Data Privacy Statement
Name and contact of the controller as per Article 4 para. 7 of the General Data Protection Regulation
Zentralfachschule der Deutschen Süßwarenwirtschaft e.V.
Telephone: +49 (0)212-5961-0
Fax: +49 (0)212-5961-61
Zentralfachschule der Deutschen Süßwarenwirtschaft e.V.
Telephone: +49 (0)212-5961-0
Fax: +49 (0)212-5961-61
Data Security Officer
Ralf Maruhn Datenschutz und Datensicherheit GmbH
Grafenberger Allee 115
Security and protection of your personal data
We consider maintaining confidentiality regarding the personal data you provided and protecting it from unauthorised access as our paramount duty. That is why we are extremely careful and we apply state-of-the-art security standards in order to guarantee maximum protection of your personal data.
As a cooperation under private law, we are subject to the provisions of the European General Data Protection Regulation and the regulations of the Federal Data Protection Act. We have taken technical and organisational measures which ensure that the data protection regulations are adhered to by us as well as our external service providers.
The legislative authority demands that personal data is processed in the right manner, in good faith and in a manner that is comprehensible to the data subject (“legitimacy, processing in good faith, transparency). In order to guarantee this, we are informing you about the individual legal definitions which are also used in this data protection statement:
1. Personal data
“Personal data” is all the information referring to an identified or unidentified natural person (hereinafter ‘data subject’); a natural person is considered identifiable if he/she can be identified – directly or indirectly – particularly by reference to an identifier such as a name, an identification number, location data, online identifier or to one or several special features which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” is any process carried out with or without the help of an automated procedure or any such set of operations in connection with personal data such as collecting, compiling, organising, sorting, saving, adaptation or amendment, reading out, retrieving, utilisation, disclosure via transmission, dissemination or another form of provision, alignment or combination, restriction, erasure or destruction.
3. Restriction of processing
“Restriction of processing” is the marking of saved personal data with the aim of restricting its future processing.
“Profiling” is any kind of automated processing of personal data which consists in using this personal data in order to evaluate certain personal aspects which refer to a natural person especially in order to analyse or predict aspects relating to performance, economic position, health, personal preferences, interests, reliability, conduct, residence or change of location of this natural person.
“Pseudonymisation” is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without adding additional information as long as this additional information is saved separately and is subject to technical and organisational measures which guarantee that the personal data cannot be attributed to an identified or unidentified natural person.
6. File system
“File system” is any structured collection of personal data which is accessible according to certain criteria regardless of whether this collection is classified in a central or decentralised manner or according to functional and geographical aspects.
“Controller” is a natural person or legal entity, agency, establishment or other authority which decides alone or together with others about the purposes and means of processing personal data; if the purposes and means of processing are predefined by the European Union law or the law of Member States, the controller or the specific criteria of its appointment may be provided for by the European Union law or the Member States law.
“Processor” is a natural person or legal entity, agency, establishment or other authority which processes personal data on behalf of the controller.
“Recipient” is a natural person or legal entity, agency, establishment or other authority to which personal data is disclosed regardless of whether it involves a third party or not. Agencies that receive personal data in the course of particular enquiries as per the European Union law or the Member States law are not considered as recipients; the processing of this data by the mentioned agencies is done in accordance with the applicable data protection regulations as per the purposes of processing.
10. Third party
“Third party” is a natural person or legal entity, agency, establishment or other authority apart from the data subject, the controller, the processor and the persons who are authorised to process personal data under the direct responsibility of the controller or the processor.
“Consent” issued by the data subject is any statement of intent issued voluntarily for a particular case in an informed and clear manner in form of a declaration or other conclusive affirmative action with which the data subject clarifies that he consents to the processing of his personal data.
Legitimacy of processing
The processing of personal data is only legitimate if there is a legal basis for the processing. According to article 6 para. 1 lit. a – f of the General Data Protection Regulation, legal basis for the processing could be:
a. The data subject has consented to the processing of his personal data for one or several particular purposes;
b. The processing is for the fulfilment of a contract whose contractual partner is the data subject or the processing is necessary for carrying out pre-contractual measures which is done at the request of the data subject;
c. The processing is necessary for the fulfilment of legal duties which the controller is subject to;
d. The processing is necessary in order to protect vital interests of the data subject or another natural person;
e. The processing is necessary for the execution of a task which is carried out in the interest of the public or in exercising official authority vested in the controller;
f. The processing is necessary for the protection of the legitimate interests of the controller or a third party unless the interests or basic rights and fundamental freedoms of the data subject which call for the protection of personal data prevail especially if the data subject is a child.
