I. Contact details of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as data protection regulations is:
StilART Möbelwerkstätten GmbH
In der Brückenwiese 14
II. Contact details of the Data Protection Officer
You can contact our Data Protection Officer at email@example.com or at our postal address FAO “der Datenschutzbeauftragte”.
III. General information on data processing
1. Scope of processing of personal data
We process the personal data of our users in principle only where this is required to provide a functional website as well as the contents and services offered by us. The personal data of our users is usually only processed with the consent of the user. An exception applies to cases in which prior consent cannot be obtained on factual grounds and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Where we obtain the consent of the data subject for the processing of personal data, Article 6 (1) (a) EU General Data Protection Regulation (GDPR) serves as legal basis.
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Article 6 (1) (b) GDPR is the legal basis. This also applies to processing operations that are required to take steps prior to entering into a contract. Where the processing of personal data is necessary for the compliance with a legal obligation to which our company is subject, Article 6 (1) (c) GDPR is the legal basis.
If the processing of personal data is required in order to protect the vital interests of the data subject or of another natural person, Article 6 (1) (d) GDPR is the legal basis.
If the processing is required to protect the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interests, Article 6 (1) (f) GDPR is the legal basis for the processing.
3. Data erasure and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. In addition, personal data may be stored if provided for by the European or national legislator in EU regulations, laws, or other regulations to which the controller is subject. The data is also blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion or fulfilment of a contract.
4. Use of service providers
We use service providers for the following services and for the processing of your data:
(1) for the hosting of our website in a secure computer centre
(2) the care and maintenance of software and hardware
The service providers process data in the course of so-called job processing (Article 28 GDPR) exclusively in accordance with our instructions and are obliged to comply with the applicable data protection provisions. All service providers have been carefully selected by us and obtain access to personal data only to the extent and for the duration required to provide the service or as far as you have consented to the use of the data.
Where the registered office of our service providers or partners is located in a country outside the European Economic Area (EEA), we will inform you accordingly.
IV. Provision of the website and creation of log files
1. Description and scope of the data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer.
The following data is collected here:
(1) Information regarding the browser type and the version used
(2) The user’s operating system
(3) The internet service provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Websites, from which the system of the user reaches our website
(7) Websites that are called up by the system of the user via our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for temporary storage of the data and the log files is Article 6 (1) (f) GDPR.
3. Purpose of the data processing
Temporary storage of the IP address by the system is required to enable the delivery of the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.
The data is stored in log files in order to ensure the functionality of the website. The data also helps us to optimise the website and to safeguard the security of our IT systems. In this context, the data is not evaluated for marketing purposes.
Our legitimate interest in data processing also lies in these purposes, in accordance with Article 6 (1) (f) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Where data is collected for the provision of the website, the data is deleted when the respective session is completed.
If the data is stored in log files, it will be deleted within seven days. Continued storage may be possible, in which case the users’ IP addresses are deleted or masked so that association with a website user is not possible.
5. Option to reject and erase
The capture of the data for the delivery of our website and the storage of the data in log files is imperative for the operation of our website. The user therefore does not have the option to object.
a) Description and scope of the data processing
In the process, the following data is saved and transferred:
(1) Consent to note on cookie
(2) Spam protection
The following data can be transmitted this way:
(1) various statistics on visitors’ analysis
(2) use of website functions
The user data collected this way are pseudonymised by technical means. It is therefore no longer possible to assign the data to the calling user. The data is not stored together with other personal data.
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies that are technically necessary is Article 6 (1) (f) GDPR.
The legal basis for the processing of personal data while using cookies for analysis purposes is Article 6 (1) (a) GDPR, if the user’s consent to this effect has been obtained.
c) Purpose of the data processing
We require cookies for the following purposes:
(1) Analytics of visitor statistics
d) Duration of storage, Right to object and right to erasure
VI. Contact form and e-mail contact
1. Description and scope of the data processing
Our website contains a contact form. If a user chooses this option, the data entered in the input screen will be sent to us and stored. The contact form contains the following data:
• My name
• My e-mail address
• My phone number
• My topic
When the message is sent, the following data is also stored:
(1) The IP address of the user
(2) Date and time of registration
Alternatively, you can contact us via the e-mail address provided. In this case, the user’s personal data transmitted with the e-mail will be stored.
Data will not be passed on to third parties in this regard. This data will be used exclusively for processing the conversation.
2. Legal basis for data processing
If the consent of the user has been provided, the legal basis for the processing of the data is Article 6 (1) (a) GDPR.
