Privacy Policy
We take data protection seriously and want to do everything we can to protect your privacy when you use our web sites. That’s why we have drafted this privacy policy to explain how we use your data.
We reserve the right to change the content from time to time. We thus recommend consulting our privacy policy again at regular intervals.
I. Definition of Terms
This privacy policy is based on the terms used in the European General Data Protection Regulation (GDPR). Our privacy policy is meant to be easy to read and understand for the general public as well as for our customers and business partners. To ensure that this is the case, we would like to explain the terms used.
In this privacy policy, we use the following terms, among others:
- Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for processing.
- Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
- Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Controller or the person responsible for processing
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
II. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:
experimenta gGmbH
Experimenta-Platz
74072 Heilbronn
Tel.: +49 (0) 7131-88795 250
email: [email protected]
Website: www.experimenta.science
III. Name and address of the data protection officer:
The controller’s data protection officer is:
Mirella Eiberger
Tel.: +49 (0) 7131-88795 621
email: [email protected]
IV. General information on data privacy
- Scope of the processing of personal data
As a rule, we process the personal data of our users only to the extent necessary to offer a functioning website as well as our content and services. We only regularly process the personal data of our users subject to the user’s consent. An exception applies in those cases in which it is not possible to obtain previous consent for factual reasons and the processing of data is permitted by legal regulations.
- Legal basis for the processing of personal data
The legal basis for our seeking to obtain the consent of the data subject to process personal data is Art. 6, para. 1 lit. a of the EU General Data Protection Regulation (GDPR).
The legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract is Art. 6 para. 1 lit. b GDPR.
The legal basis for processing of personal data necessary for compliance with a legal obligation to which our company is subject is Art. 6 para. 1 lit. c GDPR.
The legal basis for processing of personal data necessary in order to protect the vital interests of the data subject or of another natural person is Art. 6 para. 1 lit. d GDPR.
The legal basis for processing necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, is point (f) of Article 6(1) GDPR.
- Erasure of data and storage period
The data subject’s personal data are erased or blocked as soon as the purpose for which said data were stored no longer applies. Data can also be stored when required by European or national legislatures for compliance with Union or Member State directives, laws or other regulations to which the controller is subject. Blocking or erasure of data also occurs if a prescribed retention period stipulated by said standards expires unless a need for continued storage of data exists to conclude or fulfill a contract.
- The personal data collected during registration are used and processed internally. If a query is received from the public health authority after becoming aware of a SARS-CoV-2 infection, we are obligated to provide the data to the authority within a period of four weeks (in compliance with the provisions of Articles 16 and 25 of the Infection Protection Law).
V. Provision of the website and creation of log files
- Description and scope of data processing
Our system automatically collects data and information from the computer system of the requesting computer every time our website is accessed. The following data are collected in this context:
(1) Information about the browser type and version
(2) user operating system
(3) the user’s internet service provider
(4) the user’s IP address
(5) date and time of access
(6) websites from which the user’s system linked to our website
(7) websites that can be launched from our website by the user’s system
Data are also stored in our system’s log files. Not affected by this are the user’s IP address or other data that allow the allocation of data to a user. These data are not stored together with the user’s personal data.
- Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit f GDPR.
- Purpose of data processing
The system needs to store the IP address temporarily to deliver the website to the user’s computer. In order to do so, the user’s IP address must remain stored for the duration of the session.
- Storage period
Data is deleted as soon as it is no longer required for the purpose it was collected. This is the case if the respective session ended in instances in which data was collected to provide the website.
- Right to object and right to erasure
The collection of data for the provision of the website and storage of data in log files is absolutely necessary for the operation of the website. The user consequently does not have a right to object.
VI. Use of cookies
- Description and scope of data processing
Our website uses cookies. Cookies are text files stored in the internet browser or by the internet browser on the user’s computer system. When a user visits a website, a cookie can be stored on the user’s operating system. This cookie contains a distinctive character sequence that uniquely identifies the browser the next time the website is visited. We use cookies to make our website user-friendly. Some elements of our website demand that the requesting internet browser is identifiable even when moving to another page. The cookies store and transmit the data listed under the following link: Cookies
- Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit f GDPR.
- Purpose of data processing
Cookies are technically necessary for the purpose of making websites easier for users to use. Some of our website functions cannot be offered without using cookies. For these functions, it is necessary for the browser to be able to be recognized even after changing pages. We use cookies to deliver our content optimally or for the booking process of our lab courses. The user data collected by cookies that are technically necessary is not used to create user profiles.
