Data Processing Controller
Email address: firstname.lastname@example.org
Managing directors: Sue Giers, Vanessa Gieser
Link to imprint: www.so-sue.com/impressum/
Types of data processed
- Core data (e.g. names and addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text entries, photos, videos).
- Usage data (e.g. websites visited, interest in content, access times).
- Meta/communication data (e.g. device information and IP addresses).
Categories of data subjects
Visitors and users of the online offer (hereinafter we refer to these data subjects as “users”).
Purpose of the processing
- Providing the online offer, its functions and contents.
- Answering contact requests and communicating with users.
- Security measures.
- Reach measurement/Marketing.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); a natural person is regarded as identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie), or to one or more special features that are the expression of the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.
“Processing” means any operation performed on personal data, with or without the aid of automated procedures, or any series of such operations. The term is far reaching and includes virtually all handling of data.
“Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without additional information being provided, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data are not assigned to an identified or identifiable natural person.
“Profiling” means any kind of automated processing of personal data which involves the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to job performance, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts, or relocation of that natural person.
“Controller” means the natural or legal person, authority, or institution which, alone or together with others, decides on the purposes and means of processing personal data.
“Processor” means a natural or legal person, authority, or institution that processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Article 32 of the GDPR, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we undertake technical and organizational measures to ensure a level of protection appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data as well as access to, input, disclosure, availability, and separation of the data. In addition, we have established procedures to ensure the implementation of data subject rights, the deletion of data, and the response to threats to data. Furthermore, we consider the protection of personal data already in the development or selection of hardware, software, and procedures, according to the principle of data protection through technology design and privacy-friendly default settings (Article 25 of the GDPR).
Collaboration with processors and third parties
Insofar as we, in the context of our processing, disclose data to other persons and companies (processors or third parties), transmit to them, or otherwise grant access to the data, this may only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties is required by payment service providers, pursuant to Article 6 para. 1 lit. b of the GDPR to fulfill the contract), if you have consented, if it is a legal obligation, or if it is on the basis of our legitimate interests (e.g. the use of agents, webhosts, etc.).
Insofar as we commission third parties to process data on the basis of what is known as an “order processing contract,” this is done on the basis of Article 28 of the GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of the use of third party services or disclosure or transmission of data to third parties, this will only be done if it is to fulfill our (pre) contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of the special requirements of Article 44 ff. of the GDPR. This means that the processing takes place for example on the basis of specific guarantees, such as the officially recognized level of data protection (e.g. for the US through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (what are known as “standard contractual clauses”).
Rights of data subjects
You have the right to request a confirmation as to whether the data in question are being processed and request information about these data as well as further information and a copy of the data in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you have the right to demand the completion of the data concerning you or the correction of the incorrect data concerning you.
In accordance with Article 17 of the GDPR, you have the right to demand that the relevant data be deleted without delay, or, alternatively, to require a restriction of the processing of data in accordance with Article 18 of the GDPR.
You have the right to receive the data relating to you, which you have provided to us, in accordance with Article 20 of the GDPR and to request its transmission to other controllers.
You also have the right in accordance with Article 77 of the GDPR to file a complaint with the competent supervisory authority.
Right to withdraw
You have the right to withdraw consent given in accordance with Article 7 para. 3 of the GDPR with effect for the future.
Right to object
You may at any time object to the future processing of your data in accordance with Article 21 of the GDPR. The objection in particular may be made against processing for direct marketing purposes.
Cookies and the right to object to direct advertising
“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie serves primarily to store the information about a user (or the device on which the cookie is stored) during or after the visit to an online offer. Temporary cookies, also called “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online service and closes their browser. Such a cookie stores, for example, the contents of a shopping cart at an online store or a login status. “Permanent” or “persistent” cookies are cookies that remain stored even after the browser has been closed. Accordingly, for example, the login status will still be saved if users return to the site after several days. Likewise, the interests of the users can be stored in such a cookie and used for reach measurement or marketing purposes. A “third-party cookie” refers to cookies that are offered by providers other than the person responsible for providing the online offer (otherwise, if only their own cookies are involved, they are called “first-party cookies”).
