Hama GmbH & Co KG
Dresdner Straße 9
Phone.: +49 9091 502-0
Place of Business - D-86653 Monheim, Dresdner Str. 9
Commercial Register - County Court Augsburg A 12159
Managing Director: Christoph Thomas, Christian Sokcevic
We only process our users’ personal data to the extent necessary for the provision of a functionalwebsite as well as the provision of our content and services. In general, we only process our users’ personal data with the users’ consent. One exception is in cases when it is not possible to obtain the user’s consent in advance for practical reasons and the company is permitted to process this data within the scope of the law.
When consent has been obtained from the data subject for the processing operations for the processing of personal data, point (a) of Article 6(1) of the EC General Data Protection Regulation (GDPR) serves as the legal basis.
When the processing of personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Article 6(1) of the GDPR serves as the legal basis. This also applies for processing operations that are required in order to take the necessary steps prior to entering into a contract.
When the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, point (c) of Article 6(1) of the GDPR serves as the legal basis.
When processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Article 6(1) of the GDPR serves as the legal basis.
If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, then point (f) of Article 6(1) of the GDPR serves as the legal basis for the processing.
The personal data of the data subject is deleted or made unavailable to users once the purpose of the storage of the data no longer applies. Furthermore, data may also be stored if this storage is permitted by the European or national legislative authorities in EU regulations, laws or other guidelines that the controller is subject to. Data is also deleted or made unavailable to users once the storage period defined by the specified norms elapses as long as continued storage of the data is not required in order to conclude or perform a contract.
Every time our website is accessed, our system automatically records data and information from the system of the computer that is being used to access the website.
We use our website to collect personal data, e.g. your name and address or e-mail address, that you voluntarily provide us with in the form of entries made in contact forms or data entered for newsletter subscriptions. We store and use this data in order to process your requests and orders, maintain your customer account, or to provide you with access to specific information. We do not share this confidentialinformation with third parties.
Furthermore, information is automatically collected that is not assigned to a specific person (e.g. the IP address currently being used by your end device, the browser and operating system used to access the website, the date and time the website was accessed, the number of visits, average time spent on the website, pages accessed). We use this information to determine the appeal of our website and improve its functions and content.
This data is also stored in our system’s log files. This data is not stored together with the user’s other personal data.
The legal basis for the temporary storage of data and log files is point (f) of Article 6(1) of the GDPR.
The system must temporarily store the IP address so that it can transmit the website to the user’s computer. In order to do this, the user’s IP address must be stored during the entire session.
The IP address is then saved in a log file in order to ensure that the website works properly. Furthermore, we use this information to optimise our website and ensure that our information technology systems are secure. The data saved for these reasons is not used for marketing purposes.
These purposes also constitute legitimate interests within the scope of point (f) of Article 6(1) of the GDPR.
Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the data recorded for the provision of the website, this is the case as soon as the session in question ends.
Data saved in the log files is deleted after 30 days. It is possible that data could be stored for longer than 30 days. In this case, the IP address of the user is deleted or anonymised so that it is no longer possible to associate it with the client that accessed the website.
The collection of data required for the provision of the website and the storage of data in log files is essential in order to operate the website. For this reason, the user cannot opt out.
This website uses two different types of cookies:
Persistent cookies are stored on your computer and stay there until they expire or are deleted. Closing your browser does not delete these cookies.
Session cookies are generated every time you visit one of our website pages. A session cookie is automatically deleted when you close your browser. All of the information saved in the cookie file is also deleted then.
With cookies, it is impossible to download personal information from the user’s computer on which the cookies are saved.
Tracking cookies collect data about how the user uses the websites that he or she accesses.
Cookies store information about the way the website is used in terms of the history, favourite content and personal settings.
Third-party cookies make it possible to exchange data with third-party websites.
Advertising cookies make it possible to show the user personalised advertising.
The user must give their consent to allow cookies to store information on their computer and allow the information stored in those cookies to be retrieved. This consent is given via the cookie settings in the user’s installed browser. Every Internet browser automatically has cookies enabled as standard. To this effect, we ask that our customers check their browser settings and, if necessary, change the settings to enable cookies.
The legal basis for the processing of personal data using the technically required cookies is point (f) of Article 6(1) of the GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes with the consent of the user is point (a) of Article 6(1) of the GDPR.
