PRIVACY POLICY

I. Who is responsible for data processing on this website?

Person responsible within the meaning of Art. 4 (7) of the General Data Protection Regulation (GDPR) is the:

HABA Sales GmbH & Co. KG August-Grosch-Str. 28-38, 96476 Bad Rodach (nachfolgend HABA)

Tel.: +49 9564 929-60100

Fax: +49 9564 929 662300

E-Mail: info@haba.de

Registergericht Coburg, HRA 5220

USt-IdNr.: DE 815 831 282 WEEE-Reg.Nr.: DE 51463378

General Partner is the HABA Administration GmbH, August- Grosch-Str. 28-38, 96476 Bad Rodach, Deutschland, Register court Local court Coburg, HRB 4746, which in turns is represented by the Managing Director Dr. Mario Wilhelm

If you have any questions about data protection, you can contact our data protection officer by post: HABA Sales GmbH & Co. KG, Data Protection, August-Grosch-Str. 28-38, 96476 Bad Rodach or by e-mail: internet@haba.de and the subject: Data protection.

II. What data is stored and for what purpose?

1. For order processing:

We will ask for and use your personal data with mandatory fields in the online shop or when ordering by telephone. Mandatory fields are: Title (gender), first and last name, address, date of birth (for purchase on account) and your e-mail address.

All other information is voluntary. In order to deliver your order, we will pass on your delivery address to the delivery service commissioned with the delivery. We may also pass on your payment details to our bank. Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the fulfilment of a contract or for the implementation of a pre-contractual measure with you.

Customer account: You can shop with us as a guest or voluntarily create a customer account, which allows us to save your data for future purchases. When registering the customer account, the data you provide will be stored on a revocable basis. The legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

2. Payment Transaction:

As part of the payment process in our online shop, we collect certain personal data from you in order to fulfil the contract with you. The legal basis for this is Art. 6 para. 1 lit. b GDPR.

a. Purchase on account and advance payment

For the payment methods purchase on account and prepayment, we receive the information provided by you, such as account holder, IBAN, bank and intended use. The legal basis for the associated data processing is Art. 6 para. 1 lit. b GDPR.

b. Paypal

When paying with PayPal, your payment data will be forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter ‘PayPal’) as part of the payment processing. If you wish to pay for your order in the online shops with PayPal, the amount to be paid by you, together with your first and last name, delivery address, email address, telephone number and IP address, will be transmitted to PayPal so that you can authorize the payment to us via PayPal. The legal basis for the associated data processing is Art. 6 para. 1 lit. b GDPR, i.e. the processing of your data is necessary for the fulfilment of the agreement to pay for your purchase via PayPal. The data transmitted to PayPal may be transmitted by PayPal to credit agencies for identity and credit checks. Further information on data protection can be found in PayPal´s privacy policy https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

c. Payment per credit card

We also offer you the option of making your payments by credit card. The legal basis for the associated data processing is Art. 6 para. 1 lit. b GDPR, i.e. the processing of your data is necessary for the fulfilment of the agreement to pay for your purchase by credit card. When paying by credit card, the following data is processed:

• Card type (American Express, Mastercard or VISA),

• Name of the cardholder,

• card number,

• check digit,

• period of validity.

Note on credit assessment:

We transmit personal data collected within the scope of the contractual relationship regarding the application, execution and termination of this business relationship as well as data on non-contractual or fraudulent behaviour to CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich.

The legal basis for this transfer is Art. 6 para. 1 sentence 1 lit. b, f GDPR. The data exchange with CRIF Bürgel GmbH also serves to fulfil legal obligations to carry out creditworthiness checks (Sections 505a and 506 of the German Civil Code). CRIF Bürgel GmbH processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland and, if applicable, other third countries (insofar as an adequacy decision of the European Commission exists for these) to provide information, among other things, for assessing the creditworthiness of natural persons.

Further information on the activities of CRIF Bürgel GmbH can be found in their information sheet or online at www.crifbuergel.de/de/datenschutz.

3. Questions about the product:

You can ask questions about the product on our website. Your contribution will be published with your specified user name. We recommend using a pseudonym instead of your real name. Your username and e-mail address are required, all other information is voluntary. We need your e-mail address in order to contact you if a third party objects to your comment as unlawful, which is in our legitimate interest. We reserve the right to delete comments if they are objected to as unlawful by third parties. The legal basis for this is Art. 6 para. 1 lit. f GDPR.