Information regarding data collection
(1) Below we are going to inform you about the collection of personal data when using our website. Personal data is, for instance, name, address, e-mail addresses, user behaviour.
(2) When you contact us via e-mail or a contact form, we save the data you have given (your e-mail address, your name where applicable and your telephone number) in order to answer your questions. The data collected in this connection is deleted when it is no longer necessary to save it or processing it is restricted in case there are legal obligations to retain data.
Collection of personal data when visiting our website
If you solely use our website for informational purposes, i.e. if you don't register or give us further information, we only collect the personal data which your browser transmits to our server. If you want to see our website, we collect the following data which is technically necessary for us in order for us to show you our website and to guarantee stability and security (legal basis is Art. 6 para. 1 sentence 1 lit. f of the General Data Protection Regulation):
- IP address
- Date and time of query
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (precise page)
- Access status/HTTP status code
- Volume of data transmitted
- Website from which the request is coming
- Operating system and its interface
- Language and version of the browser software
Usage of cookies
(1) In addition to the data mentioned previously, cookies will be saved on your computer when you visit our website. Cookies are small text files which are saved on your hard disc by the browser you are using which transmit certain information to the authority which sets the cookies. Cookies cannot run programs or transmit viruses to your computer. They serve the purpose of making the website more user-friendly and more effective.
(2) This website uses the following types of cookies, whose scope and functionality are explained below:
- Transient cookies (a)
- Persistent cookies (b)
a. Transient cookies are automatically deleted when you close the browser. This includes session cookies in particular. These save a so-called session ID which assigns different requests made by your browser to a common session. Your computer can be recognised in this manner when you come back to our website. The session cookies are deleted when you log out or when you close the browser.
b. Persistent cookies are automatically deleted after a specified period of time which differs depending on the cookie. You can delete the cookies in your browser’s security settings at any time.
c. You can configure your browser settings according to your wishes and e.g. reject the acceptance of third-party cookies or all cookies. So-called third-party cookies are cookies which are set by a third party, hence not by the actual website on which one is visiting at the moment. We would like to point out that by deactivating the cookies you will probably not be able to use all functions of this website.
Other functions and offers on our website
(1) Apart from using our website purely for information purposes, we offer different services which you could use if you are interested. As a rule, you must provide additional personal data which we shall use to provide the respective service and to which the aforementioned fundamentals of data processing apply.
(2) We sometimes use external service providers to process your data. These are carefully selected by us and commissioned, are bound to our instructions and are regularly monitored.
(3) Moreover, we can forward your personal data to third parties if we are offering promotions, competitions, contract conclusions or similar services together with our partners. You will receive further information in this regard when giving your personal data or below in the description of the offer.
(4) If our service providers or partners are based in a country outside the European Economic Area, we shall inform you about the consequences of this circumstance in the description of the offer.
Usage of our web shop
1) If you want to order from our web shop, it is necessary for you to provide your personal data for the purpose of contract conclusion. We need your personal data for processing your order. For the processing of contracts, necessary mandatory information is specially marked while other details are voluntary. We use the data you provide to process your order. In this regard, we can forward your payment details to our principal bank. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b of the General Data Protection Regulation. You can open a client account through which we can save your data for other subsequent purchases. When opening an account under “my account”, the data you provide shall be saved revocably. You can delete all other data including your user account data. It suffices if you send us an e-mail to: firstname.lastname@example.org with the reference: Deletion of User Account
(2) Due to commercial law-related and fiscal provisions, we are obligated to save your address, payment and order data for a period of ten years. However, after two years we restrict processing i.e. your data will be used only to adhere to the legal obligations.
(3) In order to hinder third parties from accessing your personal data without authorisation, especially financial data, the order process is coded via TLS technology.
(1) With your consent, you can subscribe to our newsletter with which we inform you about our current interesting offers. The acquired goods and services are mentioned in the declaration of consent.
