Phone +41 (0)27 948 43 48
Managing Director: Markus Burgener
Link to Imprint: http://www.jodernkellerei.ch/impressum/
Types of data processed:
- User data (e.g. names, addresses).
- Contact details (e.g. e-mail, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. websites visited, interest in content, access times).
- Metadata/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (hereinafter we will refer to data subjects collectively as "users").
Purpose of the processing
- Provision of the online offer, its functions and content.
- Responding to contact requests and communication with users.
- Security measures.
- Reach measurement/marketing.
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term has a broad scope and covers practically every way data are handled.
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Art. 32 GDPR and taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as their receipt, input and transmission, safeguarding their availability and ensuring their separation. Furthermore, we have established procedures to ensure that data subjects' rights are exercised, that data are deleted and that we respond to any threats to the data. We also take the protection of personal data into account in the development and selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer data to them or otherwise grant them access to the data, this is only done on the basis of a legal authorisation (e.g. if the data have to be transferred to third parties, such as payment service providers, in accordance with Art. 6 para. 1 letter b GDPR for the fulfilment of the contract), if you have given your consent, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties to process data on the basis of a "data processing agreement", this is done on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual authorisation, we process or arrange for the processing of the data in a third country only if the special conditions of Art. 44 ff. GDPR are in place. In other words, the processing is carried out on the basis of specific guarantees, such as the officially recognised establishment of a level of data protection equivalent to that in the EU (e.g. for the US through the Privacy Shield) or compliance with officially recognised specific contractual obligations (“standard contractual clauses”).
Rights of data subjects
You have the right to obtain confirmation as to whether or not data concerning you are being processed and to obtain information about these data and to receive further information and a copy of the data in accordance with Art. 15 GDPR.
You have the right in accordance with Art. 16 GDPR to request the completion of data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 GDPR, you have the right to request that data concerning you be deleted immediately, or alternatively, in accordance with Art. 18 GDPR, to request that the processing of the data be restricted.
You have the right to receive the data concerning you which you have provided to us in accordance with Art. 20 GDPR and to request the transmission of these data to other controllers.
Under Art. 77 GDPR, you also have the right to lodge a complaint with the competent supervisory authority.
Right of withdrawal
You have the right to withdraw consent granted in accordance with Art. 7 para. 3 GDPR with future effect.
Right to object
You can object to the future processing of data concerning you in accordance with Art. 21 GDPR at any time. You may object, in particular, to processing for the purposes of direct marketing.
Cookies and right to object in relation to direct marketing
Cookies are small files that are stored on the user's computer. Various information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his/her visit to an online offer. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an online offer and closes his/her browser. For example, the contents of a shopping cart in an online shop or a login status can be stored in this type of cookie. Cookies are described as "permanent" or "persistent" if they remain stored even after the browser is closed. For example, the login status may be saved if users visit the site after several days. Similarly, the interests of users may be stored in such a cookie. These are used for measuring reach or marketing purposes. Third-party cookies are cookies that are supplied by providers other than the controller responsible for the online offer (otherwise, if it is only the latter’s cookies, they are referred to as "first-party cookies").
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional limitations of this online offer.
Deletion of data
According to legal requirements in Germany, the storage period is, in particular, 10 years according to Section 147 para. 1 of the German Fiscal Code (AO), Section 257 para. 1 nos. 1 and 4, para. 4 of the German Commercial Code (HGB) (books, records, management reports, accounting vouchers, trading books, documents relevant for taxation, etc.) and 6 years according to Section 257 para. 1 nos. 2 and 3, para. 4 HGB (commercial letters).
According to legal requirements in Austria, the storage period is, in particular, 7 years in accordance with Section 132 para. 1 of the Austrian Federal Fiscal Code (BAO) (accounting documents, vouchers / invoices, accounts, receipts, business documents, statement of income and expenditure, etc.), 22 years in connection with real estate and 10 years in the case of documents related to electronically provided services and telecommunication, radio and television services provided to non-business customers in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
Additionally, we process
- contract data (e.g. subject matter of the contract, duration, customer category)
- payment data (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
Order processing in the online shop and customer account
We process our customers’ data in the context of the order procedures in our online shop, in order to enable them to select and order the chosen products and services, as well as for payment and delivery or execution of the products and services.
The processed data include user data, communication data, contract data and payment data, and the data subjects include our customers, interested parties and other business partners. Processing is carried out for the purpose of providing contractual services in the context of operating an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.
