This Data Protection Policy explains to you the nature, scope, and purpose of the processing of personal data in connection with the use our website and social media profiles. With respect to terminology used, please see the definitions in Article 4 of the EU General Data Protection Regulation (GDPR).
Company: webcuisine GmbH & Co. KG
Address: Goseriede 4
Postal code, city, country: 30159 Hannover, Germany
Commercial register/no. Local Court of Hannover, HRA 203017
General partner: united cuisines GmbH, Local Court of Hannover, HRB 216259
Represented by its general manager: Sascha-Matthias Kulawik
Phone number: 0511/1659090
Data protection officer:
Type of data processed:
- Identifier data (e.g. name, address)
- Contact data (e.g. email address, phone numbers)
- Content data (e.g. text entries, photographs, videos)
- Use data (e.g. visited websites, interest in content, access times)
- Meta/communication data (e.g. device information, IP addresses)
Processing of special categories of personal data (Article 9(1) GDPR):
No special categories of personal data are processed.
Categories of data subjects affected by processing
- Customers/potential customers/suppliers
- Website visitors and users
In the following, we also refer to data subjects collectively as “users”.
Purpose of data processing:
- For making available our website, its content, and its features
- For providing contractual and customer-care services
- For responding to queries and communicating with users
- For marketing, advertising, and market research
- For security measures
Last updated: 16 May 2018
Pursuant to Article 13 GDPR, we are notifying you of the legal bases for our data processing. If the legal basis is not specified in the Data Protection Policy, then the following applies: the legal basis for obtaining consent is Articles 6(1)(a) and 7 GDPR; the legal basis for processing for the purposes of performing our contracts and responding to enquiries is Article 6(1)(b) GDPR; the legal basis for processing for the purposes of complying with our legal obligations is Article 6(1)(c) GDPR; and the legal basis for processing for the purposes of our legitimate interests is Article 6(1)(f) GDPR. In the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Article 6(1)(d) GDPR.
- Changes and updates to the Data Protection Policy
We ask that you regularly inform yourself about the content of our Data Protection Policy. We modify it where required by changes in the way we process data. We will inform you if the changes require action on your part (e.g. consent) or if some other individual notification is necessary.
- Security measures
- Pursuant to Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including ensuring the confidentiality, integrity and availability of data though the control of the physical access to them, as well as ensuring the access relating to them, entry, disclosure, ensuring the availability and its separation. In addition, we have established procedures to ensure the exercise by data subjects of their rights, the erasure of data and the response to threat to the data. Furthermore, we take into consideration the protection of personal data when developing and/or selecting hardware, software and processes, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
- Security measures also include the encrypted transmission of data between your browser and our server.
- Collaboration with processors and third parties
- If in connection with our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this occurs only on the basis of a statutory permission (e.g. if transmission of the data to third parties, such as to payment services providers, is necessary for contract performance pursuant to Article 6(1)(b) GDPR), you have consented, a legal obligation specifies this or on the basis of our legitimate interests (e.g. when making use of agents, webhosts, etc.).
- If we engage third parties to process data on the basis of a so-called “processor contract”, this takes place on the basis of Article 28 GDPR.
- Transmission to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or if this takes place in connection with the use of third-party services or disclosure or, as the case may be, transmission of data to third parties, this occurs only if it takes place for the purposes of performing our (pre-)contractual duties, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process the data or have them processed in a third country only when the special conditions in Articles 44 et seq. GDPR are met. This means that processing occurs, e.g. on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU (e.g. for the U.S., through the “Privacy Shield”), or in compliance with officially recognised special contractual obligations (so-called “standard contract clauses”).
- Rights of data subjects
- Pursuant to Article 15 GDPR, you have the right to obtain confirmation as to whether or not relevant data are being processed, as well as access to the data, further information and a copy of the data.
- Pursuant to Article 16 GDPR, you have the right to obtain the completion of data concerning you or the rectification of inaccurate data concerning you.
- Pursuant to Article 17 GDPR, you have the right to obtain the erasure of relevant data without undue delay or alternatively, pursuant to Article 18 GDPR, to obtain a restriction on the processing of data.
- Pursuant to Article 20 GDPR, you have the right to receive the data concerning you that you have provided to us and to have them transmitted to another controller.
- Pursuant to Article 77 GDPR, you furthermore have the right to lodge a complaint with the responsible supervisory authority.
- Right to withdraw
Pursuant to Article 7(3) GDPR, you have the right to withdraw consent with future effect.
- Right to object
Pursuant to Article 21 GDPR, you may at any time object to the future processing of data concerning you. The objection can be lodged, in particular, against processing for direct marketing purposes.
- Cookies and right to object in the case of direct marketing
- Erasure of data
- Pursuant to Articles 17 and 18 GDPR, data processed by us are erased or restricted in their processing. Unless expressly indicated in connection with this Data Protection Policy, the data stored by us are erased once they are no longer needed for their intended purpose and erasure is not prevented by statutory retention duties. If the data are not erased because they are needed for other purposes permitted by statute, their processing is restricted. This means that the data are blocked and are not processed for other purposes. That applies e.g. to data that are required to be retained for reasons of commercial law or tax law.