- Storage period, opt-out and delete options
Cookies are stored on the user’s computer and are transmitted to our site from the computer. Consequently, you as the user also retain full control over how cookies are used. By changing the settings in your internet browser, you can deactivate or limit their transmission. Cookies already saved on your system can be deleted at any time. They can also be deleted automatically. If cookies are deactivated for our website, the full functionality of all website functions may no longer be possible. Instructions on how to disable cookies in your browser can be found in your browser’s Help function or under the following links:
• Mozilla Firefox
• Google Chrome
• Microsoft Edge
• Opera
• Safari
• Microsoft Internet Explorer 11
Using the corresponding tools or browser add-ons, you can also disable the use of pixels on our website (e.g. through the add-on “AdBlock”). Other opt-out options can be found in the information about the tracking and targeting measures we use.
VII. Newsletter
- Description and scope of data processing
Our website also includes an option to subscribe to our free newsletter. During registration, the following data from the entry mask are transmitted to us: first name, last name, email address as well as visitor property. Visitor properties include:
• General (everyone)
• Educators
Your consent for the processing of data is requested during the registration process and reference is made to this privacy statement. We use newsletter software from CleverReach GmbH & Co. KG, Mühlenstrasse 43, 26180 Rastede, Germany to create and manage our newsletters. The data required from the newsletter recipients are hosted on a CleverReach server application to which we have password-protected access. The contractual basis between CleverReach and us is the CleverReach Terms of Service, which can be found at www.cleverreach.com/en/terms-of-service. These state that CleverReach will not access data of newsletter recipients nor use said data in any way. We carefully selected and commissioned the service provider. This service provider is bound by our instructions and is regularly audited for their use of suitable technical and organizational measures to safeguard data against misuse. No data is transferred to countries outside of the EEA. The newsletter software from CleverReach analyzes the range of the respective newsletter to determine whether mail items actually reach the intended recipients. Identifiable individual behavior patterns are only used for the statistical evaluation of the newsletter’s success and under no circumstance are they disclosed to third parties or used for any other purposes.
- Legal basis for data processing
The legal basis for data processing after the user has registered for the newsletter is point (a) of Article 6 (1) GDPR provided the user has given consent.
- Purpose of data processing
The purpose of collecting the user’s email address and visitor properties is to deliver the corresponding newsletter. We send different newsletters for the respective visitor properties. The purpose of collecting any personal data within the framework of the registration process is to prevent misuse of the services or the email address used.
- Storage period
All data is deleted as soon as it is no longer required to achieve the purpose of its collection. The user’s personal data are thus only stored for as long as the newsletter subscription is active.
- Opt-out and delete options
The user affected can cancel the newsletter subscription at any time. A corresponding link to unsubscribe from the newsletter is found in every newsletter for this purpose.
VIII. Newsletter tracking
- Description and scope of data processing
Our newsletters contain so-called tracking pixels. A tracking pixel is a tiny graphic embedded in emails sent in HTML format in order to record and analyze a log file. This is a way of performing a strategic analysis of the success or failure of online marketing campaigns. Using embedded tracking pixels, we can identify whether and when an email was opened by a person concerned and which links in the email the person concerned clicked on.
- Legal basis for data processing
The legal basis for data processing is point (f) of Article 6(1) GDPR.
- Purpose of data processing
Personal data collected by tracking pixels in the newsletters are stored and analyzed by the controller to optimize newsletter mailing and to adapt the content of future newsletters better to the interests of the person concerned. This personal data is not passed on to third parties.
- Storage period
Data is deleted as soon as said data is no longer necessary for the purpose for which it was collected. The user’s data is thus stored for as long as the newsletter subscription is active.
- Opt-out and delete options
Persons concerned have the right at any time to revoke the declaration of consent submitted separately using the double opt-in process. After opting out, the personal data is deleted by the controller. We automatically interpret opting out of the newsletter subscription as cancellation.
