The controller within the meaning of data protection legislation is Hanseatische Waren Handelsgesellschaft mbH & Co. KG, Bremen, Federal Republic of Germany (“HWH”).
We use this Data Protection Policy to inform you (also referred to in the following as the “user” or the “data subject”) in general terms about data processing at HWH and specifically about data processing when you access our website and contact us by email or telephone. We also provide you with information about our online presence in social media and about your rights with regard to the processing of your data. Please note that the terms “data processing” or “processing” used in this Data Protection Policy always refer to the processing of personal data.
1. General data processing policy
1.1 Categories of personal data
We process the following categories of personal data:
- basic data (e.g., names, addresses, functions, organizational affiliation, etc.);
- contact data (e.g., email, telephone/fax numbers, etc.);
- content data (e.g., text entries, image files, videos etc.);
- usage data (e.g., access data);
- meta/communication data (e.g., IP addresses).
1.2 Recipients or categories of recipients of personal data
If we disclose data to other persons and entities such as web hosting services, processors, or third parties in the course of our processing, provide it to them or otherwise grant them access to the data, we do this to the extent permitted by law (e.g., if data has to be provided to third parties in order to perform a contract pursuant to point (b) of Article 6(1) of the European General Data Protection Regulation [Regulation (EU) 2016/79 of April 27, 2016 – “GDPR”]), if the data subjects have given consent, or this is necessary for compliance with a legal obligation.
1.3 Storage period for personal data
The period for storing your personal data is the relevant statutory storage period. The data will be erased after this period has expired unless it is needed for achieving a purpose, performing a contract, or initiating a contract.
1.4 Transfers to third countries
If we process data in a third country (meaning a country outside the European Union (EU) or the European Economic Area (EEA)) or this happens when we use the services or third parties or disclose or transfer data to third parties, we will only do so to comply with our (pre-)contractual obligations, based on your consent, because of a legal obligation, or on the basis of our legitimate interests. Subject to statutory or contractual authorization, we will only process data or have it processed in a third country if the specific conditions set out in Article 44 et seq. of the GDPR are met, i.e., processing is subject to special safeguards such as an officially recognized level of data protection that is equivalent to EU standards (e.g., the Privacy Shield for the U.S.A.) or compliance with officially recognized specific contractual clauses (so-called “standard contractual clauses“).
2. Data processing when you visit our website
2.1 Log files
Whenever a data subject accesses our website, general data and information are stored in our system’s log files:
- the date and time of access (time stamp);
- request details and target address (protocol version, HTTP method, referrer, user agent string);
- the name of the accessed file and the data volume transferred (requested URL including query string, size in bytes);
- a message whether the retrieval was successful (HTTP status code).
We are not able to identify the data subject when we use this general data and information. We do not analyze personally identifiable data, and we do not analyze data for marketing purposes or profiling. The IP address is not stored in this context.
The legal basis for temporary storage of the data is point (f) of Article 6(1) of the GDPR. Reliable operation of our website requires to record data to provide the website and to store data in log files. The data subject cannot object to this.
2.2 Detecting malware and analyzing log data
We collect log data generated when communication systems of HWH are used and analyze it automatically where this is necessary to detect, limit, or rectify communication system malfunctions or errors or to defend against attacks on our information technology systems, or to detect and defend against malware.
The legal basis for temporary storage and analysis of the data is point (f) of Article 6(1) of the GDPR. Storage and analysis of the data is essential so that we can provide and reliably operate the website. Therefore, the data subject cannot object to this.
We use hosting services to provide the following capabilities: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use to operate our website.
We and/or our processors use basic data, contact data, content data, contract data, usage data, meta data, and communication data of users of our website because of our legitimate interest in ensuring the efficient and reliable provision of this online offering pursuant to point (f) of Article 6(1) of the GDPR in conjunction with Article 28 of the GDPR (contract with a processor).
3. Data processing when you contact us
3.1 Email contact
You can contact HWH by email using the email addresses published on our website.
If you contact us by email, we will store the data you provide (e.g., first and last names, address), or as a minimum your email address as well as the information contained in the email and any personal data you provide, so that we can contact you and deal with your request. The following data will also be collected by our system:
- the IP address of the computer accessing our system;
- the date and time of the email.
The legal basis for processing personal data relating to emails we receive is point (b) and point (f) of Article 6(1) of the GDPR.
3.2 Contacting us by letter and fax
If you send us a letter or a fax, we will store the data you provide (e.g., first and last names, address), the information contained in the letter or fax, and any personal data you provide so that we can contact you and deal with your request.
The legal basis for processing personal data relating to letters and faxes we receive is point (b) and point (f) of Article 6(1) of the GDPR.
4. Online presence in social media
We maintain an online presence in a number of social networks to inform active social media users about our services and to communicate with them on the platforms if they are interested. In some cases, it may only be possible to access our social media channels using an external link. As soon as you access the relevant social media profiles in the network in question, the terms and conditions and data protection policy of that network’s operator will apply.
We have no influence on the collection of data and its subsequent use by social networks. We have no knowledge of the extent to which data is collected, where and for how long it is stored, the extent to which the networks comply with existing obligations to erase data, how the data is analyzed and linked, and to whom the data is transferred. We wish to expressly draw attention to the fact that your data (e.g., personal information, IP address) will be stored by the operators of the networks in accordance with their data protection policies and used for commercial purposes.
We process data with regard to our social media presence to the extent that comments or direct messages are sent to us via our social media presence. The legal basis for processing data following the consent of the user is point (a) of Article 6(1) of the GDPR.
5. Your rights
As a data subject, you have the following rights in connection with the processing of your personal data:
5.1 Right of access
(1) The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, if that is the case, access to that personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data is not collected from the data subject, any available information as to its source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(2) Where personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
5.2 Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed – including by means of providing a supplementary statement.
5.3 Right to erasure
(1) The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
d) the personal data has been unlawfully processed;
e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
(2) Where the controller has made the personal data public and is obliged pursuant to paragraph (1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
(3) Paragraphs (1) and (2) do not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
d) for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise, or defense of legal claims.
5.4 Right to restriction of processing
(1) The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defense of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
(2) Where processing has been restricted under paragraph (1), such personal data may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
5.5 Right to data portability
(1) The data subject has the right to receive the personal data concerning him or her that he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
b) the processing is carried out by automated means.
(2) In exercising his or her right to data portability pursuant to paragraph (1), the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The right referred to in paragraph (1) must not adversely affect the rights and freedoms of others.
That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
5.6 Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her that is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
5.7 Right to withdraw consent
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5.8 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.