to information, they may contact a staff member of the data controller at any time.

c) Right to Rectification

Every data subject has the right, granted by the European legislator, to request the immediate rectification of inaccurate personal data concerning them. Additionally, considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.

If a data subject wishes to exercise this right to rectification, they may contact a staff member of the data controller at any time.

d) Right to Erasure (Right to Be Forgotten)

Every data subject has the right, granted by the European legislator, to request the data controller to delete personal data concerning them without delay if one of the following reasons applies and processing is not necessary:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

• The data subject withdraws their consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.

• The data subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

• The personal data has been unlawfully processed.

• The deletion of personal data is required to fulfill a legal obligation under EU or Member State law to which the data controller is subject.

• The personal data was collected in relation to information society services offered under Article 8(1) GDPR.

If any of the above reasons apply and a data subject wishes to request the deletion of stored personal data, they may contact a staff member of the data controller at any time. The staff member will ensure that the deletion request is processed immediately.

If the personal data has been made public and the data controller is obliged to delete the personal data under Article 17(1) GDPR, the company will take reasonable measures, including technical measures, to inform other data controllers processing the published personal data that the data subject has requested the deletion of any links to, copies, or replications of this personal data unless processing is necessary.

e) Right to Restriction of Processing

Every data subject has the right, granted by the European legislator, to request the restriction of processing from the data controller if one of the following conditions is met:

• The accuracy of the personal data is contested by the data subject for a period that allows the data controller to verify its accuracy.

• The processing is unlawful, and the data subject opposes the deletion of personal data and instead requests the restriction of its use.

• The data controller no longer needs the personal data for processing, but the data subject requires it for the establishment, exercise, or defense of legal claims.

• The data subject has objected to processing pursuant to Article 21(1) GDPR, and it has not yet been determined whether the legitimate interests of the data controller override those of the data subject.

If one of the above conditions is met and a data subject wishes to request the restriction of processing of stored personal data, they may contact a staff member of the data controller at any time. The staff member will arrange for the restriction of processing.

f) Right to Data Portability

Every data subject has the right, granted by the European legislator, to receive their personal data, which they have provided to a data controller, in a structured, commonly used, and machine-readable format. They also have the right to transfer this data to another data controller without hindrance, provided that:

• The processing is based on consent under Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract under Article 6(1)(b) GDPR.

• The processing is carried out by automated means.

Additionally, the data subject has the right to have their personal data transmitted directly from one controller to another, where technically feasible and where it does not adversely affect the rights and freedoms of others.

To exercise the right to data portability, the data subject may contact the data controller at any time.

g) Right to Object

Every data subject has the right, granted by the European legislator, to object, on grounds relating to their particular situation, at any time to the processing of their personal data based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

In case of an objection, the data controller will no longer process the personal data unless compelling legitimate reasons for processing can be demonstrated that override the data subject’s interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing, the data subject has the right to object at any time to such processing, including profiling related to direct marketing. If they object, their personal data will no longer be used for these purposes.

Additionally, the data subject may object to processing related to scientific, historical research, or statistical purposes under Article 89(1) GDPR, unless necessary for public interest tasks.

To exercise the right to object, the data subject may contact any staff member directly.

h) Automated Decision-Making, Including Profiling

Every data subject has the right, granted by the European legislator, not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them, unless:

• The decision is necessary for entering into or performing a contract with the data controller.

• The decision is authorized by EU or Member State law and includes safeguards.

• The decision is based on the data subject’s explicit consent.

If one of these conditions applies, the data controller will implement appropriate safeguards, including human intervention, to protect the data subject’s rights and freedoms.

i) Right to Withdraw Consent

Every data subject has the right to withdraw their consent to personal data processing at any time.

To exercise this right, the data subject may contact a staff member of the data controller at any time.

Article 6(1)(a) of the GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party—such as processing operations required for the delivery of goods or the provision of another service or consideration—then the processing is based on Article 6(1)(b) of the GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example, in cases of inquiries regarding our products or services.

If our company is subject to a legal obligation that requires the processing of personal data—such as to fulfill tax obligations—then the processing is based on Article 6(1)(c) of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This could be the case, for example, if a visitor were injured on our premises and their name, age, health insurance details, or other essential information needed to be passed on to a doctor, hospital, or other third parties. In this situation, the processing would be based on Article 6(1)(d) of the GDPR.

Finally, processing operations could be based on Article 6(1)(f) of the GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal grounds, where processing is necessary to protect a legitimate interest of our company or a third party, provided that such interests are not overridden by the interests, fundamental rights, and freedoms of the data subject. The European legislator specifically acknowledged that a legitimate interest may be assumed if the data subject is a customer of the data controller (Recital 47, Sentence 2 of the GDPR).

If the processing of personal data is based on Article 6(1)(f) of the GDPR, our legitimate interest is the conduct of our business activities for the benefit of the well-being of all our employees and shareholders.

The criterion for determining the storage period of personal data is the respective legal retention period. After the expiration of this period, the corresponding data is routinely deleted unless it is still required for contract fulfillment or initiation.

We inform you that the provision of personal data is sometimes required by law (e.g., tax regulations) or may result from contractual obligations (e.g., information about the contracting party). In some cases, it may be necessary for a data subject to provide us with personal data to conclude a contract, which will then be processed by us. For example, the data subject is obliged to provide us with personal data if our company enters into a contract with them. Failure to provide personal data would result in the contract not being concluded.

Before providing personal data, the data subject must contact one of our employees. The employee will clarify on a case-by-case basis whether the provision of personal data is legally or contractually required, necessary for contract conclusion, whether there is an obligation to provide the personal data, and what consequences the non-provision of personal data would have.

As a responsible company, we do not engage in automated decision-making or profiling.