IX. Visitor Account (Digital Backpack, Talent Search, Visitor Station)
- Create a Visitor Account
A Visitor Account can be created at the visitor stations in the foyer of the exhibition, in the Forum or on our homepage:
a) to plan a tour for your visit;
b) to fill the Digital Backpack and store content permanently. Content includes e.g.:
• photos (selfies, partly in abstracted form and drawings/montages);
• videos (selfies, partly in abstracted form and filed objects);
• audio files (pieces of music you’ve composed);
• documents in PDF format (texts you’ve written, collections of images and information);
c) to store the results of the Talent Search permanently;
d) to purchase tickets in the ticket shop (only possible with an account verified by email).
Creation of a Visitor Account is entirely voluntary and not obligatory. Its only purpose is to be able to use the aforementioned functions.
The following data is collected (depending on use):
• email address
• first name
• last name
• nickname / pseudonym
• sex
• date of birth
Using other social media logins (here via Facebook or Google) only links to the login information – the privacy policies of the respective social media provider apply. No data is transferred to these companies by experimenta.
The pseudonym (nickname) may be displayed on some of the stations at experimenta (e.g. “Super-Me” or “Postcards”) once users have finished at these stations and decided to publish the created content. Content may be posted on screen, for example.
- Legal basis for data processing
The legal basis for processing personal data is Art. 6 (1) of the EU General Data Protection Regulation (GDPR).
- Purpose of data processing
The purpose of processing the data stated under clause 1 is to make it possible for users to again access content played at the stations outside of experimenta through the Internet and to save and print said content as needed. It is also possible to access stored content during any other experimenta visit.
- Storage period
Users can delete the content of the Digital Backpack or parts thereof at any time using the delete function. Data is not deleted automatically.
- Opt-out and delete options
Users have the right at any time to revoke the declaration of consent to the processing of data. The “Delete visitor account” button below “Visitor Account” at the Visitor Station and the button “Delete profile” on the website can be used for this purpose. You can also write an email to [email protected] to request that a Visitor Account be deleted.
X. “Friends” Registration (“Freundeskreis”)
The Friends of experimenta is a group of individuals from the areas of education, business and schools. The members support experimenta with internal affairs and visibility and are its “ambassadors”. They promote the idea of experimenta in public and are dedicated in many different ways to educating children, young people and adults in science and technology.
- Description and scope of data processing
The members themselves provide experimenta with their personal data (first and last name, private and/or business address as well as phone numbers and email addresses). experimenta provides Friends members with a separate section of the experimenta website. The consent of the users to the processing of this data is obtained within the framework of the membership.
- Legal basis for data processing
The legal basis for data processing subject to the user’s consent is point (a) of Article 6(1) GDPR.
- Purpose of data processing
User registration is required to provide certain content and services on our website as well as for communication purposes.
- Storage period
Data is deleted as soon as said data is no longer necessary for the purpose for which it was collected. This is the case for data collected within the framework of the Friends membership when the Friends membership ends.
- Opt-out and delete options
Users receive general log-in details from the experimenta website administrator for an initial log-in. Users can then change the log-in details so that all members have their own personal log-in and have the option of changing the log-in at any time. The stored data can also be changed by the experimenta website administrator who also deletes the data once the membership has ended.
XI. Email contact
- Description and scope of data processing
It is possible to establish contact (‘communicate’) using the email address provided. In this case, the user’s personal data transmitted by email is stored. No data is passed on to third parties in this context. Data are only used to process the conversation.
- Legal basis for data processing
The legal basis for processing data transmitted when an email is sent is point (f) of Article 6(1) GDPR. If the purpose of email contact is to conclude a contract, the additional legal basis for processing is point (b) of Article 6(1) GDPR.
- Purpose of data processing
When contact is established by email, it represents the required legitimate interest in the processing of data.
- Storage period
Data is deleted as soon as said data is no longer necessary for the purpose for which it was collected. This is the case for personal data sent by email once the respective conversation with the user has ended. The conversation is over when it can be determined from the circumstances that the matter or issue in question has been conclusively resolved.
- Opt-out and delete options
If a user contacts us by email, he or she can withdraw his or her consent to the storage of his or her personal data at any time. In this case, the conversation will not be continued. All personal data stored during communication will be deleted in this case.
XII. Use of Google Analytics
- Scope and purpose of the processing of personal data
We use Google Analytics, a web analytics service provided by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). Use includes Universal Analytics. This makes it possible to assign data, sessions and interactions over several devices to a pseudonymized user ID and thereby analyze user activities across several devices. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. In case of activation of the IP anonymization, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases, the full IP address is sent to and shortened by Google servers in the USA. Google will not associate your IP address with any other data transmitted by your browser within the framework of Google Analytics. On behalf of the website provider Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage to the website provider. This represents a legitimate interest in data processing.