4. Conduct us by post, e-mail or contact form:

If you contact us in this way, the personal data transmitted by post, e-mail or online contact form will be processed. If you contact us via the contact form, the following data is required: gender, name, address details, email address, reason for the enquiry and your personal message.

This data is used exclusively for processing the conversation. The legal basis for the processing of your data is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. If your message is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data processed in this context will be deleted as soon as it is no longer required to achieve the purpose for which it was collected (conversation, contract fulfilment). In addition, you have the option of objecting to the processing of your personal data by contacting us via the contact channels mentioned under Section I.

5. Information about the product:

HABA may also process the data you provide in order to inform you by post about other interesting products from our entire portfolio or to send you emails with technical information about our online shop. The legal basis for this is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. As a customer, you will also occasionally informed by e-mail about similar offers / goods of your purchase from the area of HABA Sales GmbH & Co. KG that may be of interest to you. You receive this information on the basis of Section 7 (3) UWG, which is in our legitimate interest. You can of course object to the further receipt of such messages at any time in the future without incurring any costs other than the transmission costs according to the basic rates. An objection can be sent to the contact details listed under Section I.

6. When you register for the newsletter:

With your consent, you can subscribe to our newsletter, which we use to inform you about our current offers. In some cases, the newsletter sent by HABA may also advertise goods and services of HABA Sales GmbH & Co. KG if these match your interests in our products. We use the services of Emarsys - emarsys eMarketing Systems AG, Märzstraße 1, 1150 Vienna, Austria to support the sending of e-mails.

We use the so-called double opt-in procedure to register for our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address you have provided in which we ask you to confirm that you wish to receive the newsletter. We store your IP address and the time of registration and confirmation. The purpose of this procedure is to prove your registration and, if necessary, to be able to clarify any possible misuse of your personal data.

The only mandatory information for sending the newsletter is your e-mail address. The provision of further, separately marked data is voluntary and is used to be able to address you personally. The legal basis for sending the newsletter is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare your cancellation by clicking on the link provided in every newsletter or by contacting the addresses listed under Section I.

We would like to point out that we evaluate your user behaviour when sending the newsletter. For this analysis, the e-mails sent contain so-called web beacons or tracking pixels from our e-mail dispatch service provider Emarsys and our web analytics technology Exactag. This technology allows us to record your opening and clicking behaviour. In addition, this data can be merged with the behaviour of this pseudonymous profile on our website. We use the data obtained in this way to create a user profile in order to tailor the newsletter to your individual interests. In doing so, we record when you read our newsletter, which links you click on in it and deduce your personal interests from this. We link this data to the actions you take on our website.

7. When visiting the website:

When you access our website, data is automatically collected by the system of the accessing computer / end device. This is the following data:

IP address,

• Date and time of the enquiry,

• time zone difference,

• Content of the request,

• Access status / HTTP status code,

• amount of data transferred in each case,

• Website from which the request originates,

• Browser,

• Operating system and its interface,

• language and version of the browser software.

This data is also logged and stored in the log files of our system on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest in processing this data lies in the fact that processing this data makes it possible to deliver the website to your computer in the first place and guarantees the functionality of the website. This data is also necessary to ensure the security of our IT systems. The data is deleted as soon as the purpose for which it was collected no longer applies, i.e. in the case of data collection for website provision, when the respective session has ended and in the case of data storage in log files after seven days at the latest. This data is not stored together with other personal data collected from you.

8. Further Services:

We also offer other services that you can use if you are interested. The information is provided by you voluntarily and on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR or for the processing of a resulting contractual relationship in accordance with Art. 6 para. 1 lit. b GDPR. Your data must sometimes be passed on to our carefully selected service providers for the provision of services. The following services are currently offered

• Dispatch of press releases,

• Participation in customer loyalty campaigns,

• Participation in competitions,

• Personalisation of product orders,

• spare parts service.

III. Will cookies processed?

Our website uses cookies in several places. They serve to make our website more user-friendly, effective and secure.

