PRIVACY STATEMENT – May 2018
The subject matter of data protection is personal data.
1. General information
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy statement. Our website and our business processes are designed to ensure that as little personal data as possible is collected or processed.
When you use this website, various personal data will be collected. Personal data is data that personally identifies you. This Privacy Statement explains what type of data we collect and what we use it for. It also explains how and for what purpose this takes place.
Please read this privacy statement carefully. It will inform you about the extent, nature and purpose of the collection, use and processing of personal data of persons who make contact with us via this website.
Name and contact details of the company as the controller in accordance with Article 4(7) GDPR and Article 13(1a) GDPR
Schallplattenfabrik Pallas GmbH
Auf dem Esch 8
Telephone: +49 5441 977-0
Telefax: +49 5441 977-111
The privacy statement is based on the terminology used by the European bodies issuing directives and legislation in the adoption of the General Data Protection Regulation (GDPR).
The law requires that personal data is processed lawfully, in good faith, and in a comprehensible way for the data subject (“lawfulness, fairness, transparency”).
Our privacy statement is intended to be easy to read and understand for you as a visitor, customer or business partner.
To ensure this, we would like to explain in advance the terminology used. In this privacy statement we use, among others, the following terms:
a) Personal data
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter the “data subject”); a natural person is considered to be identifiable if they are able to be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c) Restriction of processing
“Restriction of processing” means the marking of stored personal data with the aim of limiting its processing in the future.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Pseudonymisation” means the processing of personal data in a way in which the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
i) Data subject
“Data subject” means any identified or identifiable natural person whose personal data is processed by the controller.
j) Third party
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Consent” on the part of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. Data collection on our website
(on the basis of Article 6(1)(1)(f) GDPR)
4.1. How do we collect your data on our website and for what purpose?
When anyone visits our website, personal data is collected.
A. Automatic data collection
When you visit our website, the browser used on your device (e.g. PC or smartphone) will automatically send information to the server of our website.
Unless you register or otherwise provide information to us, we will only collect the following personal data that your browser transmits to our server.
The following information will be collected during the automatic data collection without any action on your part, and stored in the log files of the server until the time of automatic deletion.
The following can be collected:
a) Browser type and browser version
b) Operating system used
c) Website from which access is obtained (the so-called referrer)
d) The sub-websites, which are accessed via an accessing system on our website
e) Date and time of access to the website
f) Internet Protocol address (IP address)
g) The Internet service provider (host name) of the accessing system
h) Other similar data and information for use in the event of attacks on our information technology systems.
The aforementioned data is processed by us for the following purposes:
• To ensure a smooth connection of the website
• To ensure easy use of our website
• To evaluate system security and stability
• For other administrative purposes.
This data is technically necessary for us to be able to show you our website and ensure stability and security.
The legal basis for the data processing is Article 6(1)(1)(f) GDPR.
Our legitimate interest ensues from the data collection purposes listed above. Under no circumstances will we use the collected data for the purpose of drawing conclusions about you.
B. Collection of data disclosed by you
Additional data will be collected if you disclose it to us. This can be, for example, data that you enter in a contact form or send via email (for example your email address, name and/or telephone number).
The data you provide will be stored by us in order to answer your questions. We will delete the data obtained in this way as soon as its storage is no longer required, or the processing will be restricted if statutory retention requirements exist.
The data processing for the purpose of contacting us takes place in accordance with Article 6(1)(1)(a) and (b) GDPR on the basis of your voluntarily granted consent.
5. Dissemination of data
There will be no transfer of your personal data to third parties for purposes other than those listed below.
We will only share your personal data with third parties if:
• you have given your express consent to do so, in accordance with Article 6(1)(1)(f) GDPR,
• disclosure pursuant to Article 6(1)(1)(f) GDPR is required to assert, exercise or defend legal claims, and there is no reason to assume that you have an overriding and legitimate interest in the non-disclosure of your data,
• a legal obligation of disclosure pursuant to Article 6(1)(1)(c) GDPR exists, and
• this is permitted by law and is required for the handling of the contractual relationship with you in accordance with Article 6(1)(1)(b) GDPR.
6. Data deletion and storage period
We adhere to the principles of data avoidance and data economy. The controller processes and stores the personal data of the data subject only for the period necessary to achieve the purpose of the storage or as required by the various storage periods provided for by the legislator. If the storage purpose no longer applies or if a storage period prescribed by the European directives and regulations or any other relevant legislature expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
7. Rights of the data subject
(1) Revocation of consent
In accordance with Article 7(3) GDPR, you can revoke your consent previously given to us at any time. As a result, we will not be allowed to continue data processing based on this consent in the future.