- Legal basis for the processing of personal data
The legal basis for the use of Google Analytics is Section 15 (3) of the German Telemedia Act (TMG) and point (f) of Article 6(1) GDPR.
- Storage period
Data whose storage period has expired is deleted automatically once every month. For more information on our Terms of Use and Privacy Policy go to https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=de
- Opt-out and delete options
You may refuse the use of cookies by selecting the appropriate settings on your browser software. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent collection and use of data (incl. your IP address) by Google by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=en-GB. Opt-out cookies prevent the future collection of your data when you visit this website.
XIII. Use of Google Maps
- Scope of the processing of personal data
We use Google Maps to display interactive maps and to prepare driving directions. Google Maps is a mapping service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When calling up the pages on which the Google Maps map is embedded, information about your use of this website including your IP address and the (start) address entered within the framework of the route planning function is transmitted to the Google server in the USA. When you visit a page on our website that contains Google Maps, your browser connects directly to the Google servers. Google transmits the map content directly to your browser and links the content to the page. We have no influence on the amount of data Google collects in this way. Based on the information available to us, it includes at least the following data:
• Date and time of the visit to the website,
• Internet address or URL of the accessed website,
• IP address, the (start) address entered within the framework of route planning.
We have no influence on how Google processes and uses data and assume no responsibility for how Google processes and uses data. If you object to Google processing or using data collected by our website, deactivate JavaScript in your browser. In this case, however, you cannot use the map display.
- Purpose of the processing of personal data
The purpose and extent to which data is collected and the further processing and use of data by Google, as well as your rights and setting options to protect your privacy, can be found in the Google Privacy Policy. In the Google Safety Center, you can change your settings so that you are able to manage and protect your data. By using our website, you declare that you agree to the processing of data collected by the Google Maps route planner in the manner described above and for the previously stated intended purpose.
- Opt-out and delete options
Instructions on how to manage your data in connection with Google products can be found here.
XIV. Use of the contact form
- Type and scope of processing
Our website provides a form that can be used to contact us. The information collected in mandatory fields is required to be able to process your query. You may also provide additional information voluntarily which you deem necessary for us to process the contact request.
No personal data is transmitted to third parties when the contact form is used.
- Purpose and legal basis
We process the data you provide when you use our contact form for the purpose of communication and processing your query based on your consent pursuant to point (a) of Article 6(1) GDPR. Insofar as your query refers to an existing contractual relationship with us, processing is used for the purpose of performance on the basis of point (b) of Article 6 (1) GDPR. No legal or contractual obligation on the provision of your data exists. However, it is not possible to process your query without providing the information in the mandatory fields. Insofar as you do not wish to provide this data, please contact us by other means.
- Storage period
Insofar as you use the contact form based on your consent, we store data collected from every request for a period of three years, starting with the processing of your request or until withdrawal of your consent.
XV. Use of social networks
We maintain so-called fan pages and accounts or channels on the networks below to be able to provide you with information and offerings on social networks and to offer you other ways of contacting us and informing yourself about our offerings. The following sections inform you which data belonging to you we or the respective social network process in conjunction with visiting and using our fan pages/accounts.
- How we process your data
Should you wish to contact us through Messenger or via Direct Message through the respective social network, we generally process the user name you use to contact us and as necessary store other data you share insofar as necessary to process/reply to your concerns and requests. The legal basis is point (f) of Article 6(1) GDPR (processing is necessary to protect the legitimate interests of the controller).
- (Statistical) Usage data which we receive from social networks
Using insight functionalities, we receive statistics about our accounts that are provided automatically. The statistics include the total number of visits to the page, Like information, information on page activities and posts, range and coverage, video views and displays as well as information on the percentage of men/women among our fans/followers.
The statistics comprise aggregated data only which cannot be identified as related to individual persons. We cannot use the data to identify individuals.
- How do social networks process your data
You do not need to be a member of the respective social network to be able to see the content of our fan pages or accounts and insofar no user account for the respective social network is necessary.
Please note, however, that social networks collect and store data even of website visitors who do not have a user account on that particular social network (e.g. technical data to be able to display the website) and use cookies and similar technologies over which we have no influence. Details related to this topic can be found in the privacy policies of the respective social network (see above for links).