- Retention occurs for six years pursuant to section 257 (1) of the German Commercial Code (HGB) (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, booking receipts, etc.) and for ten years pursuant to section 147 (1) of the German Fiscal Code (AO) (books, records, management reports, booking receipts, commercial and business letters, documents relevant for taxation, etc.).
- Provision of contractual services
- Pursuant to Article 6(1)(b) GDPR, we process identifier data (e.g. names and addresses, as well as contact data of users), contract data (e.g. services made use of, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services. The entries designated as mandatory in online forms are necessary for contract conclusion.
- In connection with the use of our online services, we store the IP address and the time of the respective user action. Storage takes place on the basis of our legitimate interests, as well as that of users in protection against misuse and other unauthorised use. As a rule, these data are not disclosed to third parties, unless this is necessary for pursuing our claims or there is a legal obligation to do so pursuant to Article 6(1)(c) GDPR.
- Erasure takes place after expiry of the statutory warranty and comparable duties, the necessity of retention of the data is reviewed every three years; in the case of statutory archiving duties, erasure takes place after their expiry (end of retention duty under commercial law (six years) and tax law (10 years)); information in the customer account remains there until it is erased.
- When contacting us (using the contact form or by email), the user’s information is processed for handling the contact enquiry pursuant to Article 6(1)(b) GDPR.
- The information of users may be stored in our customer relationship management system (“CRM system”) or comparable enquiry organisation.
- We use the CRM system “Zoho CRM” of the provider Zoho Corporation Pvt. Ltd, 4141 Hacienda Drive, Pleasanton, California 94588, U.S., on the basis of our legitimate interests (quick, efficient handling of user enquiries). We have concluded a contract with Zoho with so-called standard contract clauses in which Zoho undertakes to process user data only in accordance with our instructions and in compliance with the EU level of data protection. Zoho undertakes to process user data in compliance with the EU level of data protection and is certified under ISO27001 and SOC 2 type 2. Furthermore, Zoho is certified under the Privacy Shield agreement and offers through this an additional guarantee to comply with European data protection law (https://www.zoho.com/de/gdpr.html).
- We erase the enquiries once they are no longer needed. We review the necessity every two years; we permanently store enquiries from customers with a customer account and refer with regard to erasure to the information concerning the customer account. In the case of statutory archiving duties, erasure takes place after their expiry (end of retention duty under commercial law (six years) and tax law (10 years)).
- When users leave comments, their IP addresses are stored on the basis of our legitimate interests within the meaning of Article 6(1)(f) GDPR for seven days.
- This takes place for our security in the event someone leaves unlawful content in comments (insults, prohibited political propaganda, etc.). In such case, we may be held responsible for the comment and are therefore interested in the identity of the author.
- Collection of access data and log files
- On the basis of our legitimate interests within the meaning of Article 6(1)(f) GDPR, we collect data about every access of our server on which this website is hosted (so-called server log files). The access data include the name of the accessed website, file, date and time of day of access, amount of data transferred, notification of successful access, type of browser, including version, the user’s operating system, referrer URL (of the site previously visited), IP address, and the requesting provider.
- For security reasons (e.g. to investigate acts of misuse or fraud), log file information is stored for a maximum of three months and then erased. Data that need to continue to be retained for evidentiary purposes are excluded from erasure until the relevant event has been definitively resolved.
- Online presence in social media
- We maintain an online presence on social networks and platforms in order to be able to communicate with customers, potential customer and users who are active there and inform them there about our services. When accessing the respective network and platforms, the business terms, conditions and data processing policies of their respective operators are applicable.
- Unless indicated otherwise in connection with our Data Protection Policy, we process the data of users if they communicate with us on social networks and platforms, e.g. write comments there or send us messages.
- Cookies and reach measurement
- Cookies are information that is transferred from our webserver or third-party webservers to the web browsers of users and stored there for later access. Cookies may involve small files or other types of information storage.
- We use session cookies, which are placed only for the duration of the current visit to our website. A so-called session ID is placed in each session cookie, i.e. a randomly generated, unique identification number. In addition, a cookie contains information about its origin and storage period. These cookies cannot store any other data. Cookies are deleted when you end the use of our website and e.g. log out or close your browser.
- If users do not wish to have cookies stored on their computer, they are requested to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies may result in restrictions in the features of this website.
- Google Analytics
- Google is certified under the Privacy Shield agreement and offers through this an additional guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf in order to evaluate the use of our website by users, to compile reports about activities within this website and to provide other services to us related to the use of this website and internet usage. In this regard, pseudonymous use profiles of users may be generated from the processed data.
- We use Google Analytics only with activated IP anonymisation. This means that the IP address of users is first shortened by Google within the Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the U.S. and shortened there.