1. Will cookies processed?

A cookie is a small data file that we transfer to your browser when you browse our site. We use cookies for the following purposes:

• So that we can recognize you on future visits, to display your preferred settings in the shopping cart (language, delivery country, user name),

• so that you can use other specific services: e.g. displaying the site in your language, personalizing our site, etc,

• so that we can customize our site even better to your needs.

Personal data will only be stored with your express consent or if this is absolutely necessary in order to be able to use the service offered and accessed by you accordingly.

Order processing: We have concluded an order processing contract with the third-party providers (third-party cookies).

Our website uses the cookie consent technology of OneTrust, 82 St John St Farringdon, London EC1M 4JN, United Kingdom, to obtain your consent to the storage of certain cookies in your browser and to document this in accordance with data protection regulations.

Cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

2. How can you revoke the use of cookies?

You can revoke your consent to the use of cookies, unless they are absolutely necessary cookies, at any time with effect for the future under the cookie settings. You have this right in accordance with Art. 7 para. 3 sentence 1 GDPR. You also have the option of deactivating cookies in your browser at any time. If you deactivate cookies, certain features on our website may not be available to you and some web pages may not be displayed correctly.

3. Which Cookies do we use?

Various cookies are set on our website. These can be divided into 3 categories according to their purpose and function:

• Strictly necessary cookies,

• Functional or performance cookies,

• marketing and analysis cookies.

a. Strictly necessary cookies

Strictly necessary cookies guarantee functions so that you can use our website at all. As a rule, these cookies are only set in response to actions you take that correspond to a service request, such as setting privacy preferences, logging in or filling out forms. You can set your browser so that you block these cookies or are notified accordingly. If you make these settings, some areas of the website may not work.

The legal basis for the use of strictly necessary cookies is Art. 6 para. 1 lit. b GDPR (fulfilment of contract), Art. 6 para. 1 lit. c GDPR (legal obligation) or Art. 6 para. 1 lit. f GDPR (balancing of interests, based on our legitimate and overriding interest in the technically smooth provision of our website).

aa. One Trust Cookie-Consent

Our website uses the cookie consent technology of OneTrust, 82 St John St Farringdon, London EC1M 4JN, United Kingdom, to obtain your consent to the storage of certain cookies in your browser and to document this in accordance with data protection regulations. A cookie is set for this purpose. Cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR. bb. Tealium Consent Preferences

bb. Tealium Consent Preferences

To manage consent preferences via third-party tags, we set a cookie that is linked to our consumer data platform Tealium. The provider is Tealium, 11095 Torreyana Road, San Diego, CA 92121, and the user data itself is hosted on Tealium's servers in Frankfurt am Main, Germany. The legal basis for the processing of your data is Art. 6 para. 1 lit. c GDPR.

b. Functional cookies or performance cookies

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we use on our sites. These cookies also allow us to count visits and traffic sources so that we can measure and improve the performance of our website. If you do not allow these cookies, some or all of these services may not work properly.

The legal basis for the use of functional cookies is Art. 6 para. 1 lit. a GDPR in conjunction with your consent.

Revocation:

You have the option to revoke your consent to the use of functional cookies at any time with effect for the future in the cookie settings. The legal basis for this is Art. 7 para. 3 sentence 1 GDPR.

aa. Google 360 Analytics, Google Tag Manager

Our website uses Google Analytics and Google Tag Manager as web analytics services provided by Google LLC. (‘Google’) based in the USA. Google Analytics / Google Tag Manager use cookies, which are stored on your computer and enable your use of the website to be analysed. This allows us to regularly improve our website and make it more interesting.

The information generated by the cookie about your use of our website (including your IP address in anonymised form) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of analysing your use of the website, compiling reports on website activity for us as the website operator and providing other services relating to website activity and internet usage.

The legal basis for the processing is Art. 6 para. 1 lit. a GDPR.

In addition to revoking the functional cookies in the cookie settings, you also have the option of preventing the collection of the data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Overview to data protection: https://policies.google.com/?hl=de&gl=de

Privacy Policy: http://www.google.de/intl/de/policies/privacy.

bb. Google Enhanced Conversion

Within the Google Tag Manager as a tag management system, we use Google Enhanced Conversions from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you visit our website and are redirected from a Google advert, we send a hashed identifier and information about potential purchases to Google. To do this, the secure one-way hash algorithm SHA256 is applied to the email address we collect from you before it is sent to Google. The hash data is then matched with logged-in Google accounts. Google processes the data to understand which ad you have clicked on, to measure the success of this and to provide us with this information in aggregated form. This allows us to track sales and measure the success of adverts. Google stores the data for a period of 140 days if it was possible to link the conversions to a Google user, otherwise the data is deleted after 60 days.

