Data protection

In accordance with the statutory requirements of data protection law – in particular the new amendment of the Federal German Data Protection Act (BDSG n.F.) and the European General Data Protection Regulation (GDPR) – we inform you in the paragraphs below about the processing of personal data by our company, i.e. its nature, scope and purpose. This data protection declaration applies to all our websites and social media profiles. For the definition of terms such as ‘personal data’ and ‘processing’ we refer the reader to Art. 4 of the GDPR.

Name and contact data of controller

Our controller (referred to hereinafter as ‘the controller’) within the meaning of Art. 4 7. of the GDPR is:

Brummé
P. O. Box 10 01 21
D-85001 Ingolstadt
E-mail: info@brumme-design.com

Types of data, purposes of processing and categories of data subjects

We inform you below about the way in which personal data are gathered, processed and used, and the scope and purpose of such gathering, processing and use.

1. Types of data that we process
Usage data (times of access, websites visited etc.), user-related data (name, address etc.), contact data (telephone number, e-mail, fax etc.), content data (text input, videos, photos etc.), communication data (IP address etc.)

2. Purposes of processing in accordance with Art. 13 1. (c) of the GDPR
Optimisation of the website from a technical and commercial point of view, facilitation of access to the website, making contact in case of legal objections lodged by third parties, optimisation and statistical analysis of our services, support of commercial use of the website, improvement of the user experience, design of the website to be user-friendly, economically viable operation of advertising and website, marketing / sales / advertising, compilation of statistics, determination of the probability with which texts will be copied, avoidance of spam and abuse, handling of contact enquiries, provision of websites with functions and content, security measures, secure and uninterrupted operation of our website.

3. Categories of data subjects as in Art. 13 1. (e) of the GDPR
Visitors to and users of the website, customers, suppliers, interested parties, employees of customers or suppliers.

Data subjects are referred to here collectively as ‘users’.

Legal bases for the processing of personal data
We inform you here below about the various kinds of legal basis for the processing of personal data:

1. If we have obtained your consent to the processing of personal data, the legal basis for that processing is Art. 6 1. Sentence 1 (a) of the GDPR.
2. If the processing is necessary for the performance of a contract or to take steps prior to entering into a contract following an enquiry you have made, the legal basis is Art. 6 1. Sentence 1 (b) of the GDPR.
3. If the processing is necessary to the fulfilment of a legal obligation incumbent on ourselves (e.g. statutory obligations to preserve business records), the legal basis is Art. 6 1. Sentence 1 (c) of the GDPR.
4. If the processing is necessary to the protection of vital interests of the data subject or another natural person, the legal basis is Art. 6 1. Sentence 1 (d) of the GDPR.
5. If the processing is necessary to the safeguarding of our legitimate interests or those of a third party, and if these are not overridden by your interests or basic rights and fundamental freedoms, the legal basis is Art. 6 1. Sentence 1 (f) of the GDPR.

Passing on of personal data to third parties and processors
As a matter of basic principle, we will not pass on any data to third parties without your consent. If we do, we will do so on one of the legal bases mentioned above, for example when data are forwarded to on-line payment providers for the performance of their contract, because of a court order or on account of a statutory obligation to release the data for the purpose of prosecution, to avert an emergency or to enforce intellectual property rights.

We also deploy processors (external service providers, for example for hosting our websites and databases) to process your data. If data are passed on to these processors within the framework of a processing contract, this is always done in accordance with Art. 28 of the GDPR. We select our processors carefully, review them on a regular basis and make sure that we have been given the authority to issue instructions regarding the data. Furthermore, the processors have to have taken appropriate technical and organisational measures and must comply with the data protection regulations in accordance with the BDSG n.F. and the GDPR.