The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation. The data subject will be informed accordingly before the consent is given. The revocation of consent must be as simple as the granting of consent.
(2) Right to information of the data subject
(1) The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where this is the case, access to the personal data and the following information:
a. the purposes of the processing
b. the categories of personal data concerned
c. the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f. the right to lodge a complaint with a supervisory authority
g. where the personal data is not collected from the data subject, any available information as to their source
h. the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
(2) If personal data is transmitted to a third country or to an international organisation, you have the right to be informed about the appropriate safeguards under Article 46 GDPR relating to the transfer.
(3) The controller will provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may request an appropriate fee based on the administrative costs. If the data subject makes the request by electronic means, the information shall be provided in a standard electronic format unless otherwise indicated.
(4) The right to receive a copy in accordance with Section 3 shall not adversely affect the rights and freedoms of others.
(3) Right to rectification
In accordance with Article 16 GDPR, you have the right to demand the rectification of inaccurate personal data, or the completion of incomplete personal data stored by us without delay.
(4) Right to erasure (“right to be forgotten”)
In accordance with Article 17 GDPR, you have the right to demand the erasure of your personal data stored by us, and we are obliged to delete personal data immediately, where one of the following grounds applies:
a. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
b. The data subject withdraws their consent on which the processing was based in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal basis for the processing.
c. The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
d. The personal data has been unlawfully processed.
e. The personal data has to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject.
f. The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Where the controller has made the personal data public and is obliged pursuant to section 1 to erase the personal data, the controller, taking account of the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure (“right to be forgotten”) does not apply to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or for the establishment, exercise or defence of legal claims.
(5) Right to restriction of processing
You have the right to request that we restrict the processing of your personal data where one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
c. the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims,
d. the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If processing has been restricted in accordance with the above-mentioned conditions, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
In order to exercise the right to restriction of processing, the data subject may contact us at any time using the contact details provided above.
(6) Right to data portability
Pursuant to Article 20 GDPR, you are entitled to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller provided that:
a. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) GDPR; and
b. the processing is carried out by automated means.
In exercising the right to data portability referred to in section 1, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability is without prejudice to the right to erasure (“right to be forgotten”). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(7) Right to object
You have the right, for reasons relating to your particular situation, to object at any time to the processing of personal data relating to you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The right to object can be exercised at any time by contacting the operator.
(8) Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
a. is necessary for entering into, or performance of, a contract between the data subject and a controller,
b. is authorised by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c. is based on the data subject’s explicit consent.
The controller shall take suitable steps to safeguard the rights and freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
This right can be exercised by the data subject at any time by contacting the controller.
(9) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you, as the data subject, consider that the processing of personal data relating to you infringes this Regulation. In general, you can contact the supervisory authority of your usual place of residence or work, or our company headquarters. In our case, the data protection authority of the state of Lower Saxony (Landesbeauftragte für den Datenschutz Niedersachsen) is responsible for this. You can find more information at: https://www.lfd.niedersachsen.de
(10) Right to an effective judicial remedy
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, you have the right to an effective judicial remedy where you consider that your rights under this Regulation have been infringed as a result of the processing of your personal data in non-compliance with this Regulation.
8. Legal basis for the processing of personal data
The legal basis for the processing of personal data is set out in Article 6(1)(a) - (f) GDPR in particular:
a. Article 6(1)(a) GDPR serves our company as the legal basis for processing operations in which we seek consent for a particular processing purpose.
b. If the processing of personal data is necessary to fulfil a contract of which the data subject is a party, as is the case, for example, in processing operations necessary for the supply of goods or the provision of any other service or consideration, processing shall be based on Article 6(1)(b) GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example in the case of inquiries about our products or services.
c. If our company is subject to a legal obligation which requires the processing of personal data, such as the fulfilment of tax obligations, the processing is based on Article 6(1)(c) GDPR.
d. In rare cases, the processing of personal data may be necessary in order to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR.
e. Ultimately, processing operations could also be based on Article 6(f) GDPR. Processing operations that are not covered by any of the above legal foundations are based on this legal foundation if processing is necessary to safeguard the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail.
We take technical and organisational measures for data security (TOM) in accordance with Article 32 GDPR in order to protect your personal data against accidental or intentional manipulation, loss, destruction, and access by unauthorised persons. These security measures are always adapted to reflect the current state of the art.
Your personal data transmitted as part of the use of our website will be securely transmitted by means of encryption for security purposes and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. We use the encryption protocol Transport Layer Security (TLS), which is more widely known under the predecessor name Secure Sockets Layer (SSL).