The legal basis for the processing is Art. 6 para. 1 lit. a GDPR.

In addition to revoking the functional cookies in the cookie settings, you also have the option of preventing Google from collecting the data generated by the cookie and relating to your use of the website and from processing this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

c. Marketing and analysis cookies

These cookies may be set through our website by our marketing and analytics partners. They may be used by these companies to build a profile of your interests and show you relevant adverts on other websites. If you do not allow these cookies, you will experience less targeted advertising.

The legal basis for the use of marketing and analysis cookies is Art. 6 para. 1 lit. a GDPR in conjunction with your consent.

Revocation:

You have the option to revoke your consent to the use of marketing and analysis cookies at any time with effect for the future under the cookie settings. The legal basis for this is Art. 7 para. 3 sentence 1 GDPR.

aa. Optimization of the display of advertising offers using Dynamic Yield

This website uses the services of Dynamic Yield Ltd., Highlands House, Basingstoke Road, Spencers Wood, Reading, Berkshire, England, RG7 1NT (https://www.dynamicyield.com). With the recommendation tool Dynamic Yield, our website is optimized to make your website visit a personal experience through tailor-made recommendations and content. We use the page content you access to offer you equivalent or thematically related products or other content that is relevant to you recommend.

Dynamic Yield collects pseudonymized information about your usage activities on our site. Cookies are used to store only pseudonymized information under a randomly generated ID (pseudonym). A direct personal reference is therefore not possible.

The legal basis for the processing of your data is Art. 6 (1) (a) GDPR.

In addition to the option of deselecting processing for marketing and analysis purposes in the cookie settings, you can also delete the cookies stored on you after visiting our website or set your internet browser so that none of these cookies can be stored on your computer.

bb. Facebook Website Custom Audiences

Users of the social network Facebook, a product of the provider Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, should note that the communication tool Website Custom Audiences or Facebook Custom Audience with Facebook's Facebook Pixel is used on this website. For this purpose, so-called Facebook pixels are integrated into our websites, which mark you as a visitor to our website without identifying you as a person. If you are later logged in to Facebook, a non-reversible and thus non-personal checksum (profile) from your usage data will be transmitted to Facebook for analysis and marketing purposes. Each Facebook user has a unique and device-independent Facebook ID, which allows us to address users across multiple devices on the Facebook social network. We do not become aware of any personal information about individual website visitors. Further information about the purpose and scope of the data collection and the further processing and use of the data by Facebook as well as your setting options for the protection of privacy can be found in Facebook's privacy policy, which can be found on https://www.facebook.com/about/privacy, https://www.facebook.com/ads/website_custom_audiences/ among other places.

The legal basis for the processing of your data is Art. 6 (1) (a) GDPR.

In addition to the option of deselecting processing for marketing and analysis purposes in the cookie settings, you can also delete the cookies stored on you after visiting our website or set your internet browser so that none of these cookies can be stored on your computer.

cc. Integration of Youtube videos

We have integrated YouTube videos into our online offering, which are stored on http://www.YouTube.com and can be played directly from our website. This is an offer from YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These are all integrated in the "extended data protection mode", i.e. no data about you as a user is transmitted to YouTube if you do not play the videos. Only when you play the videos will the following data be transferred. We have no influence on this data transfer.

By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. This happens regardless of whether you provide YouTube with a user account that you're logged in with or whether you don't have an account. If you're logged in to Google, your data will be directly associated with your account. If you do not want to be assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular for the purpose of providing needs-based advertising and to inform other users of the social network about your activities on our website.

The legal basis for the processing of your data is Art. 6 (1) (a) GDPR. You have the option of opting out of processing for marketing and analysis purposes at any time in the cookie settings.