Deletion of data
According to legal requirements in Germany, the storage takes place in particular for 10 years according to section 147 (1) of the AO [German Revenue Code] and section 257 (1) Nos. 1 and 4, (4) of the HGB [German Commercial Code] (books, records, management reports, accounting documents, trading books, taxation-related documents, etc.) and for 6 years in accordance with section 257 (1) Nos. 2 and 3, (4) of the HGB [German Commercial Code] (commercial letters).
According to legal regulations in Austria, the storage takes place in particular for 7 years in accordance with section 132 (1) of the BAO [Federal Taxation Regulations] (accounting documents, receipts/invoices, accounts, statements, business papers, statements of income and expenses, etc.), for 22 years in connection with State, and for 10 years in the case of documents related to electronically supplied services, telecommunications, broadcasting and television services provided to non-EU companies in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
Additionally, we process
- Contract data (e.g., subject, term, customer category).
- Payment data (e.g., bank details, payment history).
of our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
Order processing in the online shop and customer account
We process the data of our customers as part of the ordering process in our online shop to allow them to select and order the selected products and services, as well as their payment and delivery or performance.
The processed data include inventory data, communication data, contract data and payment data; the data subjects affected by the processing are our customers, interested parties and other business partners. Processing is for the purpose of providing contractual services in the context of operating an online shop, billing, delivery and customer service. We use session cookies to store the shopping cart contents and permanent cookies for the storage of the login status.
The processing is based on Article 6 para. 1 lit. b (performance of order transactions) and c (legally required archiving) of the GDPR. The information marked as mandatory for the establishment and fulfillment of the contract is required. We disclose the data to third parties only in the context of delivery, payment or in the context of legal permissions and obligations to legal advisors and authorities. The data are processed in third countries only if it is necessary for the fulfillment of the contract (for example, at the customer's request regarding delivery or payment).
Users can optionally create a user account, in particular to be able to view their orders. As part of the registration, the required mandatory information will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have cancelled their user account, their data will be deleted with regard to the user account, subject to their retention for commercial or tax law reasons according to Article 6 para. 1 lit. c of the GDPR. Data in the customer's account remains until its deletion, with subsequent archiving in the case of a legal obligation. It is the responsibility of the users to save their data upon termination prior to the end of the contract.
As part of the registration and re-registration and use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the interests of the user in the protection against misuse and other unauthorized use. A transfer of these data to third parties does not take place, unless it is required to pursue our claims or there is a legal obligation in accordance with Article 6 para. 1 lit. c of the GDPR.
The deletion takes place after expiration of legal warranty and comparable obligations; the necessity of storing the data is checked every three years. In the case of legal archiving obligations, the deletion takes place after the expiry of the retention obligation under commercial law (6 years) and tax law (10 years).
External payment service providers
As part of the fulfillment of contracts, we include the payment service providers on the basis of Article 6 para. 1 lit. b of the GDPR. For the rest, we use external payment service providers on the basis of our legitimate interests pursuant to Article 6 para. 1 lit. b of the GDPR in order to offer our users effective and secure payment options.
For the payment transactions, the terms and conditions and the privacy policies of the respective payment service providers apply, which are available on the respective websites or in the transaction applications. We also refer to these for further information and for asserting rights of withdrawal, rights to information and other data subject rights.
Administration, financial accounting, office organization, contact management
We process data in the context of administrative tasks and organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of rendering our contractual services. The legal bases for the processing are Article 6 para. 1 lit. c of the GDPR and Article 6 para. 1 lit. f of the GDPR. The processing affects customers, interested parties, business partners, and website visitors. The purpose and interest in processing lies in administration, financial accounting, office organization and data archiving, that is, tasks that serve to maintain our business, perform our duties, and provide our services. The deletion of the data with regard to contractual services and contractual communication corresponds to the information provided for these processing activities.