The user data recorded by technically required cookies is not used to create user profiles. Analysis cookies are used for the purpose of improving the quality of our website and its content. The analysis cookies tell us how the website is used. These purposes also constitute legitimate interests for the processing personal data within the scope of point (f) of Article 6(1) of the GDPR.
Our website contains contact forms that can be used to contact us electronically. If a user takes advantage of this opportunity, we will record and store the data that they enter into the fields of the form. The personal data that is transmitted in this way is determined by the fields in the form.
Furthermore, when the user sends a message, the following data is also saved:
The user’s IP address; however this information is masked by a byte
The date and time the user registered
Alternatively, the user can also contact us by writing an e-mail to the e-mail address provided. In this case, the user’s personal data that is transmitted with the e-mail will be saved.
The data collected in this way is not passed on to third parties. The data is only used to process the user’s e-mail.
The legal basis for the processing of data with the consent of the user is point (a) of Article 6(1) of the GDPR.
The legal basis for the processing of the data that is transmitted when the user sends an e-mail is point (f) of Article 6(1) of the GDPR. If the purpose of the e-mail is to conclude a contract, then the additional legal basis for the processing is point (b) of Article 6(1) of the GDPR.
We only process the personal data included in the contact form to process the user’s message. If the user contacts us via e-mail, this also constitutes a legitimate interest in the processing of the data. Any other personal data processed during the sending operation is used to prevent third parties from misusing the contact form and to ensure the security of our information technology systems.
Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the personal data from the fields in the contact form and the personal data that is sent via e-mail, this is the case when the conversation in question with the user comes to an end. The conversation ends when it is clear from the circumstances that the issue in question has been clarified conclusively.
The user has the option at any time to revoke his or her consent to the processing of his or her personal data. If the user writes us an e-mail, he or she can object to the storage of his or her personal data at any time. Furthermore, the user can contact one of our employees at any time. In this case, the conversation cannot be continued.
All personal data that is stored during the course of the user contacting us will be deleted in this case.
We use the open-source software tool Matomo (formerly PIWIK) on our website to analyse the surfing patterns of our users. The software saves a cookie in the user’s browser (for more information on cookies, see above). When a user accesses individual pages on our website, the following data is stored:
A byte of the IP address of the system the user is using to access the website
The website accessed
The website that referred the user to the website accessed (referrer)
The sub-pages that the user accesses from the accessed website
The amount of time spent on the website
The frequency with which the user accesses the website
The software runs solely on our website’s servers. The user’s personal data is not saved on these servers. The data is not passed on to third parties.
The software is set up so that IP addresses are not saved in full but rather two bytes of the IP addresses are masked (e.g.: 192.168.001.xxx). This masking means it is no longer possible to allocate the abbreviated IP address to the computer that accessed the website.
The legal basis for the processing of the user’s personal data is point (f) of Article 6(1) of the GDPR.
Processing the user’s personal data allows us to analyse the user’s surfing patterns and behaviour. By evaluating the data we obtain, we are able to compile information about the way the various components of our website are used. This helps us to continuously improve our website and make it more userfriendly. These purposes also constitute legitimate interests for the processing of personal data within the scope of point (f) of Article 6(1) of the GDPR. By anonymising the IP address, we sufficiently take into account the interests of the user regarding the protection of their personal data.
The data is deleted as soon as it is no longer required for our purposes.
When your personal data is processed, then you are a data subject as defined in the GDPR and you have the following rights vis-à-vis the controller:
You have the right to obtain confirmation from the controller as to whether or not we are processing any personal data which concerns you.
Where this is the case, you also have the right to access the following information from the controller:
the purposes for which the personal data is being processed
the categories of personal data being processed
the recipients or categories of recipient to whom the personal data has been or will be disclosed
the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
the right to lodge a complaint with a supervisory authority
where the personal data is not collected from the data subject, any available information as to the source
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed if your personal data is to be transferred to a third country or to an international organisation. Where this is the case, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
You have the right to obtain the rectification of inaccurate personal data from the controller in the event that the personal data being processed that concerns you is incorrect or incomplete. The controller must rectify the data without undue delay.
You have the right to obtain restriction of processing of the personal data that concerns you where one of the following applies:
you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where the processing of your personal data has been restricted, such personal data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the grounds listed above, you will be informed by the controller before the restriction of processing is lifted.