Insofar as you wish to interact with the content on our fan pages/accounts, to comment on, share or like our posts/contributions and/or contact us using Messenger functions, you must have previously registered on the respective social network and entered personal data.
We have no influence on data processing by social networks in the context of your use of said networks. Based on the information available to us, your data, specifically in conjunction with the provision of the services of the respective social network, is stored and processed, and also used to analyze usage behavior (using cookies, pixel/web beacons and similar technologies) on the basis of which advertising is displayed based on your interests both on and outside of the respective social network. The possibility cannot be excluded that the social networks store your data outside of the EU/EEA and pass it on to third parties.
Information, including information related to the exact extent and purpose of processing of your personal data, the storage period/erasure as well as policies on the use of cookies and similar technologies within the framework of registration and use of social networks can be found in the privacy policies/cookie policies of the social networks. Information on your rights and opt-out options can also be found there.
XVI. Use of Facebook
When you visit our Facebook page, Facebook records your IP address as well as other information available on your PC in the form of cookies. This information is used to provide statistical information on the use of the Facebook page to us as the operator of the Facebook pages. Facebook provides more information on this topic under the following link: https://facebook.com/help/pages/insights.
It is not possible for us to identify individual users using the statistical information provided. We only use this information to be able to accommodate the interests of our users and to improve our online presence and ensure its quality.
We only collect data through our fan page to provide means of communicating and interacting with us. The information collected generally includes your name, message content, comment content as well as the “public” profile information you have provided.
Processing your personal data for our purposes stated above is based on our legitimate business and communication interests in the offerings of an information and communication channel pursuant to point (f) of Article 6(1) GDPR. If you as a user have given your consent to data processing to a provider of a social network, the legal basis includes processing as per point (a) of Article 6(1) GDPR.
Given the fact that the actual processing of data is done by the provider of the social network, our access to your data is limited. Only the social network provider is entitled to fully access your data. For this reason, only the provider can take and implement corresponding measures directly for the fulfillment of your user rights (request for information, request deletion / erasure / cancellation, object, etc.). The assertion of the corresponding rights is thus most effective when addressed to the respective provider directly.
Together with Facebook, we are responsible for the personal content of the fan page. The rights of the persons affected can be asserted both against Facebook Ireland as well as us.
Facebook has the primary responsibility for processing Insights data pursuant to GDPR, and Facebook fulfills all obligations under the GDPR in regard to the processing of Insights data. Facebook Ireland provides the affected persons with the substance of the page’s Insights addendum.
We make no decisions regarding the processing of Insights data and all other information arising from Article 13 GDPR, including legal basis, identity of the controller, storage period of cookies on user devices.
For more information, go to Facebook directly (Facebook addendum): https://www.facebook.com/legal/terms/page_controller_addendum.
XVII. Use of Twitter
Together with Twitter we are responsible for the personal content of the fan page. The rights of the persons affected can be asserted both against Twitter Inc. as well as us.
Twitter has the primary responsibility for processing Insights data pursuant to GDPR, and Twitter fulfills all obligations under the GDPR in regard to the processing of Insights data. Twitter Inc. provides the affected persons with the substance of the page’s Insights addendum.
We make no decisions regarding the processing of Insights data and all other information arising from Article 13 GDPR, including legal basis, identity of the controller, storage period of cookies on user devices.
For more information, go directly to Twitter: Privacy Policy.
XVIII. Use of Google Tag Manager
- Type and scope of processing
We use Google Tag Manager as provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags using an interface and allows us to control how services are integrated on our website. This allows us to integrate additional services easily to analyze user access and visits to our website.
- Purpose and legal basis
Use of Google Tag Manager represents a legitimate interest, i.e. interest in optimizing our services pursuant to point (f) of Article 6(1) GDPR.
- Storage period
We cannot influence the specific storage period of processed data. This is determined by Google Ireland Limited. For more information, go to the Privacy Policy for Google Tag Manager: Google Tag Manager Use Policy.
XIX. Use of Google Web Fonts
- Type and scope of processing
We use Google Fonts as provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a service that provides fonts for our online offerings. To load these fonts, you have to establish a connection to the servers of Google Ireland Limited. As a result, your IP address will be transmitted.
- Purpose and legal basis
The use of Google Fonts represents a legitimate interest, i.e. interest in a uniform provision as well as optimization of our online offerings pursuant to point (f) of Article 6(1) GDPR.