The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6 (1) (f) GDPR. If the e-mail contact is aimed at forming a contract, an additional legal basis for the processing is Article 6 (1) (b) GDPR.
3. Purpose of the data processing
The purpose of processing the personal data from the input screen is solely to enable us to process the establishment of contact. In the case of contact via e-mail, this is also the basis of the required legitimate interest in the processing of the data.
The other personal data processed during the dispatching process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input screen of the contact form and the personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.
The personal data also collected during the dispatching process is deleted no later than after a period of seven days.
5. Right to object and erasure
The user has the right to withdraw its consent to the processing of the personal data at any time. A user contacting us by e-mail may object to the storage of his personal data at any time. In this case, the conversation cannot be continued.
You can notify us of your objection informally at any time by contacting us using the contact details provided in clause 1.
In this case, all personal data stored during contact will be erased.
VII. Web analysis using Google Analytics
(1) This website uses Google Analytics, an online website analysis service of Google Inc. ("Google").
Google Analytics uses so-called “cookies”, which are text files stored on your computer that enable an analysis of how you use the website. The information generated by the cookie about your usage of this website is normally sent to one of Google's servers in the USA and stored there. If IP anonymisation has been activated on this website, your IP address will, however, first be truncated by Google within the Member States of the European Union or in other countries that are contracting parties to the Agreement on the European Economic Area. Only in exceptional situations will your full IP address be transmitted to a Google server in the US and truncated there. Google will use this information on behalf of this website’s operator to analyse your use of this website, to create reports about website activity, and to provide additional services connected with the website and Internet use to the website operator.
(2) Google will not associate your IP address transmitted by your browser with any other data held by Google.
(3) You can prevent the storage of cookies by selecting the appropriate settings in your browser; however, we would like to point out that in such cases you might not be able to use all of the functions of this website. You can also prevent the capture of the data related to your use of the website generated by the cookie (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: tools.google.com/dlpage/gaoptout.
(4) This website uses Google Analytics with the “_anonymizeIp()” function. The IP addresses are further processed in truncated form, excluding the possibility of their being linked to any individual. If the data collected from you is found to be of a personal nature, it will be removed and deleted immediately.
(5) We use Google Analytics to analyse the use of our website and regularly make improvements to it. The statistical evaluation obtained helps us to improve our website and make it more interesting for you as user. For exceptional cases in which personal data may be transmitted to the USA, Google is subject to the EU-US Privacy Shield Framework: www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 para. 1, sentence 1 f GDPR.
IX. Other web analysis tools
1. Integration of YouTube videos
(1) We have YouTube videos integrated on our website. These are stored at www.YouTube.com and can be played directly from our website.
(2) When you visit our website, YouTube receives the information that you have accessed the corresponding sub-page. This is done regardless of whether or not you have a YouTube user account through which you are logged in. If you are logged into Google, your data will be associated directly with your account. If you prefer that your activity is not associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses it for the purposes of advertising, market research and/or the design of its website. Such an analysis is undertaken (even for users who are not logged in) to provide targeted advertising and to inform other users of the social network of your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube if you wish to exercise this right.
(4) Google also processes your personal data in the USA and has agreed to comply with the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
2. Information on social plug-ins
(1) We are currently using social media plug-ins from the following social networks: Facebook, Google+, Twitter, Xing, LinkedIn. These buttons enable you to recommend selected website contents via a social network to other internet users, to add these to your personal profile in a social network or otherwise draw attention to such contents.
(2) The recommend buttons are provided by the operators of the social networks for the purpose of embedding them into other websites. By their integration into our websites, a connection to the servers of the respective social network is made via the cookies saved on your computer system. Via this connection, your IP address is thereby transmitted to the respective social network without clicking the recommend button. You can prevent this with the appropriate browser settings (see clause 4.).
(3) If you are logged into one of the profiles of the aforementioned social networks during your visit to our websites, where appropriate, the operator of this network collects and stores other data regarding the visit to our websites. Should you not wish for this to happen, we recommend logging out of social networks prior to visiting our websites.
(4) We have neither any influence on the collected data and data processing procedures, nor knowledge of the full extent of the data collection, the purpose of the processing or the storage periods. We also do not have any information about the deletion of collected data by the provider of the plug-in. Your data that has been collected is stored by the plug-in provider as usage profiles and used by the provider for the purposes of advertising, market research and/or the appropriate design of its website. Such an analysis is undertaken (also for users who are not logged in) in particular for the presentation of targeted advertising and to inform other users of the social network of your activities on our website. You have a right to object to the creation of these user profiles, and you must contact the respective plug-in provider to exercise this right.
