WESTERMANN

Karl Westermann GmbH & Co.KG

Albstrasse 1
D-73770 Denkendorf
Telephone +49 (0711) - 93 44 60 -0
Fax +49 (0711) - 93 44 60 -50
Email info@westermann.com
Karl Westermann Administration GmbH
Commercial register Stuttgart HRB 213062

Managing Directors: Frank Westermann, Meike Deuschle

I. Definitions

'Personal data' means any information relating to an identified or identifiable natural person; A natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special features that express the physical , physiological, genetic, psychological, economic, cultural or social identity of that natural person;

'Processing' is any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data, such as collecting, recording, organizing, classifying, storing, adapting or modifying, reading out, querying Use, disclosure by transmission, distribution or other form of making available, alignment or combination, restriction, deletion or destruction;

'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

'Recipient' means a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the context of a specific investigative task under Union or Member State law shall not be deemed to be recipients; the processing of these data by the said authorities will be carried out in accordance with the applicable data protection rules in accordance with the purposes of the processing;

II. General information

1. Person responsible for data processing

Karl Westermann GmbH & Co.KG
Albstrasse 1
73770 Denkendorf
Germany
Telephone: +49 (0711) - 93 44 60 -0
Fax: +49 (0711) - 93 44 60 -50
Email: info@westermann.com

2. Contact details of the company data protection officer

OBSECOM GmbH
Königstr. 40
70173 Stuttgart
Germany
Telephone: 0711 / 4605025-40
Fax: 0711 / 4605025-49
Email: datenschutz@obsecom.de
Website: https://www.obsecom.de

3. Legal basis

We process personal data based on at least one of the following legal bases:

• Consent of the data subject to the processing of personal data concerning him or her for one or more specific purposes (Art. 6 Para. 1 Sentence 1 Letter a GDPR);


• Fulfillment of a contract with the data subject or to carry out pre-contractual measures at the request of the data subject (Art. 6 para. 1 sentence 1 lit. b GDPR);


• Fulfillment of a legal obligation to which we are subject (Art. 6 Para. 1 Sentence 1 Letter c GDPR);


• To protect the vital interests of the data subject or another natural person (Art. 6 Para. 1 Sentence 1 Letter d GDPR);
• Safeguarding our legitimate interests or those of a third party (Art. 6 Para. 1 Sentence 1 Letter f GDPR)
  
  

In this data protection declaration we refer to the respective legal basis below
individual processing operations.

4. Transfer of data to recipients

We pass on personal data to recipients (processors or other third parties)
only to the extent necessary and only under one of the following conditions:

• The person concerned has consented to the disclosure;


• The transfer serves to fulfill contractual obligations or pre-contractual measures at the request of the person concerned;


• We are legally obliged to pass it on;


• The transfer is based on legitimate interests of us or a third party.

5. Third countries

The transfer of personal data to a country or an international organization outside the European Union (EU) or the European Economic Area (EEA) will only take place in accordance with the requirements of Art. 44 ff. GDPR, subject to legal or contractual permissions. That means that for that
the country in question has an adequacy decision by the EU Commission in accordance with Art. 45 GDPR, suitable guarantees for data protection in accordance with Art. 46 GDPR or binding internal data protection regulations in accordance with Art. 47 GDPR exist. In individual cases, data transfer may be possible on the basis of an exception
Art. 49 GDPR may be permissible.

We may have integrated external services on our website whose providers are based in the USA. When these services are active, personal information is collected in connection with the provision of the respective service and may be transferred to and stored on servers in the USA. The European Court of Justice considers the USA to be a country with an inadequate level of data protection. When data is transferred to the USA, there is a fundamental risk that this data will be accessed by US authorities and used for control and monitoring purposes without this being communicated
and without any legal remedies available.

6. Rights of those affected

As a data subject, you have the following rights:

• In accordance with Art. 15 GDPR, you can request information about your personal data processed by us; You can also request information regarding the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your data has been disclosed or is still being disclosed, the planned storage period or the criteria for determining the storage period, the origin your data, provided it was not collected from you, the existence of automated decision-making including profiling and, if necessary, meaningful information on its details such as logic, scope and effects, the existence of a right to correction or deletion of the data concerning you, the right to restriction the processing or objection to this processing, the existence of a right to lodge a complaint with the supervisory authority; Finally, you have the right to know whether personal data has been transferred to a third country or to an international organization and, if so, about the appropriate safeguards in connection with the transfer;
• In accordance with Art. 16 GDPR, you can request the immediate correction of incorrect personal data stored by us or the completion of your personal data;


