Privacy Policy

At Brunati Como, we are committed to protecting your privacy and handling your personal data responsibly.

This Privacy Policy explains how we collect, use, store, process, and protect personal data when you visit our website, place an order, subscribe to our newsletter, contact us, or otherwise interact with us.

We process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or disclosure. However, please note that no method of transmission over the Internet or electronic storage can be guaranteed to be completely secure.

1. Definitions

The data protection declaration of the Brunati Como is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

1. a)    Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1. b) Data subject

Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

1. c)    Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1. d)    Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

1. e)    Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

1. f)     Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

1. g)    Controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1. h)    Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

1. i)      Recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

1. j)      Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

1. k)    Consent

Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and Address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

Brunati Como
Thomas Ziegler GbR
Columbusstrasse 76
40549 Düsseldorf
Germany 
Phone: +49 (0) 211 13 06 86 82
Email: contact@brunaticomo.com
Website: www.brunaticomo.com 

3. Cookies

Our website uses cookies and similar technologies to provide essential website functionality, improve user experience, analyse website performance, and support marketing activities.

Cookies are small text files that are stored on your device by your web browser. Some cookies are necessary for the operation of our website, while others help us understand how visitors interact with our website or allow us to provide personalised content and advertising.

We use a consent management platform to obtain and manage your cookie preferences where required by applicable law. You may accept, reject, or modify your consent preferences at any time through our cookie settings.

You can also configure your browser to block or delete cookies. Please note that disabling certain cookies may affect the functionality and performance of our website and may prevent some features from operating correctly.

For detailed information about the cookies and technologies we use, their purposes, retention periods, and providers, please refer to our cookie preferences centre available on our website.

4. Collection of general data and information

When you visit our website, certain information is automatically collected and stored in server log files.

This information may include:

• browser type and version
• operating system
• referring website
• pages visited on our website
• date and time of access
• IP address
• internet service provider
• device and technical connection information

This information is processed to ensure the functionality, security, stability, and optimisation of our website, to detect and prevent misuse, and to improve the user experience.

The processing is based on our legitimate interest in maintaining a secure and reliable online presence in accordance with Article 6(1)(f) GDPR.

Server log data is generally stored separately from other personal data provided by users and is retained only for as long as necessary to fulfil the purposes described above or to comply with legal obligations.

5. Customer Accounts and Registration

Customers may choose to create an account on our website or place orders as a guest, where available.

When a customer creates an account, we collect and process the personal data provided during registration, such as name, email address, billing and shipping information, and other information voluntarily provided by the customer.

The purpose of processing this data is to provide and manage customer accounts, facilitate future purchases, process orders, provide customer support, and improve the user experience.

For security and fraud prevention purposes, we may also record technical information associated with the registration or login process, including IP address, date, and time of registration.

Personal data may be shared with carefully selected service providers where necessary for the operation of our online store, order fulfilment, payment processing, shipping, fraud prevention, or customer support.

Customers may access, update, or request deletion of their account information at any time, subject to applicable legal retention obligations.

The processing of personal data in connection with customer accounts is based on Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests in maintaining secure customer accounts and preventing misuse).

6. Subscription to our newsletters

Users may subscribe to our newsletter through our website.

When subscribing to the newsletter, we collect and process the information provided during registration, such as the email address and, where applicable, additional information voluntarily provided by the subscriber.

Newsletter subscriptions are processed using a double opt-in procedure. After registration, a confirmation email is sent to the email address provided. The subscription is only activated once the confirmation link has been clicked.

For documentation and security purposes, we may store the IP address, date, and time of the subscription and confirmation process.

We use this information to send newsletters, promotional communications, updates about our products and services, and other marketing communications where the subscriber has provided consent.

Subscribers may withdraw their consent and unsubscribe from the newsletter at any time by clicking the unsubscribe link included in every newsletter or by contacting us directly.

The processing of personal data for newsletter subscriptions is based on the subscriber's consent in accordance with Article 6(1)(a) GDPR.

7. Newsletter-Tracking

Our newsletters may contain technologies that allow us to measure the performance of our email communications, such as whether a newsletter has been opened, whether links have been clicked, and how recipients interact with the content.

The information collected may include technical information about the recipient's device, email client, interactions with the newsletter, and related usage statistics.

We use this information to evaluate the effectiveness of our newsletters, improve our communications, better understand subscriber interests, and optimise future marketing campaigns.

Newsletter performance measurement is carried out only where permitted by applicable law and, where required, on the basis of the subscriber's consent.

Subscribers may withdraw their consent to receive newsletters at any time by using the unsubscribe link included in every newsletter or by contacting us directly.

The processing of personal data in connection with newsletter tracking is based on Article 6(1)(a) GDPR (consent) and, where applicable, Article 6(1)(f) GDPR (legitimate interest in analysing and improving our communications).