An encrypted connection is indicated by the browser’s address bar changing from “http://” to “https://” and the padlock icon in your browser bar.
When SSL or TLS encryption is enabled, the data you submit to us cannot be read by third parties. Our employees are committed to data secrecy.
10. Collaboration with processors and third parties
If, in the context of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant access to the data, this is done only on the basis of legal permission (e.g. if a transmission of the data to third parties, as required by payment service providers, is, pursuant to Article 6(1)(b) GDPR, required to fulfil the contract), if you have consented to a legal obligation or on the basis of our legitimate interests (e.g. the use of agents, web hosters, etc.). Insofar as we commission third parties to process data on the basis of a so-called “contract processing contract”, this is done on the basis of Article 28 GDPR.
11. Legal or contractual regulations regarding the provision of personal data
Necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is required by law in some cases (such as tax regulations) or may result from contractual arrangements (such as details regarding the contractual partner). Sometimes, for a contract to be concluded, it may be necessary for a data subject to provide us with personal data which must subsequently be processed by us.
For example, the data subject is required to provide us with personal data when our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.
Before the data subject provides personal data, the data subject must contact our data protection officer. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is required for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of non-provision of the personal data would be.
12. Existence of automated decision-making
As a responsible company, we refrain from automatic decision-making and profiling.
The web pages make use of so-called cookies. Cookies are used to make our offering more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and by your browser.
Cookies do not harm your computer and do not contain viruses.
The cookies we use are so-called “session cookies”. They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies allow us to recognise your browser during your next visit.
Cookies required to carry out the electronic communication process or to provide certain functions desired by you (e.g. the shopping cart function) are stored on the basis of Article 6(1)(f) GDPR. The website operator has a legitimate interest in the storage of cookies to ensure the technically correct and optimised provision of its services. If other cookies (such as cookies for analysing your browsing behaviour) are stored, they will be dealt with separately in this privacy statement. We do not use analytical/tracking tools.
14. Social Media
Link to the social network Facebook
The controller has integrated components of the company Facebook on this website. Facebook is a social network.
A social network is an internet-based social meeting place – an online community that typically allows users to communicate with each other and interact in virtual space. A social network can serve as a platform for sharing views and experiences, or allow the online community to provide personal or company-related information. Facebook allows users of the social network to, among other things, create private profiles, upload photos and network via friend requests.
The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. The controller for personal data, if the data subject lives outside the USA or Canada, is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Each time one of the individual pages of this website, which is operated by the controller and on which a Facebook component (Facebook plug-in) has been integrated, is accessed, the internet browser on the information technology system of the data subject is automatically prompted by the respective Facebook component to download a representation of the corresponding Facebook component. A complete overview of all Facebook plug-ins can be downloaded at developers.facebook.com/docs/plugins/. As part of this technical process, Facebook receives information about which specific subpage of our website is being visited by the data subject.
If the data subject is at the same time logged into Facebook, Facebook recognises with each visit to our website by the data subject and during the entire duration of the respective stay on our website, which specific subpage of our website the data subject is visiting. This information is collected through the Facebook component and assigned by Facebook to the respective Facebook account of the data subject. If the data subject clicks on the integrated Facebook button on the website, for example the “Like” button, or if the data subject posts a comment, Facebook assigns this information to the personal Facebook user account of the data subject and saves this personal data.
Facebook always receives information via the Facebook component that the data subject has visited our website if the data subject is also logged into Facebook at the time of access to our website; this takes place regardless of whether the data subject clicks on the Facebook component or not. If such a transfer of this information to Facebook is not desired by the data subject, he/she can prevent the transfer by logging out of their Facebook account before accessing our website.
The data policy published by Facebook, which is available at de-de.facebook.com/about/privacy/ provides information on the collection, processing and use of personal data by Facebook. It also explains which configuration options Facebook offers to protect the privacy of the data subject. In addition, various applications are available that make it possible to suppress data transmission to Facebook. Such applications can be used by the data subject to suppress data transmission to Facebook.
15. Google fonts
This site uses certain Google fonts. When you visit a page, your browser loads these fonts. Your IP address, including the page (internet address) that you visited, will be transmitted to a Google server.
16. Google Maps
This website uses the “Google Maps and Route Planner” feature of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”) to display or compute geographic information and directions as a service to users. Via Google Maps, data about your use of this website can be transferred to Google, and collected and used by Google.
17. Up-to-dateness and changing this privacy statement
This privacy statement is currently in force and is valid as of May 2018.
Due to further development of our website and offerings or due to changes in legal or regulatory requirements, it may be necessary to amend this privacy statement. You can access and print out the current privacy statement at any time here on our website.