Data transfer to third states
The passing of the European General Data Protection Regulation (GDPR) created a uniform basis for data protection in Europe. Your data will thus mainly be processed by companies to which the GDPR applies. However, if they are processed outside the European Union or the European Economic Area as part of third-party services, said services must comply with the special principles laid down in Art. 44 ff. of the GDPR. That means that the processing is done on the basis of certain special guarantees, such as official acknowledgement by the EU Commission of a level of data protection which corresponds to that provided in the EU (‘adequacy decision’), or the observance of officially recognised special contractual obligations, the so-called ‘standard contractual clauses’. In the case of US companies, these conditions are met by their being subject to the so-called ‘Privacy Shield’, the data protection agreement between the EU and the USA.

Erasure of data and duration of storage
Unless expressly stated in this data protection declaration, your personal data will be erased or disabled as soon as the purpose for which they were being stored ceases to apply, unless their further preservation is necessary for the purpose of providing evidence, or their erasure or disablement is contradicted by statutory obligations to preserve business records. Examples of the latter are commercial law obligations to preserve business correspondence as in Section 257 (1) of the German Commercial Code (HGB) (6 years) and fiscal obligations to preserve supporting documents as in Section 147 (1) of the German Fiscal Code (AO) (10 years). When the prescribed preservation period expires, your data will be disabled or erased, unless their storage continues to be necessary to the conclusion or performance of a contract.

Automated decision-making
We do not avail ourselves of any automatic decision-making or profiling.

Provision of our website and generation of logfiles
1. If you only use our website for information purposes – in other words, if you do not register or transmit any other information – we only gather those personal data which your browser transmits to our server. If you simply wish to look at our website, we gather the following data:
• IP address
• Internet service provider of user
• date and time of access
• browser type
• language and browser version
• content retrieved
• time zone
• access status / HTTP status code
• data quantity
• websites from which the request came
• operating system.

These data are not stored together with any other of your personal data.

2. These data serve the purpose of delivering our website to you in a user-friendly, functional and secure way with its functions and content and their optimisation and statistical analysis.

3. The legal basis for this is our legitimate interest, which also lies in the purposes listed above, in processing the data in accordance with Art. 6 1. Sentence 1 (f) of the GDPR.

4. For reasons of security, we store these data in server logfiles for a duration of ….. days. On expiry of that period, the data are automatically erased, unless we require them to be preserved for the purpose of providing evidence in the case of attacks on the server infrastructure or other legal infringements.

Cookies
1. We deploy so-called cookies when you visit our website. Cookies are small text files which your Internet browser deposits and saves on your computer. When you revisit our website, these cookies release information which enables you to be recognised automatically. The information thus obtained serves the purposes of enabling us to optimise our web amenities technically and commercially and giving you easier, secure access to our website. When you access our website, we also inform you by means of a notice referring you to our data protection declaration about the deployment of cookies for the above-mentioned purposes and about how you can object to or prevent their being saved (‘opt-out’). Our website uses session cookies, persistent cookies and third-party cookies:
• Session cookies: we use so-called cookies to recognise when the same user uses an amenity more than once (for example when you have logged in in order to ascertain your log-in status). When you revisit our site, these cookies release information which enables you to be recognised automatically. The information thus obtained serves the purposes of enabling us to optimise our amenities and making it easier for you to access our site. When you shut down your browser or log out, the session cookies are deleted.

• Persistent cookies: these are automatically deleted after a prescribed period of time, though this may vary depending on the cookie. You can delete these cookies at any time in the security settings of your browser.

• Third-party cookies: depending on your wishes, you can configure your browser setting and, for example, refuse to accept third-party cookies or all cookies. Having said that, we would like to point out to you at this juncture that if you do so you may not be able to use all the functions of this website. You can read more about these cookies in the respective data protection declarations of the third-party providers.

2. The legal basis for this processing is Art. 6 1. Sentence 1 (b) of the GDPR if the cookies are placed for the negotiation of a contract, for example in the case of an order. Otherwise we have a legitimate interest in the effective functionality of the website, in which case the legal basis is Art. 6 1. Sentence 1 (f) of the GDPR.