(2) To register for our newsletter we use the so-called double-opt-in procedure. This means that we will send you an e-mail after registration to the e-mail address you provided. In this e-mail, we will ask for your consent so that we can send you the newsletter. If you don't confirm your registration within 24 hours, your information will be blocked and after one month it will be deleted automatically. Furthermore, we will save your IP address and the time of registration and confirmation. The purpose of this procedure is to prove your registration and if necessary, to be able to clarify potential misuse of your personal data.
(3) Mandatory information for sending the newsletter is just your e-mail address. The provision of other specially marked information is voluntary and it will be used in order to approach you personally. After receiving your confirmation, we shall save your e-mail address for the purpose of sending the newsletter. The legal basis is Article 6 para. 1 sentence 1 lit. a of the General Data Protection Regulation.
(4) You can revoke your consent regarding sending the newsletter at any time and stop receiving the newsletter. You can revoke this by clicking on the link included in every newsletter e-mail, via this website’s form, via e-mail to email@example.com or by sending a message to the contact data indicated in the legal notice.
(5) We would like to point out that we shall evaluate your user behaviour when sending the newsletter. For this evaluation, the e-mails sent contain the so-called web beacons or tracking pixels which present one pixel image files which are saved on our website. For the evaluations we link the data mentioned in § 3 and the web beacons with your e-mail address and an individual ID. The data is collected in a pseudonymised manner and the IDs are not linked with your other personal data. A direct personal reference is hence excluded. You can revoke this tracking any time by clicking the separate link which is in every e-mail or inform us via another means of contact. The information will be saved as long as you subscribe for the magazine. Upon deregistration, we shall save your data statistically and anonymously.
Our offer is basically for adults. Persons under 18 years should not send us personal data without the consent of the parents or a guardian.
Rights of the data subject
(1) Revocation of consent
If the processing of personal data is based on consent issued, you have the right to revoke the consent at any time. By revoking the consent, the legitimacy of the processing that was carried out on the basis of the consent shall not be affected.
You can always contact us to exercise the revocation right at any time.
(2) Right of confirmation
You have a right to request for confirmation from the controller whether we are processing your personal data. You can request for the confirmation at any time using the contact details stated above.
(3) Right to information
If personal data is being processed, you can request for information regarding this personal data and the following information:
a. Purpose of processing;
b. The categories of personal data which are being processed;
c. The recipient or categories of recipients to whom the personal data has been revealed particularly recipients in non-member countries or international organisations;
d. If possible, the planned duration for which the personal data is saved or if this is not possible, the criteria for the determination of this duration;
e. The existence of a right to correction or erasure of the personal data concerning you or to the restriction of processing by the controller or a revocation right against this processing;
f. The existence of a right of objection by a supervisory authority;
g. If the personal data is not collected from the data subject, all available information regarding the source of the data;
h. The existence of an automated decision-making including profiling pursuant to Article 22 paragraphs 1 and 4 of the General Data Protection Regulation and – at least in these cases – significant information on the logic involved as well as the scope and the target consequences of such processing for the data subject.
If personal data is transmitted to a non-member country or to an international organisation, you have the right to be informed about the suitable guarantees as per Article 46 of the General Data Protection Regulation in connection with the transmission. We shall provide a copy of the personal data which is the subject manner of the processing. All other additional copies which you request for can be provided at a fee so as to cover administrative costs. If you make the request online, the information is to be availed in a commonly used electronic format unless it states otherwise. The right to receive a copy pursuant to paragraph 3 should not affect the rights and freedoms of other persons.
(4) Right of correction
You have the right to request for the immediate correction of your incorrect personal data. Considering the purpose of processing, you have the right to request for the completion of incomplete personal data – even by means of a supplementary statement.
(5) Right to erasure (“Right to be forgotten”)
You have the right to request the controller to delete your personal data immediately and we are obligated to delete personal data immediately if one of the following reasons applies:
a. The personal data is no longer needed for the purpose for which it was collected or it is processed in another manner.
b. The data subject revokes his consent on which the processing is based pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a of the General Data Protection Regulation and there is no alternative legal basis for the processing.
c. The data subject objects the processing pursuant to Article 21 paragraph 1 of the General Data Protection Act and there are no overriding justified reasons for the processing or the data subject objects the processing as per Article 21 paragraph 2 of the General Data Protection Act.
d. The personal data was wrongfully processed.
e. The erasure of personal data is necessary for the fulfilment of a legal obligation as per the European Union Law or the Member State law which the controller is subject to.
f. The personal data was collected with reference to the services offered by the information society as per Article 8 paragraph 1 of the General Data Protection Act.
