ChromoTek hereby brings the following explanations to the attention of its customers and third parties using our website for the purposes of fulfilling the information requirements under Art. 13 of the General Data Protection Regulation (“GDPR”).
1. Who is the controller and how can the controller be contacted?
Controller is ChromoTek GmbH, Am Klopferspitz 19, 82152 Planegg-Martinsried, Email: email@example.com.
You can contact ChromoTek’s data protection officer any time by sending an e-mail to DPO@chromotek.com with regard to any questions and remarks you may have in connection with your personal data.
2. What categories of personal data are being processed?
ChromoTek processes the following categories of personal data:
a) Automatically generated website visitor information
ChromoTek collects information and data that is automatically transmitted or generated by the visitor’s browser each time ChromoTek’s website is accessed. Such information includes the IP address, the URLs of the site you visited before accessing the ChromoTek website (“referrer”), the browser used, the operating system used, the access device used, date and time of your access, the pages viewed on the ChromoTek website, potentially your user behavior (e.g. data entered, objects clicked, mouse cursor movements) and the time you spend on the website. This data is automatically transferred by the browser, regardless whether you are a registered user or not.
b) Cookies, Web Beacons and similar technology
Cookies are small text files that are stored by your browser on your computer or mobile device and which allow re-identification of your computer or mobile device, potentially across numerous websites. These cookies contain no personal data. Some of the cookies we use are deleted again upon expiry of the session, that is, when you close your browser (these are referred to as session cookies). Other cookies remain stored on your device and allow us, or our business partners to recognize your browser during subsequent visits (persistent cookies).
Web beacons are small graphics files (pixels) that may be embedded in our website for the purposes of recording user behavior. Similar methods include, for example, flash cookies, HTML5 cookies or other local (browser or device) storage methods that – in a similar way to cookies – allow data to be saved to your browser or device so that your browser or device can be recognized during subsequent visits or during a session.
We use tracking facilities primarily for the purposes of providing shopping cart and order functionality and for providing user accounts and remembering your preferences and personalizing your use of the website. Such usage includes cookies that store your login credentials and ensure that your website session is always on and thereby saving you from the trouble to insert your password repeatedly on each visit as well as cookies that remember and recognize you during future visits of the website.
We also use tracking facilities for the purposes of activating the “advertisement technology” in order to offer you advertisement that may be of interest to you when you visit the search engines, website, mobile application and/or other internet sites advertised on the website. Advertisement technology uses information on your previous visits of the website and websites advertised on our website in order to provide tailor-made advertisement. While providing such advertisement, unique third party cookies may be placed on your browser so that the website recognizes you. See the section on “Retargeting” below for additional information.
In addition we use tracking facilities to generate pseudonymous website usage and behavior statistics and data.
You may prevent cookies by configuring your browser software accordingly. However, please note that certain areas of the websites or certain services may then not work as intended (such as logging in to your account or placing orders).
c) Google Analytics
The IP address sent by your browser to Google Analytics will not be merged with other Google data.
You can prevent the installation of cookies by changing the settings of your browser. Please note, however, that this may prevent some of our services’ feature from working correctly. Alternatively you can prevent the collection of the cookie data and your website usage data (including your IP address) by Google and the processing of such data by Google by downloading and installing a browser plugin available at: http://tools.google.com/dlpage/gaoptout .
This website utilizes Google Analytics with the extension “_anonymizeIP()”. This ensures processing of truncated IP addresses, so that no direct personal identification via IP addresses is possible.
d) Order and transaction data
If you place an order we will collect and process the respective order and transaction data, including
- your contact information and delivery address
- your order
- delivery and shipment status
- payment data and payment status
The processing of the aforementioned data is required to fulfil an order.
e) User accounts and communication
When you create a user account, we collect the following data:
- name, surname, user name, password, e-mail address, home and delivery address, TR ID no., demographic data, bank data
- administrative data, e.g. the date of your registration and your last visit
If you contact us (e.g. place an inquiry with our customer service), we also store and process your communication with us (e.g. e-mails).
f) Newsletter and marketing information
If you provide us with your contact information (e-mail) via placing an order or creating a user account and have given us your consent by agreeing to receive marketing information, we will regularly send you marketing information and our newsletter about our own products and services. We may also send you invitations to electronic surveys.
You can withdraw your consent and opt-out at any time by clicking on the opt-out link provided in all marketing mailings without incurring any costs (other than the usual transmission costs at the basic rates).