The processing is based on Art. 6 para. 1 letter b (execution of ordering processes) and c (legally required archiving) GDPR. The information marked as required is necessary for the justification and fulfilment of the contract. We disclose the data to third parties only within the scope of delivery, payment or within the scope of legal authorisations and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. on customer request for delivery or payment).
Users can optionally create a user account, in which they can view their orders in particular. In the course of registration, the required mandatory data will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users cancel their user account, their user account data will be deleted, unless retention of these data is necessary for reasons of commercial or tax law in accordance with Art. 6 para. 1 letter c GDPR. Data in the customer account remain until deletion of the account with subsequent archiving in the case of a legal obligation. It is the responsibility of the users to back up their data before the end of the contract if the contract is terminated.
During registration and renewed logins as well as use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. In principle, these data are not passed on to third parties, unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 letter c GDPR.
Deletion takes place after the expiry of statutory warranty and similar obligations, and the necessity of retaining data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial (6 years) and tax (10 years) retention obligation).
Administration, financial accounting, office organisation, contact management
We process data within the framework of administrative tasks as well as the organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process within the scope of providing our contractual services. The processing bases are Art. 6 para. 1 letter c GDPR, Art. 6 para. 1 letter f GDPR. The processing relates to customers, interested parties, business partners and website visitors. The purpose of and our interest in processing lies in administration, financial accounting, office organisation, archiving of data, i.e. tasks that help us to maintain our business activities, perform our duties and provide our services. The deletion of data in relation to contractual services and contractual communication is in accordance with the information provided for these processing activities.
We disclose or transfer data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee earners and payment service providers.
Furthermore, we store information on suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We store these data, most of which are company-related, permanently.
When contacting us (e.g. by contact form, e-mail, telephone or via social media), the user's details are processed for the purpose of handling the contact request and its processing in accordance with Art. 6 para. 1 letter b GDPR. The information provided by users may be stored in a customer relationship management system ("CRM system") or comparable enquiry organisation system.
We will delete the enquiries if they are no longer required. We review their necessity every two years; furthermore, the statutory archiving obligations apply.
Below we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights to object. By subscribing to our newsletter, you agree to receive it and to the procedures described.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing promotional information (hereinafter "newsletters") only with the consent of the recipients or with a legal authorisation. If the contents of the newsletter are specifically described when registering for the newsletter, they are applicable to the consent of the users. Our newsletters also contain information about our products and accompanying information (e.g. safety instructions), offers, promotions and information about our company.
Double opt-in and logging: Registration to our newsletter takes place via a double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with third-party e-mail addresses. Newsletter registrations are logged in order to be able to provide evidence of the registration process according to the legal requirements. This includes storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the dispatch service provider are also logged.
Registration data: To subscribe to the newsletter, it is sufficient to enter your e-mail address. As an option, we may ask you to enter a name for the purpose of addressing you personally in the newsletter.
The dispatch of the newsletter and the associated measurement of its success is based on the consent of the recipients in accordance with Art. 6 para. 1 letter a, Art. 7 GDPR in conjunction with Section 107 para. 2 of the German Telecommunications Act (TKG) or on the basis of legal permission in accordance with Section 107 paras. 2 and 3 TKG.
The registration procedure is logged on the basis of our legitimate interests in accordance with Art. 6 para. 1 letter f GDPR. Our interest centres on the use of a user-friendly and secure newsletter system that serves our business interests as well as meets the expectations of the users and also allows us to provide evidence of their consent.
Cancellation/revocation – You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. A link to cancel the newsletter can be found at the end of each newsletter. We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to provide evidence of previously given consent. The processing of these data is limited to the purposes of a potential defence against claims. An individual request for deletion is possible at any time, provided that previous existence of consent is confirmed at the same time.
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online service.
In this context, we and/or our hosting provider process user data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 letter f GDPR in conjunction with Art. 28 GDPR (conclusion of data processing agreement).
Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the Internet. Pseudonymous usage profiles of users can be created from the processed data.
We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
The IP address transmitted by the user's browser is not combined with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting data generated by the cookie related to their use of the online offer and processing these data by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en-GB.
Users’ personal data will be deleted or anonymised after 14 months.
Created with Datenschutz-Generator.de provided by the lawyer Dr Thomas Schwenke