Data protection

Statement
This Data Protection Statement explains the way we process personal data (hereafter “Data”) as part of our online offering and its associated web pages, functions and content, to what extent and for what purpose, and as part of our external online presence, such as our social media profiles (hereafter referred to jointly as “Online Offering”). We refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR) for terminology used, such as “processing” or “controller”.

The provider and controller within the terms of the General Data Protection Regulation are

Erbslöh Geisenheim GmbH
Erbslöhstraße 1
65366 Geisenheim, Germany

Data Protection Officer:
Harald Pultar
EDV-Beratung Pultar GmbH
Bäckergasse 4
55128 Mainz, Germany
Telephone: +49 (0)6131 330821
Fax: +49 (0)6131 330822
E-mail: info@pultar.de
Internet: www.pultar.de

Types of data processed:
- Core data (e.g. names, addresses)
- Contact details (e.g. e-mail, telephone numbers)
- Metadata/Communications data (e.g. device information, IP addresses)

Categories of data subjects
Visitors to and users of the Online Offering (hereafter we will also refer to the data subjects jointly as “Users”).
Processing purpose
- Provision of the Online Offering, its functions and content.
- Response to contact enquiries and communication with Users.
- Security measures.

Terminology used
“Personal data” is any information relating to an identified or identifiable natural person (hereafter “Data Subject”); a natural person who can be directly or indirectly identified as a natural person, in particular by correlation to an identifier, such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more particular characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person is regarded as identifiable. 
“Processing” is any process or any such sequence of processes in connection with personal data executed with or without the aid of automated procedures. The term is far-reaching and encompasses almost any use of data.
“Pseudonymisation” is processing of personal data in such a way that it is no longer possible to relate the personal data to a specific Data Subject without consulting additional information, if this additional information is stored separately and is subject to technical and organisational measures that ensure that the personal data cannot be related to an identified or identifiable natural person.
“Profiling” is any type of automated personal data processing that consists of this personal data being used to analyse specific personal aspects that relate to a natural person, in particular to analyse or predict aspects regarding this natural person’s performance, financial situation, health, personal preferences, interests, reliability, behaviour, abode or change of abode. 
“Controller” is the term for the natural person or legal entity, authority, institution or other body that decides, individually or jointly with others, the purpose and method for processing personal data.
“Data processor” is a natural person, legal entity, authority, institution or other body that processes personal data on the Controller’s behalf.

Authoritative legal basis
In accordance with Article 13 GDPR, we hereby inform you of the legal basis for our processing of your data. If the Data Protection Statement does not mention the legal basis, the following shall apply: Articles 6 (1a) and 7 GDPR form the legal basis for obtaining consent; the legal basis for processing for rendering of our services and performance of contractual activities and responding to enquiries in Article 6 (1b) GDPR; the legal basis for processing for fulfilment of our legal obligations is Article 6 (1c) GDPR, and the legal basis for processing to preserve our legitimate interests is Article 6 (1f) GDPR. Article 6 (1d) GDPR shall serve as the legal basis in the event that the vital interests of the Data Subject or another natural person require processing of personal data.

Security measures
Pursuant to Article 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection commensurate with the risk, taking into consideration the state of the art, the implementation costs and the nature, scope, circumstances and purpose of processing, as well as the various likely incursions and severity of the risk to the rights and freedoms of natural persons.
In particular the measures include securing data confidentiality, integrity and availability by controlling physical access to the data, as well sharing, entry, forwarding, ensuring availability and separation thereof. We have furthermore established procedures that ensure observance of Data Subjects’ rights, erasure of data and response to jeopardization of data. In accordance with the principle of data protection by means of technological design and data-protection-friendly defaults, we furthermore take into consideration protection of personal data when developing and selecting hardware and software and procedures (Article 25 GDPR).

Cooperation with Data Processors and third parties

If we disclose data to other people and enterprises (Data Processors or third parties), transmit it to them or otherwise grant them access to the data as part of our processing, this occurs only on the basis of statutory permission (e.g. if transmission of the data to a third party, such as a payment service provider, is required for fulfilment of contract in accordance with Article 6 (1b) GDPR), if you have consented to it, a legal obligation makes provision for this, or on the basis of our legitimate interest (e.g. when using agents, web hosters, etc.).
If we instruct third parties to process data on the basis of a “data processing agreement”, this occurs on the basis of Article 28 GDPR.

Transmission to third countries
If we process data in a third country (i.e. outside the European Union (EU) or European Economic Area (EEA), or this occurs as part of recourse to third-party services or disclosure and/or transmission of data to third parties, this occurs only if required to fulfil our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Notwithstanding statutory or contractual permission, we process the data, or cause it to be processed, in a third country only if the special conditions of Article 44 et seq GDPR are present.  This means that processing takes place on the basis of specific guarantees, such as officially recognised determination of an EU-compliant level of data protection (by the Privacy Shield in the USA, for example), or observance of officially recognised specific contractual obligations (“standard contractual clauses”).