• According to Art. 17 GDPR, you can request the deletion of your personal data stored by us, unless the processing is carried out to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defense of legal claims is necessary;
• According to Art. 18 GDPR, you can request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse its deletion and we no longer need the data, you do not need it from us you need data that is no longer required to assert, exercise or defend legal claims or you have objected to the processing in accordance with Art. 21 GDPR but it is not yet clear whether our legitimate reasons for data processing outweigh your interest;


• According to Art. 20 GDPR, you can request that your personal data that you have provided to us be provided in a structured, common and machine-readable format or that it be transmitted to another person responsible;
• According to Art. 21 GDPR, you can object to the processing of your personal data if there are reasons for doing so that arise from your particular situation or the objection is directed against direct advertising and the legal basis for the processing of the personal data is legitimate interests in accordance with Art 6 Paragraph 1 Sentence 1 Letter f GDPR are;


• In accordance with Art. 7 Para. 3 GDPR, you can revoke your consent to us at any time. This means that we are no longer allowed to continue the data processing based on this consent in the future;
• According to Art. 77 GDPR, you can complain to a supervisory authority, in particular in the member state of your usual place of residence, your place of work or the place of the alleged violation. You can find a list of contact details for the data protection officers in the federal states at the following link: https://www.bfdi.bund.de/DE/Service/Anschrift/Laender/Laender-node.html.
  
  

If you would like to assert the above data subject rights, you can contact us or our data protection officer at any time using the contact details listed above.

7. Deletion and restriction of personal data

Unless otherwise regulated in this data protection declaration for the individual case, personal data will be deleted if this data is no longer necessary for the purposes for which it was collected or otherwise processed and the deletion does not conflict with any legal retention obligations. We will also delete the personal data we process upon request in accordance with Article 17 of the GDPR if the conditions stipulated therein are met. If personal data is required for other legally permissible purposes, it will not be deleted, but rather its processing will be restricted in accordance with Article 18 of the GDPR. In the event of restriction, the data will not be processed for other purposes. This applies, for example, to personal data that we must retain for commercial or tax reasons. Documents in accordance with Section 257 Paragraph 1 Nos. 2 and 3 HGB and Section 147 Paragraph 1 No. 2,
3, 5 AO for 6 years, documents according to Section 257 Paragraph 1 Nos. 1 and 4 HGB and according to Section 147 Paragraph 1 Nos. 1, 4, 4a AO for 10 years.

8. Cookies

Cookies are used as part of our website. Cookies are small text files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, PC, etc.) when you visit our site. Cookies do not cause any damage to your device and do not contain viruses or other malware. The cookie stores information that arises in connection with the specific end device used. However, this does not mean that we receive direct knowledge of your identity. Cookies are mainly used to make the Internet offering more user-friendly, effective and secure.

8.1 1. Necessary cookies

The data processed by necessary cookies is for the purposes mentioned to protect our legitimate interests and those of third parties in the provision and operation of our website in accordance with Article 6 Paragraph 1 Sentence 1 Letter f GDPR in conjunction with Section 25 Paragraph 2 No .2 TTDSG required.

Name: CONSENT
Provider: YouTube
Purpose: Stores the user's cookie choices
Term: 2 years
Further information: https://policies.google.com/technologies/cookies/embedded?hl=de-de

Name: YSC
Provider: YouTube
Purpose: This cookie is used by YouTube to store user input and associate a user's actions. The cookie ensures that the requests within a browser session are made by the user and not by other websites.
Duration: Expiry of the session
Example content: 4nkN1wXLb90
Further information: https://policies.google.com/technologies/cookies/embedded?hl=de-de

Name: VISITOR_INFO1_LIVE
Provider: YouTube
Purpose: This cookie is used to store users' preferences for embedded YouTube videos and to determine which version of the YouTube interface the user is using.
Duration: 180 days
Example content: 0sKDtZtp7Mw
Further information: https://policies.google.com/technologies/cookies/embedded?hl=de-de

8.2 3. Unclassified cookies

Name: VISITOR_PRIVACY_METADATA

Most browsers accept cookies automatically. If you do not want this, you can configure your browser so that no cookies are stored on your device or a message always appears before a new cookie is created. Information about removing cookies in Internet Explorer /
Edge can be found at: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies .
For information about removing cookies in Firefox, see: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectlocale=en-US&redirectslug=delete-cookies-remove -info-websites-stored .
Learn how to remove cookies in Safari here: https://support.apple.com/en-gb/guide/safari/sfri11471/mac .



A general objection to the use of cookies used for online marketing purposes can be declared for a variety of services, for example at http://www.youronlinechoices.com/ or the deactivation page of the network advertising initiative http://optout.networkadvertising.org . However, deactivating cookies may mean that you cannot use all of the functions of our website.

III. Individual processing operations

1. Hosting

To provide our Internet offering, we use services from hosting companies, such as the provision of web servers, storage space, database services, security services and maintenance services. In doing so, we, or our hosting provider, process personal data from users of our Internet offering based on our legitimate interests in the efficient and secure provision of this online offering in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR.