3. Objection and opt-out: you can prevent the saving of cookies on your hard disc in general by selecting ‘block all cookies’ in your browser settings. However, this may result in a restriction of the functions provided by our amenities. You can object to the deployment of cookies by third-party providers for advertising purposes via a so-called opt-out via the American website at https://optout.aboutads.info or the European website at http://www.youronlinechoices.com/de/praferenzmanagement/.

Making contact by contact form / e-mail / fax / post
1. When you make contact with us by contact form, fax, post or e-mail, the data you provide will be processed for the purpose of dealing with your enquiry.

2. If you have given us your consent, the legal basis for the processing of the data is Art. 6 1. Sentence 1 (a) of the GDPR. The legal basis for the processing of the data which are provided in the course of a contact enquiry or e-mail, letter or fax is Art. 6 1. Sentence 1 (f) of the GDPR. The controller has a legitimate interest in the processing and storage of the data, in order to be able to respond to enquiries from users, preserve evidence for reasons of liability and, if necessary, fulfil his or her statutory obligations to preserve business correspondence. If the contact was made with the aim of concluding a contract, a further legal basis for the processing is Art. 6 1. Sentence 1 (b) of the GDPR.

3. We can save the information you provide and your contact enquiry in our customer relations management (‘CRM’) system or a similar system.

4. The data will be erased as soon as they are no longer required to fulfil the purpose for which they were gathered. As regards the personal data from the template of the contact form and those sent by e-mail, this is the case when the conversation with you has come to an end. The conversation is deemed to have come to an end when the circumstances indicate that the matter in hand has been finally resolved. As for enquiries from users who have an account or a contract with us, we save them until the expiry of a period of two years after termination of the contract. In the case of statutory obligations to archive, the data are erased on expiry of the period prescribed, i.e. 6 years under commercial law and 10 years under fiscal law.

5. You have the possibility to withdraw your consent to the processing of personal data in accordance with Art. 6 1. Sentence 1 (a) of the GDPR at any time. If you make contact with us by e-mail, you can object to the storage of your personal data at any time.

Google AdWords with conversion tracking
1. We use the service ‘AdWords with Conversion Tracking’ (Google Ireland Limited, Register no. 368047, Gordon House, Barrow Street, Dublin 4, Ireland), to draw attention to our website on third-party websites by advertising. When you click on a Google advertisement of ours, a cookie is saved in your browser and remains valid for approximately 30 days. When you revisit our website after that, both we ourselves and Google can determine with the aid of the cookie whether you have visited our website before and, if so, which page or pages you visited. Google compiles statistics on this. The full extent of data processing in respect of those statistics is not known to us. The data are also transmitted to the USA and analysed there. If you are logged in with a Google account, AdWords can allocate the data to your account. If you do not wish this to happen, you must log out before you visit our website. This conversion tracking serves the purposes of analysis, optimisation and the efficient operation of our advertising and our website.

2. The legal basis for the processing of your data is our legitimate interest in the analysis, optimisation and efficient operation of our advertising and our website as in Art. 6 1. Sentence 1 (f) of the GDPR. Google is certified in accordance with the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.

3. You can prevent or object to the installation of cookies by Google in various different ways:
• You can inhibit the cookies in your browser via the setting ‘block all cookies’, which also includes cookies from third-party providers
• You can deactivate conversion tracking directly with Google via the link https://adssettings.google.com, though this setting only continues to apply until you delete your cookies
• You can deactivate the personalised advertisements of third-party providers participating in the advertisers’ self-regulation initiative ‘About Ads’ via the link https://optout.aboutads.info for US sites or at http://www.youronlinechoices.com/de/praferenzmanagement/ for EU sites, though this setting only continues to apply until you delete all your cookies
• You can deactivate cookies permanently via a browser plug-in for Chrome, Firefox or Internet Explorer via the link https://support.google.com/ads/answer/7395996. Such deactivation may however result in your no longer being able to avail yourself fully of all the functions on our website.