If the controller has publicised the personal data and is obligated to erase it as per paragraph 1, the controller shall take appropriate measures, even of the technical kind, considering the available technology and the implementation costs in order to inform the persons responsible for processing who are processing the personal data that a data subject has requested them to erase all links to this personal data or copies or replications of this personal data.
The right to erasure (“right to be forgotten”) does not exist if the processing is necessary:
- for the exercising of the right to free expression of opinion and information;
- for the fulfilment of a legal obligation which requires the processing as per the European Union law or Member State law which the controller is subject to or for the execution of a task which is carried out in the interest of the public or in exercising official authority vested in the controller;
- on public interest grounds in the field of public health as per Article 9 paragraph 2 letter h and i as well as Article 9 paragraph 3 of the General Data Protection Regulation;
- for archiving purposes which are in the interest of the public, for scientific or historic research purposes or for statistical purposes pursuant to Article 89 paragraph 1 of the General Data Protection Regulation if the right mentioned in paragraph 1 probably makes the realisation of the goals of this processing impossible or seriously affects it or
- for the establishment, exercise or defence of legal claims.
(6) Right to restriction of processing
You have the right to request us to restrict the processing of your personal data if one of the following conditions applies:
a. the accuracy of the personal data is contested by the data subject for a duration which enables the controller to check the accuracy of the personal data,
b. the processing is illegal and the data subject rejects the erasure of the personal data and instead requests for the restriction of usage of the personal data;
c. the controller no longer requires the personal data for the purposes of processing but the data subject requires it for establishment, exercise or defence of legal claims, or
d. the data subject objects the processing pursuant to Article 21 paragraph 1 of the General Data Protection Regulation as long as it has not been determined whether the legitimate grounds of the controller override those of the data subject.
If processing was restricted to the above-mentioned requirements, this personal data – with the exception of its storage – shall be processed only with the consent of the data subject or for establishment, exercise or defence of legal claims or for the protection of rights of another natural person or legal entity or for reasons of important public interest of the Union or a Member State.
In order to assert the right to restriction of processing, the data subject can contact us using the contact details given above at any time.
(7) Right to data portability
You have the right to obtain your personal data which you provided to us in a structured, commonly used and machine-readable format and you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided if
a. the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a or on a contract pursuant to Article 6 paragraph 1 letter b of the General Data Protection Regulation and
b. the processing is done using automated means.
In exercising the right to data portability as per paragraph 1, you have the right to have personal data transmitted directly from one controller to another if this is technically feasible. Exercising the right to data portability does not affect the right to erasure (“right to be forgotten). This right does not apply to processing which is necessary for the execution of a task which is carried out in the interest of the public or in exercising official authority vested in the controller.
(8) Right to object
You have the right to object, on grounds relating to your particular situation, against the processing of your personal data at any time which is done pursuant to Article 6 paragraph 1 letter e or f of the General Data Protection Regulation; this also applies to profiling based on these provisions. The controller no longer processes the personal data unless he can prove compelling grounds worth protecting for the processing which override the interests, rights and freedoms of the data subject or the processing serves the purpose of establishment, exercise or defence of legal claims.
If personal data is processed in order to do direct marketing, you have the right to object the processing of your personal data for the purpose of such marketing; this also applies to profiling if it is related to such direct marketing. If you object processing for purposes of direct marketing then the personal data will no longer be processed for this purpose.
In connection with the usage of services of the information society, you can exercise your right to object by automated means – notwithstanding Directive 2002/58/EC – using technical specifications.
You have the right – on grounds related to your particular situation – to object the processing of your personal data which is done for scientific or historic research purposes or for statistical purposes pursuant to Article 89 paragraph 1 unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You can exercise the right to object at any time by contacting the respective controller.
(9) Automated decisions in individual cases including profiling
You have the right not to be subjected to a decision made exclusively on the basis of automated processing including profiling which produces legal effects concerning you or which significantly affects you in a similar manner. This does not apply if the decision:
a. is necessary for the conclusion or fulfilment of a contract between the data subject and the controller,
b. is permissible based on the legal regulations of the Union or the Member States to which the controller is subject and these legal regulations embody appropriate measures for the safeguarding of rights and freedoms as well as the legitimate interests of the data subject or
c. is made based on the data subject’s consent.