Please request information regarding the processing and use of your data from the respective operator of the social networks. Notes from the operators on the respective data protection provisions and, where appropriate, possible settings to protect your privacy are provided here:
Addresses of the respective plug-in providers and URL with their data protection notices:
a) Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA;
HUF HAUS maintains the Facebook page to communicate with users and to refer to contributions, services and similar aspects. HUF HAUS points out that the data of the users can thereby be processed outside the area of the European Union. This can lead to risks for the users, because, for example, it may be more difficult to assert the users’ rights. Facebook has, however, agreed to be bound by the terms and conditions of the EU-US Privacy Shield and promises to comply with the data protection level of the EU (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
As a general rule, the user data is also processed for the purposes of market research and advertising. This enables, for example, the creation of usage profiles from the usage behaviour and the resulting user interests. The usage profiles can in turn be used, for example, to switch advertisements within and outside Facebook, which are presumed to correspond with the interests of the users. For these purposes, cookies are stored on the computers of the users, where in turn the usage behaviour and the interests of the users are stored.
HUF HAUS would also like to point out that the most effective way to raise requests for information and assert user rights is to address such issues directly to Facebook. Only Facebook has access to the user data and can directly take appropriate measures and provide information.
b) Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; www.google.com/policies/privacy/partners/.
Google has agreed to comply with the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
c) Further, the Tweet button by twitter.com has been implemented, for which the company Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107 in the USA (hereinafter “Twitter”) is assuming responsibility. The button can be recognised by a white “t” or by a bird. If you call up a part of our website containing such button, when this is activated, the browser makes a direct connection with the Twitter servers. Twitter is also using cookies. In any case, Twitter is collecting data about your usage behaviour. We do not have any influence on the extent of the data collected by Twitter via the button. Here also, the following applies: If you are a Twitter member, you should be aware that Twitter can collect data concerning yourself via our website (such as which specific page you have visited) and link such data with your user account - regardless of whether you use the “share” button yourself. If you do not wish this to happen, you should not activate the button and/or log out after using the Tweet button. To our knowledge it is, however, quite possible, that Twitter can link data collected by means of activated social plug-ins with the user account also at a later time via so-called persistent cookies.
You should therefore prevent the setting of cookies by Twitter via your browser settings.
Twitter has agreed to comply with the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
d) We also use the XING share button. During the retrieval of the HUF webpage, provided the “recommend” button is activated, a connection to servers of XING AG, Gänsemarkt 43, 20354 Hamburg, Germany, is temporarily made via the browser, whereby the functions of the “XING share button” are provided. XING does not store any personal data regarding the retrieval of this webpage. In particular, XING does not store any IP addresses. Further, usage behaviour in connection with the “XING Share button”, is not evaluated by means of cookies. The currently valid data protection information regarding the “XING share button” and supplemental information can be retrieved here: www.xing.com/app/share
e) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; www.linkedin.com/legal/privacy-policy. LinkedIn has agreed to comply with the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
X. Rights of the Person concerned
If your personal data is processed, you are a data subject within the meaning of GDPR and you have the following rights against the controller:
1. Right of access
You may ask the controller to confirm whether your personal data is processed by us.
If such processing is carried out, you can request information from the controller on the following:
(1) the purposes for which personal data is processed;
(2) the categories of personal data that is processed;
(3) the recipients or categories of recipients to whom the personal data relating to you has been disclosed or will be disclosed;
(4) the envisaged period for which the personal data relating to you will be stored, or, if specific details cannot be provided in this respect, the criteria used to determine that period;
(5) the existence of a right to request from the controller rectification or erasure of personal data relating to you or restriction of processing or to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information on the origins of the data, if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic applied as well as the significance and the envisaged effects of such processing for the data subject.
You have the right to request information on whether the personal data relating to you is transmitted to a third country or to an international organisation. In this connection, you may request information about the appropriate safeguards in accordance with Article 46 GDPR, in connection with the transmission.
2. Right to rectification
You have the right to request the rectification and/or completion of your personal data from the controller if your personal data processed is incorrect or incomplete. The controller has to make the rectification without delay.
3. Right to restriction of processing
Subject to the following conditions, you may request the restriction of processing of the personal data relating to you:
(1) if you dispute the accuracy of the personal data relating to you, for a period that enables the controller to verify the accuracy of the personal data;
(2) the processing is unlawful, and you oppose the deletion of the personal data and instead request a restriction of its use;
(3) the controller no longer requires the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or
(4) if you have objected to the processing in accordance with Article 21 (1) GDPR and it has not yet been established whether the legitimate grounds of the controller outweigh your grounds.