Rights of Data Subjects
According to Article 15 GDPR, you have the right to request confirmation of whether data concerning you is processed and to information about this data, as well as to further information and copies of the data.
In accordance with Article 16 GDPR, you have the right to completion of data concerning you, or rectification of incorrect data concerning you.
Pursuant to Article 17 GDPR you have the right to request that data concerning you is immediately erased or alternatively, pursuant to Article 18 GDPR, to request restriction of processing of your data.
You have the right to request that you receive data concerning you with which you have provided us pursuant to Article 20 GDPR and to request transmission thereof to other Controllers.
Furthermore, according to Article 77 GDPR, you have the right to object to the competent supervisory authority.

Right to withdraw consent
According to Article 7 (3) GDPR, you have the right to withdraw consents that you have given with future effect.
Right to object
You can object to future processing of data concerning you at any time pursuant to Article 21 GDPR. In particular you can object to processing for direct marketing purposes.

Cookies and right to object to direct marketing
“Cookies” is the term for little files that are stored on Users’ computers. Various information can be stored in the cookies. The primary purpose of a cookie is to store information about a User (or the device on which the cookie is stored) during or even after the User’s visit to an Online Offering. Cookies that are deleted after a User quits an Online Offering and closes the browser are known as temporary cookies, session cookies, or transient cookies. Such a cookie can store the content of an online store shopping basket, for example, or a login status. Cookies that continue to be stored even after the browser has been closed are known as “permanent” or “persistent”. The login status can be stored, for example, if Users visit the store again after several days. Such a cookie can also store the User’s interests and this information is used to measure reach, or for marketing purposes. Cookies that originate from providers other than the Controller who operates the Online Offering are known as “third-party cookies”. If the cookies originate from the Controller only, then these are known as “first-party cookies”.
We may use temporary and permanent cookies and explain this as part of our Data Protection Statement.
If Users do not want cookies to be stored on their computers they are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. If Users do not accept cookies this may restrict the Online Offering’s functionality.
You can also make a blanket objection to the use of cookies for online marketing purposes in the case of multiple services, above all in the case of tracking, through the US website http://www.aboutads.info/choices/ or EU site http://www.youronlinechoices.com/. It is also possible to prevent cookies being stored by switching them off in the browser’s settings. Please note that, as the case arises, it may not be possible to use all this Online Offering’s functions.

Erasure of data
The data we process is erased, or processing thereof restricted, pursuant to Articles 17 and 18 GPR. Unless expressly stated as part of this Data Protection Statement, the data we store is erased as soon as no longer required for its intended purpose and erasure is not opposed by any statutory duties of retention. If the data is not erased because it is required for other purposes permitted by law, processing thereof will be restricted. This means the data will be inaccessible and not processed for other purposes. This applies, for example, to data that has to be retained for commercial or tax law reasons.
According to legal stipulations in Germany, pursuant to sections 147 (1) German Fiscal Code (AO), sections 557 (1) subsections 1 and 4, (4) German Commercial Code (HGB) (books, records, management reports, posting vouchers, trading books, documents relevant to taxation, etc.) are to be retained for 10 years and for six years pursuant to section 257 (1) subsections 2 and 3, (4) Commercial Code (commercial papers).
According to legal stipulations in Austria, documents (accounting documents, receipts/invoices, accounts, vouchers, business documents, income and expenditure statement) are retained for seven years according to section 32 (1) Austrian Federal Fiscal Code, for 22 years in connection with real estate and for 10 years for documents in connection with electronic services, telecommunications, radio and television services rendered to non-entrepreneurs in EU Member States and for which recourse is made to the Mini One-Stop-Shop.

Contact
When contacting us (using the contact form, by e-mail, telephone, or via social media), the User’s details are used to process the contact request and handle it according to Article 6 (1b) (as part of contractual/precontractual relationships), Article 6 (1f) (other enquiries) GDPR.  The User’s details may be stored in a customer relationship management system (“CRM System”) or comparable enquiry processing system.
We erase the enquiries if these are no longer necessary. We review necessity every two years. The statutory duties of retention shall otherwise apply.