We disclose or transmit data to financial administration, consultants, such as tax accountants or auditors, and other fee agents and payment service providers.
Furthermore, based on our business interests, we store information about suppliers, operators, and other business partners, e.g. for later contact. We generally store the majority of company-related data permanently.
Business analysis and market research
In order to operate our business economically and to be able to recognize market trends and the wishes of contracting parties and users, we analyze the available data on business transactions, contracts, inquiries, etc. We process stock data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6 para. 1 lit. f of the GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.
The analyses are carried out for the purpose of business analysis, marketing and market research. In doing so, we can enrich the profiles of registered users with information, e.g. taking into account the services they have used. The analyses serve to increase user-friendliness, to optimize our offer and to operate the business economically. The analyses are for us alone and will not be disclosed externally unless they are anonymous analyses with aggregated values.
Insofar as these analyses or profiles are personal, they will be deleted or anonymized upon termination by the users, otherwise two years after the conclusion of the contract. For the rest, the overall business analyses and general trend determinations are created anonymously wherever possible.
Participation in Affiliate programs
Within our online offer, on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economical operation of our online offer) pursuant to Article 6 para. 1 lit. f of the GDPR, we implement industry-standard tracking measures, as far as these are necessary for the operation of the affiliate system. Below we clarify the technical background for the users.
The services offered by our contractual partners can also be advertised and linked to other websites (so-called affiliate links or after-buy systems, if, for example, links or services of third parties are offered after the conclusion of a contract). The operators of the respective websites receive a commission if users follow the affiliate links and then take advantage of the offers.
To this end, our online offer requires us to be able to keep track of whether users who are interested in affiliate links and/or the offers available through us then take advantage of the offers via the affiliate links or on our online platform. For this purpose, the affiliate links and our offers are supplemented by certain values that are part of the link or can otherwise be set, for example in a cookie. The values include, in particular, the source website (referrer), time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as Ad ID, affiliate ID, and categorizations.
The online user IDs used by us are pseudonymous values. That means the online identifiers themselves do not contain personal data such as names or email addresses. They only help us determine whether the same user who clicked on an affiliate link or was interested in an offer through our online offer has obtained the offer, i.e. has concluded a contract with the provider. However, the online identifiers are personal data insofar as the partner company and we too hold the online identifier together with other user data. Only in this way can the partner company tell us whether the user has taken up the offer so that, for example, we can pay the bonus.
Users can create a user account. As part of the registration, the required mandatory information is communicated to the users and based on Article 6 para. 1 lit. b of the GDPR is processed for purposes of establishing the user account. The processed data include in particular the login information (name, password and an email address). The data entered during registration will be used for the purpose of using the user account and fulfilling its purpose.
Users may be informed by email about information relevant to their user account, e.g. technical changes. If users have terminated their user account, their data will be deleted with respect to the user account, subject to a statutory retention requirement. It is the responsibility of the users to save their data upon termination prior to the end of the contract. We are entitled to delete irretrievably all user data stored during the term of the contract.
In the context of the use of our registration and login functions as well as the use of the user account, the IP address and the time of the respective user action will be stored. The storage is based on our legitimate interests, as well as the interests of the user in the protection against misuse and other unauthorized use. A transfer of these data to third parties does not take place, unless it is required to pursue our claims or there is a legal obligation in accordance with Article 6 para. 1 lit. c of the GDPR. The IP addresses will be anonymized or deleted after 7 days at the latest.
Comments and posts
If users leave comments or other posts, their IP addresses will be stored for 7 days based on our legitimate interests within the meaning of Article 6 para. 1 lit. f. of the GDPR. This is for our own security, in case someone includes illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we may be sued for the comment or post and are therefore interested in the identity of the author.
Furthermore, we reserve the right, in accordance with our legitimate interests pursuant to Article 6 para. 1 lit. f. of the GDPR to process the information of users for the purpose of spam detection.