If processing of the personal data relating to you has been restricted, then this data may only be processed, apart from its storage, with your permission or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of a significant public interest of the European Union or a member state.
If the processing has been restricted in accordance with the above-mentioned conditions, you shall be notified by the controller prior to the withdrawal of the restriction.
4. Right to erasure
a) Duty to erase
You can request the controller to immediately erase the personal data relating to you, and the controller has an obligation to erase such data immediately, if one of the following reasons applies:
(1) The personal data relating to you is no longer required for the purposes for which they were collected or otherwise processed.
(2) You are withdrawing your consent, on which the processing in accordance with Article 6 (1) (a) or Article 9 (2) (a) GDPR was based, and there is no other legal basis for processing.
(3) You are objecting to the processing in accordance with Article 21 (1) GDPR, and there are no overriding legitimate grounds for the processing, or you are objecting to the processing in accordance with Article 21 (2) GDPR.
(4) The personal data relating to you was illegally processed.
(5) The deletion of the personal data relating to you is required to meet a legal obligation under European Union law or the law of the Member States to which the controller is subject.
(6) The personal data relating to you was collected in relation to the offer of information society services in accordance with Article 8 (1) GDPR.
b) Information disclosed to third parties
If the controller has made the personal data relating to you public, and he has a duty to delete such data in accordance with Article 17 (1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to erasure does not exist where the processing is required
(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interests in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Notification obligation
If you have made use of your right to rectify, erase, or restrict the processing of your personal data, the controller is obliged to inform all recipients to whom the personal data has been disclosed of this rectification or erasure of the data or restriction of the processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
6. Right to data portability
You have the right to receive the personal data relating to you which you have provided to the data controller in a structured, commonly used, and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller, who has been provided with the personal data, where
(1) the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and
(2) the processing is carried out using automated means.
In the exercise of this right you also have the right to have the personal data relating to you transmitted directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be compromised by this.
The right to data portability does not apply to the processing of personal data, which is required for the performance of a task, which is in the public interest or which is carried out in the exercise of public power, which has been transferred to the controller.
7. Right to object
You have the right to object at any time to processing of personal data relating to you on grounds relating to your particular situation where the processing is based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data related to you, unless the controller can prove that there are compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms or the processing serves to establish, exercise, or defend legal claims.
Where the personal data related to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data related to you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
Where you object to the processing for the purposes of direct marketing, the personal data related to you will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the possibility of exercising your right to object by automated means using technical specifications.
You can notify us of your objection to advertising informally at any time by contacting us using the contact details provided in clause 1.
8. Right to withdraw the declaration of consent under the Data Protection Act
You can withdraw your consent on the use of your data for advertising purposes at any time. You can send such withdrawal in writing or by e-mail to the above-mentioned contact address. You can also unsubscribe from a specific service using the respective platform or via your customer account and therefore withdraw your consent. If you only unsubscribe from individual services (such as a specific customer programme), your registration for other services and, where appropriate, consent provided for corresponding advertising continue to remain valid.
The withdrawal of your consent does not affect the legality of the processing up until its withdrawal.
9. Automated individual decision-making including Profiling
You have the right not to be subjected to a decision that is exclusively based on automated processing, including profiling, where such decision has a legal effect or a similar significant adverse effect on you. This does not apply if the decision
(1) is required for the formation or the implementation of a contract between yourself and the controller,
(2) is admissible by European Union or Member State law to which the controller is subject, and if these legal provisions contain reasonable measures to safeguard your rights and freedoms as well as your legitimate interests or
(3) is made with your express consent.
These decisions may not, however, be based on special categories of personal data in accordance with Article 9 (1) GDPR, provided that Article 9 (2) (a) or (g) GDPR does not apply and reasonable steps have been taken to safeguard your rights and freedoms as well as your legitimate interests.
Regarding the cases referred to in (1) and (3) the controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
We currently are not making any decisions that are exclusively based on automated processing, including profiling.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 GDPR.
The website contains links to other websites (“external links”). These websites are the responsibility of the respective website operators. At the time of the connection to the external links, there were no legal infringements apparent. The provider does not have any influence on the current and future presentation of the linked sites. In the absence of specific indications of any legal infringements, it is not reasonable for the provider to constantly monitor the external links. As soon as we become aware of any legal infringements, we shall remove the relevant external links immediately.