- The IP address transmitted by the user’s browser is not combined by Google with other data. Users can prevent the storage of cookies through a corresponding setting in their browser software; users can also prevent the collection of data generated by the cookie about their use of the website from being sent to and processed by Google by downloading and installing the browser plug-in available at the following link:https://tools.google.com/dlpage/gaoptout?hl=de.
- More information about the use of data by Google, settings and objection options can be found on Google’s websites:https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google in connection with your use of website or apps of our partners”), https://policies.google.com/technologies/ads (“Data use for advertising purposes”), https://adssettings.google.com/authenticated (“Managing information that Google uses to display advertising to you”, https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&visit_id=0-636627491772075820-392588789&hl=de&rd=1 (“Application form for removing personal data”).
- With the following information, we inform you about the content of our newsletter, as well as about the subscription, mailing, statistical analysis procedures and your rights to object. By subscribing to our newsletter, you declare that you are in agreement with receiving it and with the described procedure.
- Content of the newsletter: We send newsletters, emails and other electronic notifications with advertising information (hereinafter, “newsletters”) only with the consent of recipients or statutory permission. If in connection with a subscription to the newsletter its content is specifically described, such content is controlling for the consent of users. In addition, our newsletters contain information about our products, offers, campaigns and our company.
- Double opt-in and logging: The subscription to our newsletter takes place using a so-called double opt-in procedure. This means that after subscribing, you will receive an email requesting that you confirm your subscription. This confirmation is necessary so that no one can subscribe with foreign email addresses. Subscriptions to the newsletter are logged in order to be able to demonstrate that the subscription process was consistent with legal requirements. This includes storage of the time of subscription and confirmation as well as the IP address. Changes to your data stored with the mailing provider are also logged.
- Mailing provider: The newsletter is mailed by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede (hereinafter, the “mailing provider”). You can view the mailing provider’s data protection provisions here: https: //www.cleverreach.com/de/datenschutz/
- In addition, the mailing provider states that it may use these data in pseudonymous form, i.e. without attribution to a user, for the purposes of optimising or improving its own services, e.g. for technical optimisation of the mailing and displaying the newsletter or for statistical purposes in order to determine the countries from which recipients come. However, the mailing provider does not use the data of our newsletter recipients to contact them directly or to disclose them to third parties.
- Subscription data: In order to subscribe to the newsletter, it is sufficient if you provide your email address. We ask that you voluntarily provide a name for the purpose of personally addressing the newsletter.
- Success measurement – The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is accessed by the mailing provider’s server when the newsletter is opened. In connection with this access, technical information is first collected, such as information about the browser and your system, as well as your IP address and time of access. This information is used for the purposes of technically improving the services on the basis of the technical data or the target groups and your reader behaviour on the basis of your location of access (which can be determined with the aid of the IP address). The statistical data collected also include the determination of whether the newsletters are opened, when they are opened and which links are clicked on. Although this information may for technical reasons be allocated to individual newsletter recipients, it not our intention nor that of the mailing provider to monitor individual users. Rather we use the assessments to identify the reading habits of our users and to modify our content to conform to them or to send different content in accordance with the interests of our users.
- The sending of the newsletter and success measurement take place on the basis of a consent by recipients pursuant to Articles 6(1)(a) and 7 GDPR in conjunction with section 7 (2) of the German Act Against Unfair Competition (UWG) or, as the case may be, on the basis of statutory permission pursuant to section 7 (3) UWG.
- The logging of the subscription procedure takes place on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR and is used to demonstrate consent to the receipt of the newsletter.
- Unsubscribing/revocation – You may unsubscribe from our newsletter at any time, i.e. revoke your consent. You can find a link for unsubscribing to the newsletter at the end of each newsletter. If users subscribed only to the newsletter and have cancelled this subscription, their personal data are erased.
- Embedding of services and third-party content
- On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website within the meaning of Article 6(1)(f) GDPR), we use content or service offers of third-party providers on our website in order to embed their content and services, such as videos or fonts (hereinafter collectively referred to as the “content”). This always presupposes that the third-party providers of such content detect the IP addresses of users, since without the IP address they could not send the content to their browser. Thus, the IP address is necessary for displaying such content. We make an effort to only utilise content for which the relevant provider uses the IP address merely to deliver the content. In addition, third-party providers may use so-called pixel tags (invisible images, also called “web beacons”) for statistical or marketing purposes. The pixel tags enable the evaluation of information, such as visitor traffic to the pages of this website. Furthermore, the pseudonymous information may be stored in cookies on the device of users and may contain, inter alia, technical information about the browser and operating system, referring websites, visit time and other information about the use of our website, as well as be associated with such information from other sources.
- The following depiction offers an overview of third-party providers and their content, together with links to their data protection policies, which contain further information about the processing of data and, in some cases, abilities to object (so-called opt-out):
- External fonts of Google, LLC, https: //www.google.com/fonts (“Google Fonts”). Google Fonts are embedded when Google’s server is accessed (normally, in the U.S.). Data protection policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
- Maps of the service “Google Maps” of the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. Data protection policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
- Videos of the platform “YouTube” of the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. Data protection policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.