The controller takes appropriate measures in order to safeguard the data subject’s rights and freedoms as well as the legitimate interests which include at least the right to human intervention on the part of the controller, to express a point of view and to contest the decision.
These rights can be exercised by the data subject at any time by contacting the respective controller.
(10) Right to lodge a complaint with a supervisory authority
Notwithstanding any other administrative regulation or judicial remedy, you have the right to lodge a complaint with a supervisory authority particularly in the Member State of your place of residence, your place of work or the place of alleged infringement if you are of the opinion that the processing of your personal data infringes this regulation.
(11) Right to an effective judicial remedy
Notwithstanding any available administrative or non-judicial remedy including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the General Data Protection Regulation, you have the right to an effective judicial remedy if you are of the opinion that the rights you are entitled to due to this regulation were infringed upon as a result of the processing of your personal data which was not commensurate with this regulation.
Usage of Google Analytics
(1) This website uses Google Analytics which is a web analysis service provided by Google Inc. (“Google”). Google Analytics uses the so-called “cookies”, text data files which are saved on your computer and which enable analysis of the usage of the website by you. The information generated by the cookies regarding your usage of this website is usually transmitted to Google’s server in the USA and saved there. In case of activation of the IP anonymisation on this website, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting member states of the European Economic Area. Only in exceptional cases shall the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google shall use this information in order to analyse your usage of the website, in order to compile reports on website activities and in order to provide the website operator other services associated with the usage of the website and the internet.
(2) The IP address transmitted from your browser in the context of Google Analytics shall not be merged with other Google data.
(3) You can prevent the saving of the cookies by selecting the appropriate settings on your browser software accordingly; however, we would like to point out that in this case you will not be able to use all functions of this website comprehensively. Moreover, you can prevent the gathering of the data generated by the cookie and which is related to the usage of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available here:
(4) This website uses Google Analytics with the "_anonymizeIp()" extension. This has the effect of truncating IP addresses before further processing so that the data cannot be related to any specific person. If the data concerning you that is collected allows conclusions about you as a person, this is immediately prevented and the relevant personal data is thus erased immediately.
(5) We use Google Analytics in order to analyse the usage of our website and in order to be capable of regularly improving it. The statistical data we receive in this way helps us to improve our website and to make it more interesting for you as a user. For exceptional cases in which personal data is transferred to the USA, Google has subjected itself to the EU-US Privacy Shield www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Article 6 para. 1 sentence 1 lit. f of the General Data Protection Regulation.
(6) Third-party provider information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 4361001.
Overview on data protection:
Data protection declaration:
Integration of Google Maps
(1) Our website uses the Google Maps service. Through this, we can show you interactive maps directly on the website and enable you to comfortably use the map function.
(2) By visiting the website, Google receives information that you have called up the corresponding subpage of our website. In addition, the data mentioned in § 3 of this declaration is transmitted. This happens regardless of whether Google provides a user account via which you have logged in or there is no user account. If you are logged on to Google, your data will be directly linked to your account. If you do not wish to have the data linked to your profile on Google, you have to log out prior to activating the button. Google saves your data as usage profiles and uses it for advertising, market research and/or needs-based designing of its website. Such evaluation is done particularly (even for users who haven’t logged in) in order to provide needs-based advertising and to inform other social network users about your activities on our website. You have a right to object the creation of these user profiles. In order to exercise this right you have to address Google.
(3) Further information regarding the purpose and scope of data collection and its processing by the plug-in provider is available in the provider’s data protection declarations. You will get additional information regarding your rights and setting options in this regard in order to protect your private sphere: www.google.de/intl/de/policies/privacy. Google processes your personal data in the USA as well and it has subjected itself to the EU-US Privacy Shield www.privacyshield.gov/EU-US-Framework.
We engage external service providers (processors) e.g. for the sending of newsletters or for processing payments. A separate data processing agreement was concluded with the service provider in order to guarantee the protection of your personal data.
We collaborate with the following service providers
For the newsletter dispatch:
Köpenicker Str. 126
Programming the website:
medienbüro // FRANK FREWER
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
Google Ireland Ltd
Gordon House Barrow Street Dublin 4
Only the German text of this data protection declaration is legally binding.