- Storage period
We cannot influence the specific storage period of processed data.
This is determined by Google Ireland Limited. For more information, go to the Privacy Policy for Google Fonts: https://policies.google.com/privacy.
XX. Use of Hotjar Behavior Analytics
- Type and scope of processing
We have integrated Hotjar Behavior Analytics on our website. Hotjar Behavior Analytics is a service provided by Hotjar Ltd. and includes optimization tools that analyze user behavior and feedback on our websites through analysis and feedback tools. Hotjar Behavior Analytics uses cookies and other browser technologies to analyze user behavior and recognize users. This information is used among other things to prepare reports on website activity and to run a statistical analysis of visitor data. Hotjar Behavior Analytics also tracks clicks, mouse movement and scroll list height to create so-called heatmaps and session replays.
In this case, your data is disclosed to the operators of Hotjar Behavior Analytics, Hotjar Ltd., Level 2, St Julians Business Centre, 3 Elia Zammit Street, St Julians STJ 3155, Malta.
- Purpose and legal basis
We process your data using Hotjar Behavior Analytics for the purpose of optimizing our website and for marketing purposes based on your consent pursuant to point (a) of Article 6(1) GDPR.
- Storage period
We cannot influence the specific storage period of processed data. This is determined by Hotjar Ltd. For more information, go to the Hotjar Behavior Analytics privacy policy: https://www.hotjar.com/privacy/.
XXI. Use of Flow-Flow Social Feed Stream
- Type and scope of processing
We have integrated the plug-in Flow-Flow Social Feed Stream on our website. “Flow-Flow – WordPress Facebook Instagram Twitter Feed Grid Gallery” is a multipurpose social media wall plugin that makes it possible to display a mix of social media feeds in beautiful responsive galleries and widgets. The module does not use any cookies or other browser technologies to analyze user behavior and recognize users. No data of website users is stored or transferred to third parties.
- Purpose and legal basis
The legal basis is the user’s declaration of consent to the presentations in those social networks.
- Storage period
No data on the website user is stored.
XXII. Use of YouTube
- Type and scope of processing
We have integrated YouTube Video on our website. YouTube Video is part of the YouTube, LLC, video platform to which users upload and share content across the Internet and can receive detailed statistics. YouTube Video lets us integrate content on the platform in our website. YouTube Video uses cookies and other browser technologies to analyze user behavior, recognize users and create user profiles. This information is used among other things to analyze the activity of content listened to and to prepare reports. If a user is registered with YouTube, LLC, YouTube Video can assign videos played to a profile. When you access this content, you establish a connection to the servers of YouTube, LLC, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. As a result, your IP address and as applicable, browser data, like your user agent, will be transmitted.
- Purpose and legal basis
Use of the service represents a legitimate interest, i.e. interest in the platform-independent provision of content pursuant to point (f) of Article 6(1) GDPR.
- Storage period
We cannot influence the specific storage period of processed data. This is determined by YouTube, LLC. For more information, go to the YouTube Video privacy policy: https://policies.google.com/privacy.
XXIII. Use of Facebook Pixel
- Type and scope of processing
We use Facebook Pixel from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to create so-called Custom Audiences, specifically to segment groups of visitors to our website, to determine conversion rates and to optimize them. This occurs specifically when you interact with advertising that we have booked with Facebook Ireland Ltd.
- Purpose and legal basis
We process your data with the help of Facebook Pixel for the purpose of optimizing our website and for marketing purposes based on your consent pursuant to point (a) of Article 6(1) GDPR.
- Storage period
We cannot influence the specific storage period of processed data. This is determined by Facebook Ireland Ltd. For more information, go to the Facebook Pixel privacy policy: https://www.facebook.com/privacy/explanation.
XXIV. Disclosure of data to third parties
Specifically insofar as it is permitted by law and necessary pursuant to point (b) of Article 6(1) GDPR to settle contractual relations with you, your personal data will be disclosed to third parties.