You have the right to obtain the erasure of personal data concerning you without undue delay, and the controller is obligated to erase this personal data without undue delay where one of the following grounds applies:
the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
you withdraw the consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing
you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR
the personal data concerning you has been unlawfully processed
the personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
the personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform the controllers who are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
The right to erasure does not apply to the extent that processing is necessary
for exercising the right of freedom of expression and information
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
If you exercise your right of rectification, to erasure or to restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to be informed about those recipients by the controller upon request.
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:
the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
the processing is carried out by automated means.
In exercising your right to data portability, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be affected by the exercise of this right.
The right of data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications.
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. However, this does not apply if the decision:
is necessary for entering into or performance of a contract between you and the controller
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your express consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to above in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
Our website uses Facebook components. Facebook is a social network. Facebook is a service of Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for the processing of personal data from persons in Europe. You can recognise the plugins by the use of the Facebook logo. For more information on all Facebook plugins, go to: https://developers.facebook.com/docs/plugins/. The plugin creates a direct connection between your browser and the Facebook servers. We have no influence on the nature and the scope of the data that the plugin transmits to the Facebook Inc. server. You can find more information on this here: https://www:facebook.comihelb/186325668085084 The plugin informs Facebook Inc. that you are a user of our website. It is possible that the plugin will save your IP address. If you are logged in to your Facebook account while you visit the website, the information specified will be linked to your account. If you use the functions of the plugin – for example, by sharing or liking an entry – the corresponding information will also be transferred to Facebook Inc. If you would like to prevent Facebook Inc. from linking this data to your Facebook account, please log out of Facebook before visiting our website.
Our website uses the G+ button from Google Plus. This plugin is operated by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). If you visit a website that includes the G+ button, a direct connection will be created between your browser and the Google servers. We have no influence on the nature or scope of the data that the plugin transfers to the Google Inc. servers. If you click the G+ button while you are logged in to Google Plus, you will share the content of the page on your public profile. According to Google Inc., they do not collect any personal data from you until you click the button. If you are a logged-in Google user, your IP address may be saved. If you would like to prevent Google Inc. from saving your data and linking it to your account, log out of Google before visiting our website. You can find more information on the “+1” button here: https://developers.p000le.com/+/web/buttonspolicy.
Our website uses the Twitter button. This button is operated by Twitter Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107, USA). If you visit a page that has this button, it will create a direct connection between your browser and the Twitter servers. We have no influence on the nature or scope of the data that the plugin transfers to the Twitter Inc. servers. According to Twitter Inc., they will only collect and save your IP address. For more information on how Twitter Inc. uses your personal data, click here: https://twitter.com/privacy?lang=en
Among other providers, we use YouTube to embed videos on our website. YouTube is operated by YouTube LLC, which is headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc., which is headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use plugins provided by YouTube on our website. If you access a page of our website on which one of these plugins is installed, the plugin will create a connection to the YouTube servers in order to display the plugin. As a result, the plugin tells the YouTube server which of our pages you visited. If you are logged in to your YouTube account, YouTube will allocate this information to your personal account. If you use the plugin, e.g. by clicking the start button of a video, this information is also allocated to your YouTube account. If you would like to prevent this information from being connected to your account, log out of your YouTube account as well as other accounts connected to the companies YouTube LLC and Google Inc. and delete the associated cookies before accessing our website. For more information about data processing and how YouTube (Google) protects your privacy, click here: www.google.de/intl/en/policies/privacy/.
Our website includes the Pinterest button from Pinterest Inc., 808 Brannan St, San Francisco, CA 94103, USA. This button transmits your IP address to Pinterest. If you are logged in to Pinterest in the same browser that you use to access our website, this information can be linked to your account. When you click the “Pin It” plugin, this information is also transmitted to Pinterest and published to your account. You can adjust your Pinterest privacy settings at http://pinterest.com/about/privacy/. If you do not consent to having your data sent to Pinterest, log out of Pinterest in the browser that you are using to visit our website.
The provision of personal data is legally required in some cases (e.g. in tax law) or is delineated in contractual provisions.
In order to conclude a contract, it may be necessary to provide us with personal data that we need to process for this purpose. Without the provision of this data, it may be impossible to conclude the contract.
For more information about the necessity of the provision of personal data with regards to a specific case, you can contact our employees at any time. Our employees will also inform you as to the possible consequences of the failure to provide this data.
Der Datenschutzbeauftragte des Verantwortlichen ist:
Hama GmbH & Co KG
Dresdner Str. 9