4. For further information see the Google privacy policy at https://policies.google.com/privacy?hl=de&gl=de and https://services.google.com/sitestats/de.html.

Presence in social media
1. We maintain profiles and fan pages in social media to communicate with the users connected and registered there and keep them informed about our products, amenities and services. US providers are subject to the so-called Privacy Shield and thus under obligation to comply with European data protection standards. When you use our pages and access our profile in the respective network, the data protection notices and conditions of use of the respective network apply.

2. We process the data which you send us via these networks in order to communicate with you and respond to the messages you post there.

3. The legal basis for the processing of the personal data is our legitimate interest in communication with the users and our public image for advertising purposes in accordance with Art. 6 1. Sentence 1 (f) of the GDPR. If you have given the controller of the social network your consent as regards the processing of your personal data, the legal basis is Art. 6 1. Sentence 1 (a) and Art. 7 of the GDPR.

4. For the data protection notices and options for information and objection (opt-out) on the respective networks go to:
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – data protection declaration/opt-out: http://instagram.com/about/legal/privacy/.

Social media plug-ins
1. On our website we deploy social media plug-ins from social networks. We use the so-called ‘two-click solution’ (Shariff solution) recommended by c’t (heise.de). With this solution, no personal data are transmitted to the providers of the plug-ins when you access our website. Next to the logo or trademark of the social network you will find a control with which you can activate the plug-in with a click. After activation, the provider of the social network receives information to the effect that you have accessed our website, and that your personal data are being transmitted to the provider of the plug-in and saved there. These are so-called third-party cookies. Some providers, such as Facebook and XING, say that they anonymise your IP immediately after having gathered these data.

2. The data gathered about the user are stored by the plug-in provider as usage profiles. These are used for purposes of advertising, market research and/or the design of the provider’s website in line with demand. These data are analysed in particular – also for users who have not logged in – to enable the depiction of demand-based advertising and to inform other users of the social network about the activities of the user on our website. The user has the right to object to the building of such user profiles, but must apply to the plug-in provider concerned in order to exercise it.

3. The legal basis for the use of the plug-ins is our legitimate interest in the improvement and optimisation of our website by enhancing our renown via the social networks, and the possibility of interaction with you, and interaction of the users among themselves via the social networks as in Art. 6 1. Sentence 1 (f) of the GDPR.

4. We have no influence on the data gathered or the data processing methods. We do not have any knowledge of the scope of data collection, the purpose of the processing or the periods for which data are stored. Neither do we have any information about the erasure of the data collected by the plug-in-provider.

5. As for the purpose and scope of data gathering and processing, we refer the reader to the respective data protection declarations of the social networks. There, you will also find information about your rights and the possibilities you have to alter your settings to protect your personal data.

Instagram
1. On our website we have integrated plug-ins of the social network Instagram (Instagram LLC., 1601 Willow Road, Menlo Park, CA, 94025, USA) as part of the so-called ‘two-click solution’ (Shariff solution). You can recognise these by the Instagram logo in the form of a square camera.

2. If you activate the plug-in intentionally, a connection will be made between your browser and the servers of Instagram. Instagram then receives the information, including your IP address, that you have visited our site, and transmits it to Instagram servers in the USA, where it is stored. If you are logged in to your Instagram account, Instagram can allocate that information to your account. You can click on the Instagram button to share and save the content of our website in your Instagram account and, if you wish, show it to your friends there. We have no knowledge as to the exact content in terms of transmitted data, the use to which they are put, or how they are stored by Instagram.

3. If you log out of Instagram before visiting our website and delete your cookies, no data relating to your visit to our website will be allocated to your Instagram profile when the plug-in is activated.

4. To obtain more information, go to the Instagram data protection declaration at https://help.instagram.com/519522125107875. For the settings you can select to protect your privacy, go to https://help.instagram.com/196883487377501.