Newsletter
The following information is provided to notify you of our newsletter’s content and the subscription, mailing and statistical analysis processes, as well as your right to object. By subscribing to our newsletter you are agreeing to receive the newsletter and to the procedure as described.
Newsletter content: We only send newsletters, e-mails and other electronic notifications containing promotional information (hereafter “Newsletter”) with the recipient’s consent, or a statutory permit. If the Newsletter’s content is specifically outlined as part of a subscription, this is authoritative for the User’s consent. Our Newsletters otherwise contain information about our services and about us.
Double opt-in and logging: A double opt-in procedure is used for subscription to our Newsletter. This means that after subscribing you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no-one can subscribe using third-party e-mail addresses. E-mail subscriptions are logged to be able to demonstrate that the subscription processes comply with legal requirements. This includes storing the time of subscription and confirmation, as well as the IP address. We also log amendments to your data stored by the dispatch service.
Subscription data: all you need to do to subscribe to the Newsletter is provide your e-mail address. We also offer the option of providing a name so that the Newsletter can be addressed to you in person.
Newsletter dispatch and associated performance measurement takes place on the basis of the recipient’s consent pursuant to Article 6 (1a), article 7 GDPR in conjunction with section 7 (2) no. 3 German Unfair Competition Act (UWG) or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Article 6 (1f) GDPR, in conjunction with section 7 (3) Unfair Competition Act. 
The subscription process is logged on the basis of our legitimate interests pursuant to Article 6 (1f) GDPR. Our interest lies in use of a user-friendly and safe Newsletter system that serves both our commercial interests and meets Users’ expectations and which furthermore allows us to prove consent.
Subscription cancellation/Withdrawal - you can cancel receipt of our Newsletter at any time, i.e. you can withdraw your consent. There is a link at the end of each Newsletter for unsubscribing from the Newsletter. On the basis of our legitimate interests we can store the e-mail addresses supplied for up to three years before we erase them, in order to prove that consent was formerly given. Processing of this data is restricted to potential defence of claims. You can apply individually for erasure at any time if the previous existence of consent is simultaneously confirmed.

Google Analytics
We use Google Analytics, a web analysis service from Google LLC (“Google), on the basis of our legitimate interests (i.e. interest in analysis, optimisation and economic operation of our Online Offering within the terms of Article 6 (1F) GDPR). Google uses cookies. The information about the User’s use of the Online Offering generated by the cookie is generally transmitted to a Google server in the USA and stored there.
Google is certified according to the Privacy Shield Agreement and hereby guarantees that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse Users’ use of our Online Offering, to compile reports about activities within the Online Offering and to provide us with other services associated with use of this Online Offering and Internet use. Pseudonymized use profiles can be generated for Users from the data processed.
We only use Google Analytics with activated IP anonymisation. This means that Users’ IP addresses are abbreviated by Google within European Union Member States, or in other states that are parties to the European Economic Area Treaty. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there.
The IP address transmitted by the User’s browser will not be merged with other Google data. Users can prevent storage of cookies by appropriately adjusting their browser settings; Users can furthermore prevent capture by Google of the data generated by the cookie and relating to the User’s use of the Online Offering and processing of this data by Google by downloading and installing the browser plugin available from the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
You can obtain further information about Google’s use of data, settings options and the opportunity to object from Google’s data protection policy at (https://policies.google.com/technologies/ads) and in Google’s setting for displaying ads (https://adssettings.google.com/authenticated).
Users’ personal data will be erased or anonymised after14 months.

Google AdWords and conversion measurement

On the basis of our legitimate interests (i.e. interest in analysis, optimisation and economic operation of our Online Offering within the terms of Article 6 (1f) GDPR) we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
Google is certified according to the Privacy Shield Agreement and hereby guarantees that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the Google AdWords online marketing method to place advertisements in Google advertising networks (e.g. in search results, in videos, on websites, etc.), so they are displayed to Users who have a presumed interest in the advertisements. This permits us to target advertisements more purposefully for and within our Online Offering, to present Users with adverts that potentially correspond to their interests. If a User is displayed advertisements for products in which he has shown an interest on other online offering, this is known as “remarketing”. For this purpose, when you download our web pages and others on which the Google network is active, Google immediately executes a Google code and what are known as (re)marketing tags (invisible graphics or code, also called “web beacons”) are incorporated into the web page. An individual cookie, i.e. a small file, is stored on the User’s device with the help of these tags (similar technologies can be used instead of cookies). This file notes which websites are visited by the User, the content in which the User shows an interest and the services on which the User clicks, as well as technical information about the browser and operating system, referring websites, length of visit and other information about use of the Online Offering.
We also receive an individual “conversion cookie”. The information obtained by the cookie helps Google to generate conversion statistics for us. We only learn, however, the total number of anonymous users who have clicked on our advertisement and been forwarded to a page equipped with a conversion tracking tag. We do no receive any information, however, by which Users can be identified in person.
User data is processed in a pseudonymised format within the Google advertising network. This means that Google does not store and process Users’ names or e-mail addresses, but processes the relevant data related to the cookie in pseudonymised user profiles. From Google’s point of view, this means that advertisements are not managed and displayed for a person who has been identified specifically, but for the cookie owner, regardless of who owns this cookie. This does not apply if a User has expressly allowed Google to process the data without this pseudonymisation. The information about Users collected is transmitted to Google and stored on Google servers in the USA.
You can obtain further information about Google’s use of data, settings options and the opportunity to object from Google’s data protection policy at (https://policies.google.com/technologies/ads) and in Google’s setting for displaying ads (https://adssettings.google.com/authenticated).

Data protection information obligations

Geisenheim, May 2018