For more information on the handling of user data, please see the privacy policy at: https://policies.google.com/privacy?hl=de&gl=de.

dd. Tealium

On this website, we use Tealium's technologies. The provider is Tealium, 11095 Torreyana Road, San Diego, CA 92121. Tealium is a consumer data platform that allows us to segment and target in order to get a uniform view of our website visitors. Tealium collects movement and behavioral data on the Site. In addition, all transaction data about purchases is sent to Tealium. For this purpose, the following personal data will be processed: contact details (e-mail, title, first and last name, postal address), transaction data (purchases, products purchased, payment method), website behavioural data (sessions, views, clicks, conversions).

The cookies are stored for a maximum of 12 months and then deleted.

The user data itself is hosted on Tealium's servers in Frankfurt am Main, Germany.

The legal basis for the processing of your data is your consent within the meaning of Art. 6 (1) (a) GDPR.

You have the option of opting out of processing for marketing and analysis purposes at any time in the cookie settings.

For more information about Tealium's data processing, please visit: https://tealium.com/privacy-policy/.

ee. Google Ads

We use Google Ads from Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Ads allows us to draw attention to our attractive offers on Google search results pages, other external sites and within the Google Display Network. We use this to track your interest in showing you ads that may be of interest to you. In addition, we use the retargeting function to show visitors to our site targeted offers.

These advertising materials are delivered by Google via so-called "ad servers". For this purpose, we use ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks. If you access our website via a Google ad, Google Ads will store a cookie in your device. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wants to be addressed) are usually stored as analysis values.

These cookies allow Google to recognize your internet browser. If a user visits certain pages of an Ads Client's website and the cookie stored on their computer has not expired, Google and the Ads Client can recognise that the user clicked on the ad and was redirected to that page. Each Ads customer is assigned a different cookie. Cookies cannot be tracked through the websites of Ads customers. Google provides us with statistical evaluations. Based on these evaluations, we can see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material, in particular we cannot identify the users on the basis of this information.

The legal basis for the processing of your data is Art. 6 (1) (a) GDPR.

In addition to the option of opting out of processing for marketing and analysis purposes in the cookie settings, you can prevent this tracking procedure in various ways: a) by setting your browser software accordingly, in particular the suppression of third-party cookies will result in you not receiving third-party ads; b) by disabling cookies for conversion tracking by setting your browser to block cookies, https://www.google.de/settings/ads, which setting will be deleted when you delete your cookies; c) by permanently deactivating it in your Firefox, Internet Explorer or Google Chrome browsers under the link http://www.google.com/settings/ads/plugin.

You can find more information about data protection at Google here: http://www.google.com/intl/de/policies/privacy.

ff. Google Customer Match

We use Google Customer Match as part of our Google Ads advertising activities, especially for remarketing. This allows us to show you targeted advertising content across the Google Display Network, Google Search, and YouTube. For this purpose, your email address, which is encrypted as a hash value, is compared with the email address stored with your Google account. Google does not have access to the actual email addresses. Google does not share the information with third parties, including other advertisers.

The legal basis for the processing of your data is Art. 6 (1) (a) GDPR.

You have the option of opting out of processing for marketing and analysis purposes at any time in the cookie settings.

You can find more information about data protection at Google here: http://www.google.com/intl/de/policies/privacy.

IV. Are social plug-ins used?

We use social plugins on our website for advertising purposes from the social networks Facebook, Pinterest, Instagram and YouTube on the basis of Art. 6 para. 1 lit. f GDPR. Plugins are small programs or extensions to use these additional functions.

In order to increase the protection of your data when you visit our website, the plugins are integrated into the site by means of a so-called "2-click solution". This integration ensures that when a page of our website that contains such plugins is accessed, no connection to the servers of Facebook, Google and Pinterest is established. Only when you activate the plugins and thus give your consent to the data transmission does your browser establish a direct connection to the servers of Google, Facebook or Pinterest. The content of the respective plugin is then transmitted directly to your browser by the associated provider and integrated into the page. By integrating the plugins, the providers receive the information that your browser has called up the corresponding page of our website, even if you do not have a profile with the corresponding provider or are not logged in at the moment. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider and stored there. If you do not want social networks to collect data about you via our website, you must log out of the social networks before visiting our website.

On our website we have the social plug-ins of the followingCompanies involved:

Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Irland; http://www.facebook.com/policy.php; further informationen for data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo.

Google LLC., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de.