- For payment processing
This includes disclosing payment data to payment service providers or credit institutions to perform a payment transaction. To handle and process payments, it may be necessary for us to disclose to the payment service provider personal data such as name, address, phone number, email address, credit card or bank account data and transaction data collected during the payment process. Generally, the payment service providers collect this data on their own. The disclosed data may be used by the third party only for the stated purposes. In fulfillment of the contract pursuant to point (b) of Article 6(1) GDPR, we use the payment service providers listed below for handling and processing payments.
a) Payment by credit card
When paying by credit card, the payment data you enter is collected, stored and disclosed only to companies involved in the payment process at
GiroSolution GmbH, Hauptstraße 27, D-88699 Frickingen, Germany or
BS PAYONE GmbH, Lyoner Straße 9, D-60528 Frankfurt/Main, Germany.
We do not collect or store payment data. For more information about data protection at GiroSolution, go to https://www.girosolution.de/rechtliches/datenschutz/
For more information about data protection at BS PAYONE GmbH, go to https://www.bs-card-service.com/de/datenschutz
b) Payment with Girocard
When paying by Girocard, your payment data is collected and stored at
BS PAYONE GmbH, Lyoner Straße 9, D-60528 Frankfurt/Main, Germany,
and disclosed only to companies involved in the payment process.
User data is disclosed exclusively for the purpose of payment processing with the payment service provider BS PAYONE GmbH. For more information about data protection at BS PAYONE GmbH, go to https://www.bs-card-service.com/de/datenschutz .
c) Payment with PayPal
We offer the option of paying through the payment service provider PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”). If you pay using your PayPal account, you will be transferred to the PayPal website. You can log in using your PayPal account data and authorize payment. We have no access to the personal data collected by PayPal. PayPal is responsible for the processing of your data.
For more information about data protection and PayPal, go to the PayPal privacy policy at https://www.paypal.com/de/webapps/mpp/ua/useragreement-full
d) SEPA direct debit scheme
When using the SEPA direct debit payment option through GiroSolution, payments are processed by payment service provider GiroSolution GmbH, Hauptstrasse 27, D-88699 Frickingen, Germany. The company handles cashless payment transactions primarily in the area of e-commerce. Using an interface to their system “GiroCheckout”, GiroSolution GmbH provides a secure connection for the SEPA direct debit payment scheme.
In the payment process (“GiroCheckout”), data relevant for the transaction are sent to the PSP (payment service provider) platform for processing via a secure Internet connection. GiroSolution receives the details of the payment transaction via the HTTPS connection, coordinates it with the PSP platform and returns the results of the payment process to the webshop on a secure link.
The contractual partner will find the details on how to pay using GiroSolution in the Terms and Conditions of GiroSolution at https://www.girosolution.de/ .
- To dispatch your order
To be able to send your order (point (b) of Article 6(1)) as well as due to our legitimate interest in making shipment as uncomplicated as possible for you (point (f) of Article 6(1)), we transmit the data which you divulged as delivery address to the delivery services that transport the shipment, exclusively for the purposes of delivering goods as well as of notifying the recipient of the delivery of goods. These service providers are subject to postal secrecy.
XXV. Rights of the data subject
If your personal data is processed, you are an affected data subject within the meaning of the GDPR and you may assert the following rights against the controller:
- Right of access (Right to information)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
- Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
(4) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing pursuant to these requirements shall be informed by the controller before the restriction of processing is lifted.
- Right to erasure (‘Right to be forgotten’)
a) Obligation to erase
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
(3) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
(4) the personal data have been unlawfully processed.
(5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Article 17 paragraph 1 of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.
- Right to disclosure (‘right to be informed’)
If you have asserted your right to rectification, erasure or restriction of processing, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
- Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) GDPR; and
(2) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Freedoms and rights of others shall not be adversely affected hereby. The right to data portability shall not apply to the processing of personal data required in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- Right to withdrawal of consent
You have the right to withdraw your declaration of consent under data protection law at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR. To assert your right to lodge a complaint, contact:
The Baden-Württemberg Data Protection Authority
(Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg)
Dr. Stefan Brink
Postfach 10 29 32
70025 Stuttgart, Germany
or:
Königstraße 10a
70173 Stuttgart, Germany
Phone: 07 11/61 55 41-0
Fax: 07 11/61 55 41-15
Email: [email protected]
Homepage: http://www.baden-wuerttemberg.datenschutz.de
- Assertion of rights of the persons affected
If the person affected wishes to assert one or more of the rights of persons affected described above, he or she may contact our Data Protection Officer or one of the other staff responsible for data processing at any time.
XXVI. Security
We use technical and organizational security measures to protect data we manage from manipulation, loss, destruction and unauthorized access. We are constantly improving our security measures as new technology becomes available.