8. Contact possibility via the website

Our website contains contact forms and provides contact details that enable users to communicate with us electronically.

When you contact us by email, contact form, live chat, or other communication channels, we process the personal data you provide, such as your name, email address, order information, and the content of your enquiry.

We process this information solely for the purpose of responding to your enquiry, providing customer support, processing requests, and maintaining our business relationship with you.

Where necessary, personal data may be shared with carefully selected service providers who assist us in operating our website, managing customer communications, or providing customer support.

The processing of personal data in connection with enquiries is based on Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures) and Article 6(1)(f) GDPR (legitimate interest in responding to enquiries and providing customer service).

9. Routine erasure and blocking of personal data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including the provision of our services, the performance of contracts, compliance with legal obligations, the resolution of disputes, and the enforcement of our agreements.

Where personal data is no longer required for the purposes for which it was collected, and no statutory retention obligations apply, the data will be deleted, anonymised, or otherwise securely disposed of in accordance with applicable legal requirements.

Where retention periods are prescribed by law, the relevant personal data will be retained for the duration required by the applicable legal provisions and deleted thereafter.

10. Rights of the data subject

1. a) Right of confirmation

Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.

1. b) Right of access

Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the existence of the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.

1. c) Right to rectification

Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.

1. d) Right to erasure (Right to be forgotten)

Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
• The personal data have been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by Brunati Como, he or she may, at any time, contact any employee of the controller. An employee of Brunati Como shall promptly ensure that the erasure request is complied with immediately.

Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. An employees of Brunati Como will arrange the necessary measures in individual cases.

1. e) Right of restriction of processing

Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
• The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by Brunati Como , he or she may at any time contact any employee of the controller. The employee of the Brunati Como will arrange the restriction of the processing.

1. f) Right to data portability

Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

In order to assert the right to data portability, the data subject may at any time contact any employee of Brunati Como .

1. g) Right to object

Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

Brunati Como shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If Brunati Como processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to Brunati Como to the processing for direct marketing purposes, the Brunati Como will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by Brunati Como for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may contact any employee of Brunati Como . In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.

1. h) Automated individual decision-making, including profiling

Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, the Brunati Como shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of Brunati Como.

1. i) Right to withdraw data protection consent

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.

If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of Brunati Como .

11. Data protection provisions regarding Meta Pixel

We use Meta Pixel, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Meta Pixel enables us to measure the effectiveness of our advertising campaigns, understand how visitors interact with our website, and deliver relevant advertisements to users on Meta platforms, including Facebook and Instagram.

Meta Pixel may collect information about your interaction with our website, including pages visited, products viewed, purchases made, device information, browser information, IP address, and other online identifiers.

The processing of personal data through Meta Pixel takes place only where the user has provided the required consent through our consent management platform.

The information collected may be transmitted to Meta and processed in accordance with Meta's Privacy Policy.

Users may withdraw their consent at any time through the cookie settings available on our website.

Further information can be found at:

https://www.facebook.com/privacy/policy/

12. Data protection provisions regarding Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics 4 helps us understand how visitors use our website, evaluate website performance, improve user experience, and optimise our products, services, and marketing activities.

Google Analytics 4 may collect information including pages visited, interactions with the website, approximate geographic location, device information, browser information, and online identifiers.

The processing of personal data through Google Analytics 4 takes place only where the user has provided the required consent through our consent management platform.

Users may withdraw their consent at any time through the cookie settings available on our website.

Google may process certain information on servers located outside the European Union. Where personal data is transferred internationally, appropriate safeguards are implemented in accordance with applicable data protection laws.

Further information can be found at:

https://policies.google.com/privacy

https://support.google.com/analytics

13. Data protection provisions about the application and use of Google Ads and Remarketing

We use Google Ads and Google Ads Remarketing services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to advertise our products and services through Google Search, Google Shopping, YouTube, and the Google advertising network.

Google Ads Conversion Tracking allows us to measure the effectiveness of our advertising campaigns by determining whether users perform specific actions on our website after interacting with an advertisement, such as completing a purchase or submitting an enquiry.

Google Ads Remarketing enables us to display personalised advertisements to users who have previously visited our website and shown interest in our products or services.

For these purposes, Google may process information including pages visited, products viewed, interactions with our website, browser information, device information, IP address, and online identifiers.

The processing of personal data through Google Ads and Remarketing takes place only where the user has provided the required consent through our consent management platform.

Users may withdraw their consent at any time through the cookie settings available on our website.

Google may process certain information on servers located outside the European Union. Where personal data is transferred internationally, appropriate safeguards are implemented in accordance with applicable data protection laws.