Pinterest Europe Ltd, WeWork, 2 Dublin Landings, N Wall Quay, Dublin 1, D01 V4A3, https://policy.pinterest.com/de/privacy-policy.

V. To which categories of recipients do we share your data, if any?

The data we collect is not sold. We only share the information we receive with third parties for the following purposes:

• Affiliates

  (HABA Group B.V. & Co. KG, HABA Sales GmbH & Co. KG and, among others, their brands HABA, HABA Pro and JAKO-O) to compare the address database on the basis of Art. 6 (1) (f) GDPR, if they are either subject to this privacy policy or follow guidelines that offer at least as much protection as this privacy policy.

• Order processing and vicarious agents:

  We commission other companies and individuals to perform tasks for us. Examples include support in the organization of events, sending letters or e-mails, maintaining our contact lists, analyzing our databases and advertising measures. These service providers receive from us the personal information from you that is needed to perform their functions.

  However, these companies may not use it for any other purpose. In addition,

  cloud outsourcing partners or hosting service providers

  also act for us as processors.

• Payment/payment service providers

• Shipping service providers

• Brand manufacturers and publishers:

  Within the framework of Art. 6 para. 1 lit. f GDPR, we enable carefully selected shipping companies, brand manufacturers and publishers and our affiliated companies to provide you with information and offers as part of the advertising postal approach. For third-party marketing purposes, only data will be passed on where this is permitted by law. If you do not wish this, you can object to us using your data for marketing purposes at any time.

• Service providers for credit and credit information

In all other cases, we will notify you if personal information is shared with third parties.

VI. Will the personal data be transferred to an international organisation or a third country?

As a matter of principle, we do not share your data with an international organisation.

In the case of data transfer to recipients based outside the European Union or the European Economic Area (so-called third country), this is done on the basis of so-called standard contractual clauses of the EU Commission as a suitable guarantee to ensure the level of protection of your personal data.

VII. What profiling do we do?

In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and carry out the business relationship.

VIII. What measures are taken to ensure the security of my data?

In order to avoid loss or misuse of the data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress. Among other things, we use SSL (RSA 1024 bit) as encryption and security software, i.e. all your personal data (name, address, credit card number, bank code, account number, etc.) is encrypted and transmitted securely on the Internet. This method is successfully used throughout the World Wide Web. You can tell by a symbol (closed padlock) in the lower window bar of your browser that you are in the secured area.

IX. How long do we keep your data?

In principle, we anonymize and/or delete your personal data as soon as it is no longer required for the above-mentioned purposes and unless we are obliged to continue storing it by legal obligations to provide evidence and retention (e.g. according to the German Commercial Code, the German Fiscal Code).

X. What rights do you have?

The GDPR regulates your rights primarily in Articles 15 to 22 GDPR. Accordingly, you have the right to information at any time about the data stored regarding you, its origin and recipients as well as the purpose of storage. In addition, you have the right to request the deletion of your data as well as a restriction of processing, the correction of your data and the transfer of your data in a commonly used machine-readable format. In addition, there is information about the existence of automated decision-making, including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and intended effects of such processing with regard to your person.

Objection or revocation to the processing of your data: If you have given your consent to the processing of your data, you can revoke it at any time with effect for the future by contacting the postal or e-mail address listed in section I. Case-by-case right to object: If we base the processing of your personal data on a balancing of interests in accordance with Art. 6 (1) (f) GDPR, you can object to the processing. This also applies to profiling based on this provision within the meaning of Art. 4 (4) GDPR. If you exercise such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of a justified objection, we will examine the facts of the case and will either stop or adapt the data processing or show you our compelling legitimate grounds on the basis of which we continue the processing.

Of course, you can object to the processing of your personal data for advertising and data analysis purposes at any time; this also applies to profiling, insofar as it is related to such direct advertising. Please send your objection to advertising to the postal or e-mail address listed under section I.

XI. Which complaints office can you contact?

You have the option of contacting the address of the above-mentioned data protection officer. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes data protection regulations. The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht Postfach 606 91511 Ansbach Deutschland Telefon: +49 (0) 981 53 1300 Telefax: +49 (0) 981 53 98 1300 E-Mail: poststelle@lda.bayern.de

If you want to file a complaint, you can use the online complaint form of the supervisory authority: (https://www.lda.bayern.de/de/beschwerde.html)