The data provided in the comments and posts are stored by us permanently until the users object.
The follow-up comments by users can be subscribed with their consent pursuant to Article 6 para. 1 lit. a of the GDPR. Users will receive a confirmation email to verify that they own the email address they entered. Users can unsubscribe from ongoing comment subscriptions at any time. The confirmation email will contain notes on the withdrawal options. For the purpose of proving the consent of the users, we save the registration time together with the IP address of the users and delete this information when users unsubscribe from the subscription.
You can cancel receipt of our subscriptions at any time, i.e. revoke your consent. We can save the submitted email addresses for up to three years based on our legitimate interests before we delete them, in order to prove previously given consent. The processing of these data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that at the same time the previous existence of consent is confirmed.
When contacting us (for example, by means of contact form, email, telephone or via social media), the data of the user are processed in order to handle the contact request and its settlement pursuant to Article 6 para. 1 lit. b of the GDPR. User information can be stored in a Customer Relationship Management System (“CRM System”) or comparable request organization system.
We delete the requests if they are no longer required. We check the requirement every two years; furthermore, the legal archiving obligations apply.
The following notes are about our newsletter, its content and procedures regarding registration, distribution and statistical evaluation as well as explaining your right to objection. By subscribing to our newsletter, you agree to receive the newsletter and the related procedures for its distribution, etc.
Newsletter content: We send newsletters, emails and other electronic notifications containing advertising information (hereinafter referred to as “newsletters”) only with the express consent of recipients or with statutory permission. Insofar as the content of a newsletter is specifically described in the context of the registration for the newsletter, it is decisive for the consent of the user. For the rest, our newsletter contains information about our services and us.
Double opt-in and logging: Registering for our newsletter takes place via a double opt-in procedure. This means that you will receive an email requesting confirmation of your subscription. The confirmation is required to ensure that no one else can subscribe using your email address. A record of subscriptions to the newsletter is kept to fulfil the legal requirements for recording the subscription process. The record contains the time of subscription and confirmation as well as the relevant IP address. Any changes to the data registered with the service provider sending the newsletter will also be recorded.
Registration data: To subscribe to the newsletter, simply enter your email address. Optionally, we ask you to give a name in the newsletter to address you personally.
The sending of the newsletter and the related success measurement are based on the consent of the recipient pursuant to Article 6 para. 1 lit. a, Article 7 of the GDPR in conjunction with § 7 para. 2 No. 3 of the German Fair Trade Practices Act (UWG) or, if consent is not required, based on our legitimate interests in direct marketing pursuant to Article 6 para. 1 lit. f of the GDPR in conjunction with § 7 para. 3 of the German Fair Trade Practices Act.
The logging of the registration process is based on our legitimate interests pursuant to Article 6 para. 1 lit. f of the GDPR. Our interest is to implement a user-friendly and secure newsletter system that serves our business interests as well as meeting the expectations of users and allows us to prove the consent given.
Cancellation/withdrawal: You can cancel your subscription to our newsletter at any time by withdrawing your consent to receive it. You will find an unsubscribe link at the end of each newsletter. We can save the submitted email addresses for up to three years based on our legitimate interests before we delete them, in order to prove previously given consent. The processing of these data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that at the same time the previous existence of consent is confirmed.
Newsletter - Mailchimp
The distribution service provider may retrieve the data of the recipients in pseudonymous form, i.e. without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of sending and the presentation of newsletters or for statistical purposes. However, the distribution service provider does not use the data of our newsletter recipients to address them itself or to pass the data on to third parties.
Newsletter - Measurement of success
The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server, or from the server of the distribution service provider if we use one, when the newsletter is opened. During this retrieval, technical information such as your browser and operating system, as well as your IP address and the time of the retrieval, are collected.