Script libraries (Google web fonts)
In order to depict our content in a correct and graphically appealing way irrespective of browser type, we use script libraries and font libraries such as Google web fonts (https://www.google.com/webfonts/) on this website. To prevent them from being loaded multiple times, Google web fonts are transferred to the cache of your browser. If the browser does not support Google web fonts or inhibits access, content will be shown in a standard font. The retrieval of script libraries or font libraries automatically triggers a link to the operator of the library. In that context, it is theoretically possible – though it is currently not clear whether this is the case or, if it is, for what purpose – that the operators of such libraries gather data. For the data protection policy of the library operator Google go to https://www.google.com/policies/privacy/.

Rights of the data subject
1. Objection to or revocation of the processing of your data
If the processing is based on consent that you have given as in Art. 6 1. Sentence 1 (a) or Art. 7 of the GDPR, you have the right to withdraw your consent at any time. This will however not affect the lawfulness of any processing carried out on the basis of that consent up to the time of withdrawal.

If we base the processing of your personal data on the balancing of interests as in Art. 6 1. Sentence 1 (f) of the GDPR, you may file an objection to the processing. This may in particular be the case if the processing is not actually necessary to the performance of a contract with you, a circumstance indicated by us in each case in the subsequent description of functions. If you exercise your right to object in this way, we request you to state the reasons for which you wish us not to continue processing your personal data as we did prior to the objection. If your objection is justified, we will review the circumstances of the case and either discontinue or adapt the processing, or reveal to you the compelling legitimate reasons for which we need to continue it.

You can object to the processing of your personal data for purposes of advertising and data analysis at any time. You may exercise this right to object free of charge. To inform us of your objection to processing for advertising purposes, contact us at:

Brummé
P. O. Box 10 01 21
D-85001 Ingolstadt, Germany
E-mail: info@brumme-design.com

2. Right of access
You have the right to request confirmation from us of whether personal data concerning you are being processed. If they are, you have the right to receive information about the personal data concerning you that are stored by us in accordance with Art. 15 of the GDPR. In particular, this includes information about the purpose of the processing, the category of personal data, the categories of recipients to whom your data are being or have been disclosed, the planned duration of storage, and the origin of your data if they were not gathered directly from you yourself.

3. Right to rectification
You have the right to have inaccurate data rectified or accurate data completed in accordance with Art. 16 of the GDPR.

4. Right to erasure
You have the right to have the data concerning you that are stored by us erased in accordance with Art. 17 of the GDPR, provided that no statutory or contractual periods of obligation to preserve business records or other statutory obligations or rights relating to their continued storage are in contradiction of such erasure.

5. Right to restriction
You have the right to request a restriction in the processing of your personal data if any of the conditions in Art. 18 1. (a) to (d) of the GDPR are met, i.e.:
• you contest the accuracy of the personal data concerning you for a period which makes it possible for the controller to verify their accuracy
• the processing is unlawful and you refuse to allow the personal data to be erased, requesting their use to be restricted instead
• the controller no longer requires the personal data for the purposes of the processing, but you require them for the assertion, pursuit or defence of legal claims, or
• you have lodged an objection to the processing in accordance with Art. 21 1. of the GDPR and it is not yet clear whether or not the legitimate grounds put forward by the controller override your reasons.

6. Right to data portability
You have a right to data portability in accordance with Art. 20 of the GDPR, which means that you can receive the personal data concerning you which are stored by us in a structured, commonly used and machine-readable format or request them to be transmitted to another controller.

7. Right to complain
You have the right to complain to a supervisory authority. For this, you can normally apply in particular to the supervisory authority in the member state of your place of residence, your place of work or the place where the presumed infringement occurred.

Data security
In order to protect all the personal data that are transmitted to us, and in order to ensure that we ourselves and our external service providers comply with the data protection laws, we have adopted appropriate technical and organisational security measures. For these reasons, all the data being transmitted between your browser and our server are subject to encrypted transmission via a secure SSL connection.

Issue: 19.11.2019

Source of German text: Template data protection declaration from JuraForum.de