Further information can be found at:

https://policies.google.com/privacy

https://ads.google.com

14. Data protection provisions about the application and use of Instagram

Our website may display content from Instagram and may provide links to our Instagram presence. Instagram is a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When Instagram content is displayed on our website, technical information such as your IP address, browser information, and device information may be transmitted to Instagram in order to display the content correctly.

If you are logged into your Instagram account while visiting our website, Instagram may associate your visit with your Instagram profile in accordance with Instagram's own privacy practices.

The integration of Instagram content and related processing of personal data takes place only where permitted under applicable data protection laws and, where required, on the basis of your consent.

Further information about how Instagram processes personal data can be found at:

https://privacycenter.instagram.com/

https://www.facebook.com/privacy/policy/

15. Payment Service Providers

To process payments for orders placed through our website, we work with various payment service providers and payment networks, including Shopify Payments, Stripe, PayPal, Shop Pay, Apple Pay, Google Pay, TWINT, Bancontact, EPS, iDEAL / Wero, UnionPay, Visa, Mastercard, American Express, Maestro, and other locally available payment methods.

Depending on the selected payment method, personal data required for payment processing may be transmitted to the respective payment service provider. This may include, for example, name, billing address, delivery address, email address, payment information, IP address, transaction details, and order information.

The transmission of data is carried out exclusively for the purpose of payment processing, fraud prevention, identity verification where required, and the fulfilment of contractual obligations.

The respective payment service provider processes personal data under its own responsibility and in accordance with its own privacy policy.

Further information can be found in the privacy policies of the principal payment providers:

PayPal: https://www.paypal.com/privacy

Shopify: https://www.shopify.com/legal/privacy

Stripe: https://stripe.com/privacy

16. Shopify and Shopify Analytics

We operate our online store using Shopify, a service provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Shopify provides the e-commerce platform through which we offer and sell our products. In connection with the operation of our online store, Shopify may process personal data such as name, email address, billing and shipping address, order details, payment information, IP address, device information, and usage data.

We may use Shopify Analytics and related reporting tools to understand website usage, customer behaviour, store performance, and sales activity. This information helps us improve our products, services, and customer experience.

Where available, customers may also choose to use Shop Pay and related Shopify services, including the Shop App, which may provide order tracking, accelerated checkout functionality, and additional customer account features.

Further information can be found in Shopify’s Privacy Policy:

https://www.shopify.com/legal/privacy

17. Pinterest

We use Pinterest Tag, a service provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

Pinterest Tag enables us to measure the effectiveness of our Pinterest advertising campaigns, understand how visitors interact with our website, and display relevant advertisements to users on Pinterest.

Pinterest may process information such as pages visited, products viewed, purchases made, browser information, device information, IP address, and online identifiers.

The processing of personal data through Pinterest Tag takes place only where the user has provided the required consent through our consent management platform.

Users may withdraw their consent at any time through the cookie settings available on our website.

Further information can be found in Pinterest’s Privacy Policy:

https://policy.pinterest.com/en/privacy-policy

18. Shipping and fulfilment Providers

To process and deliver orders, we share personal data with shipping and logistics providers where necessary.

This may include name, delivery address, email address, telephone number, order information, shipment details, and tracking information.

We currently work with shipping and logistics providers including DHL Express and UPS.

The processing of this data is necessary for order fulfilment, shipment processing, delivery notifications, tracking services, returns handling, and customer support.

The legal basis for this processing is Article 6(1)(b) GDPR, as it is necessary for the performance of the purchase contract, and Article 6(1)(f) GDPR, based on our legitimate interest in reliable and efficient order fulfilment.

Further information can be found in the privacy policies of the respective providers:

DHL: https://group.dhl.com/en/data-protection.html

UPS: https://www.ups.com/privacy

19. Consent Management

We use a consent management platform to obtain, manage, and document user consent for cookies and similar technologies where required by applicable law.

The consent management platform enables visitors to accept, reject, or customise their privacy preferences and allows us to document consent decisions in accordance with applicable data protection regulations.

Users may modify or withdraw their consent at any time through the privacy settings available on our website.

The legal basis for this processing is Article 6(1)(c) GDPR and Article 6(1)(a) GDPR where consent is required.

20. Legal basis for the processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. Is our company subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

21. The legitimate interests pursued by the controller or by a third party

Where the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interests include the operation and improvement of our website, the provision of our products and services, customer support, fraud prevention, IT security, direct marketing where permitted by law, and the efficient administration of our business activities.

22. Period for which the personal data will be stored

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.

1. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data

We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject must contact any employee. The employee clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of non-provision of the personal data.

23. Automated decision-making

We do not use automated decision-making within the meaning of Article 22 GDPR that produces legal effects concerning individuals or similarly significantly affects them.