This information is used for the technical improvement of the service, as technical data or target group data can be analyzed according to reading behavior, download locations (identifiable through IP addresses) or download times. Statistical data collection also includes an analysis of when the newsletters are opened and which links are clicked. Although this information technically allows the tracking of individual newsletter recipients, it is neither our intention nor, if used, that of the distribution service provider to observe individual users. Data analysis is used to recognize patterns in the reading behavior of users, and to adapt contents accordingly or send different content according to the interests of our users.
A separate revocation of the measurement of success is unfortunately not possible; in this case, the entire newsletter subscription must be terminated.
Hosting and email sending
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, email delivery, security and technical maintenance services which we implement to operate this online offer.
In doing so, we or our hosting provider process stock data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Article 6 para. 1 lit. f of the GDPR in conjunction with Article 28 of the GDPR (Conclusion of contract processing contract).
Collection of access data and log files
We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Article 6 para. 1 lit. f of the GDPR. Access data include the name of the requested website or file, date and time of access, amount of data transferred, notification of whether the site was successfully retrieved, browser type and version, the user's operating system, the referrer URL (the site visited before coming to our site), the user's IP address, and the requesting internet service provider.
Logfile information is stored for security reasons (for example, to investigate abusive or fraudulent activities) for a maximum of 7 days and is then deleted. Data whose further storage is required for evidential purposes are excluded from the erasure until the final clarification of the incident.
This website uses Squarespace Metrics, a web analytics service provided by Squarespace, Inc. (“Squarespace”).
The tracking of IP addresses in Squarespace Analytics has been disabled for the website contentessa.at.
More information: https://de.squarespace.com/privacy/
Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services related to the use of this online offer and the internet usage. Pseudonymous usage profiles of users may be created from the data processed in this respect.
We use Google Analytics only with activated IP anonymization. This means that the IP address of the user is shortened by Google within the member states of the European Union or in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the US and truncated there.
The personal data of users will be deleted or anonymized after 14 months.
In addition or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our pages by clicking this link. This will save an opt-out cookie onto your device. This will prevent the collection of data by Google Analytics for this website and for this browser for as long as the cookie remains installed in your browser.
Google Adsense with personalized ads
We use the services of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online service within the meaning of Article 6 para. 1 lit. f of the GDPR).
Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the AdSense service, which allows ads to appear on our website and rewards us for their display or other use. For these purposes, usage data, such as the click on an ad and the IP address of the users, are processed, whereby the IP address is shortened by the last two places. Therefore, the processing of the data of the users is pseudonymized.
We use Google AdSense with personalized ads. In doing so, Google draws conclusions about users' interests on the basis of the websites visited or apps used by users and the user profiles created. Advertisers use this information to align their campaigns with these interests, which benefits users and advertisers alike. For Google, ads are personalized when collected or known data determines or influences ad selection. These include previous searches, activities, website visits, apps, demographics, and location information. Specifically, this includes demographic targeting, interest category targeting, remarketing, and targeting of customer matching lists and audience lists uploaded to DoubleClick Bid Manager or Campaign Manager.
Online presence in social media
We maintain online presence within social networks and platforms in order to communicate with customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Integration of third-party services and content
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Article 6 para. 1 lit. f of the GDPR), we make use of content or services offered by third-party providers in order to provide their content and services, such as including videos or fonts (hereinafter referred to collectively as “content”).
This always presupposes that the third-party providers of this content receive the IP address of the users, since they could not send the content to the users' browser without the IP address. The IP address is therefore necessary to display this content. We endeavor to use only content whose respective providers use the IP address only for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information, such as visitor traffic, on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include, but is not limited to, technical information about the browser and operating system, referring web pages, time of visit, and other information regarding the use of our online offer.
Typekit fonts from Adobe
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Article 6 para. 1 lit. f of the GDPR), we implement external Typekit fonts of the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).
Within our online offer, features and content of the Twitter service offered by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be incorporated. This may include content such as images, videos or text, as well as buttons that allow users to share content from this online offer within Twitter.