3. What is the purpose and legal basis of the data processing?
We process personal data in accordance with the requirements of the GDPR:
a) To perform a contract with the customer (Art. 6 (1)(b) GDPR)
We process personal data to perform our contract with our customers, including to:
- manage registered users’ accounts and personalize the website
- facilitate purchases and sales, including
- confirming the credentials of the party directly/indirectly shopping through the website,
- saving contact and other necessary information for communication purposes,
- contacting our customers for the purposes of providing information on the terms, current status of the distant sales agreement and other agreements executed in accordance with the relevant provisions under the Law on the Protection of Consumers and updates regarding thereto,
- taking orders, providing goods and services,
- realizing payment transactions,
- preparing all records and documents constituting the basis of the transaction either electronically (internet/mobile, etc.) or as hardcopies,
- fulfilling the obligations assumed under the distant sales agreement and any other agreement executed in accordance with the relevant provisions under the Law on the Protection of Consumers,
- ensure the performance of technical, logistical and other similar functions by third parties on behalf of the seller.
b) For the purposes of the legitimate interests pursued by ChromoTek (Art. 6 (1)(f) GDPR)
We process personal data for the purpose of our legitimate interests, including:
- Service improvements, for example
- providing a better shopping experience to our customers and visitors
- improving goods and services, resolving systemic problems
- continue to improve the websites and services technically and adapt them to the needs of our users and visitors
- evaluating customer complaints and suggestions concerning our services
- Analysis of aggregated, pseudonymous data e.g.
- analyzing customer environments
- analyzing website visitor behavior to compile statistical reports on website activity
- create aggregated statistics on access channels and the transition to our partner’s websites
- Marketing, e.g.
- providing information to our customers with respect to products that may be of interest to them, based on the customer’s field of interest
- providing information on campaigns
- providing information about our products and services
- various marketing and advertisement activities and in this regard, organizing electronic and/or physical surveys through contracted entities
- if you have given us your consent, SMS/short messages, instant messages to purchasers, use autodial, computer, phone, e-mail/mail, fax, other electronic communication tools and carry out commercial electronic communications in accordance with the applicable legislation with respect to presentation, advertisement, communication, promotion, sales and marketing purposes concerning the goods and services
- Providing marketing partners (e.g. retargeting / advertising providers) with pseudonymous data about website usage, in order to display “targeted” ads on third party websites (“retargeting”)
- ensuring the security of our IT environment, Website and business operations; recognize, identify and correct malfunctions and possible abuse and fraud.
c) Pursuant to legal obligations (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)
We will provide information to public officials in accordance with the applicable law and upon demand in cases concerning public safety. In addition, we will fulfil our legal obligations and exercise our rights arising from the applicable legislation.
d) Consent based (Art. 6(1)(a) GDPR)
To the extent you have granted us consent to process your personal data for certain purposes, such processing is based on your consent. You can withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
e) Automatic individual decisions and profiling
ChromoTek does not make decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you pursuant to Art. 22 GDPR.
4. Who are potential recipients of personal data?
Generally, we do not give your personal data away to third parties, unless you have given consent to such transfer or the transfer is legally permitted. In particular, we do not give your e-mail address or other contact information to third parties for advertising purposes or as part of address trading.
That being said, personal data may be transferred to third parties as follows:
- To our external contractors and service providers, who act as data processors. These data processors receive personal data solely for the performance of their services for us. They are contractually obliged not to use personal data for other purposes. Data processors may include, without limitation, IT service and telecommunication providers (including e.g. hosting and cloud storage providers), logistics and shipping providers, accounting and business service providers, CRM, sales, advertising, survey and marketing service providers.
Our external contractors and service providers, who act as data processors, are:
- rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br., Germany: for sending newsletters
- LiveChat, Inc. One International Place, Suite 1400, Boston, MA 02110-2619, United States of America for online communication
- Hubspot Inc., 25 First Street, 2nd Floor Cambridge, MA 02141 United States for Marketing and Customer Relationship Management
- COCO new media GmbH Internetagentur München, Adams-Lehmann-Str. 56, 80797 München, Germany for administring our website
- Strato AG, Pascalstraße 10, 10587 Berlin, Germany for hosting our website
- Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA for sending and receiving Emails and other Outlook functions
- Banks and payment service provider, including the Interbank Card Centre, for the purpose for processing payments.
- Fraud prevention agencies/providers.
- Advertising and retargeting partners, as stated above, who may be permitted to set a cookie on your computer and receive your IP address and information about the visited webpages, for tracking and advertising purposes. No identification information (e.g. e-mail address, user name, name, address, ...) is being transmitted. See “Retargeting” above.
- Courts and other public institutions due to legal requirements.
5. Is data being transferred to a third country?
Since we are incorporated in and have our place of business in Germany, your personal data is necessarily transmitted to Germany. In addition, some of our contractors, service providers and other recipients as listed in Sec. 4 are located in the United States.
We entered into EC Model Contracts with all potential recipients of personal data of non-registered website visitors. You can find a copy of the EC Model Contracts at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
6. How long will personal data be stored?
We process and store personal data as long as it is necessary for the purpose of processing, in particular for the performance of our contractual services or for the observance of legal obligations.
- Website visitor data is stored for five years.
- Transaction / order data is stored for the term of statutory retention periods as prescribed by tax law, i.e. ten years.
- User account data (with the exception of transaction data) will be deleted one year after the deletion of a user account.
7. What are my rights as a data subject?
You have right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDRP) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR). In addition, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
8. Changes to our privacy statement