2. Access data and log files

When you access our website or individual pages, the browser on your device automatically sends information to the server of our website. This information is stored in so-called log files by us or our hosting provider and after 7 days at the latest
deleted.

The following information is stored:
• IP address of the requesting computer in anonymized form;
• Date and time of access;
• Name and URL of the retrieved file;
• Website from which access is made (referrer URL);
• the browser used and, if applicable, the operating system of your computer;
• Status codes and amount of data transferred;
• Name of your access provider.

This data is processed for the following purposes:
• Provision of the Internet offering including all functions and content;
• Ensuring a smooth connection to the website;
• Ensuring comfortable use of our website;
• Ensuring system security and stability;
• Anonymized statistical analysis of access;
• Optimization of the website;
• Disclosure to law enforcement authorities if there has been an unlawful interference/attack on our systems;
• Other administrative purposes.

The legal basis for data processing is Article 6 Paragraph 1 Sentence 1 Letter f GDPR. Our legitimate interest follows from the data collection purposes described above. Under no circumstances do we use the data collected for the purpose of drawing conclusions about a person.

3. General contact

If you contact us using the contact details published on our website (e.g. by email) and provide us with personal data, we will use this data to process your request on the basis of Art. 6 Para. 1 Sentence 1 lit . b GDPR, if your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a of the GDPR
and/or in our legitimate interest in effectively processing the inquiries addressed to us in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR. The data will remain with us until you request us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular retention periods - remain unaffected.

4. Contact form

If you use the contact form, we need your email address, name and, if necessary, other contact details so that we can get in touch with you personally. Further information can be provided voluntarily. Data processing for the purpose of contacting us and answering you
Your request will be processed in accordance with Article 6 Paragraph 1 Sentence 1 Letter a of the GDPR on the basis of the consent you have given voluntarily. All personal data collected in connection with the contact form will be deleted after your request has been processed, unless it is retained for the documentation of others
processes are required (e.g. subsequent conclusion of contract).

5. Email direct marketing to customers

If you are a customer of ours and we have received your email address in connection with the sale of a good or service, we may use your email address for direct marketing of our own similar goods or services. This only applies if you have not objected and we clearly inform you of the possibility of objection when collecting the email address and every time it is used. The legal basis for processing is our legitimate interest in direct marketing in accordance with Article 6 (1) (f) GDPR. We store your personal data until you object to data processing.

6. Registration / user account

You have the option of registering on our website by providing personal data. Registration is voluntary and takes place in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR based on the consent you have given voluntarily. Which personal data is transmitted depends on the respective input mask used for registration. The personal data collected is used for the purposes of our offer and to contact you for offer and registration-relevant information. The user account and the data stored in this context are used in particular to make purchasing easier, to enable access to historical orders and to write customer reviews. You can view your personal data and make changes to this data via personal user access.

In principle, your data will not be passed on to third parties unless it is necessary to fulfill contractual obligations in accordance with Art Paragraph 1 lit. c GDPR. Your data will be stored until you delete the user account or instruct us to delete your data. If we need to store your personal data for legal reasons, in particular tax and
If you are obliged to comply with commercial law retention periods, the processing of your personal data will be restricted accordingly until the retention periods expire and then they will be processed
Data deleted.

If you register on our website or use the user account, we store the IP address and the time of the respective usage activity. The storage is based on our legitimate interests in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR in order to provide our offer. Storage is also in your interest to protect you from misuse and other unauthorized persons
to protect use. The IP addresses will be anonymized or deleted after 7 days at the latest.

7. Contract data

In connection with and for the purpose of fulfilling pre-contractual measures and contractual obligations via our website, which are carried out at the request of the data subject, we process the data required by the data subject to fulfill the contract. These include:
• Data of the contractual partner, such as name, address and contact details, possibly different delivery or billing addresses or recipients;
• Contract data, such as subject matter of the contract, term, customer category;
• Payment data such as bank details, credit card details, payment history.

The legal basis for data processing is Article 6 Paragraph 1 Sentence 1 Letter b GDPR.

The data will only be passed on to third parties to the extent that this is necessary to fulfill pre-contractual measures and contractual obligations, e.g. to banks and payment service providers, credit card companies to process payments, to shipping service providers for shipping goods, lawyers and debt collection agencies.

8. Shopify

Our online shop uses the Shopify shop system. The provider is Shopify Inc., 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Kanda. The person responsible for those affected in the EU is Shopify International Ltd., 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter 'Shopify'). The data you enter in our online shop will be processed by Shopify on our behalf. We also use external plugins to improve the usability of our shop. The plugin providers process personal data of shop users on our behalf based on our legitimate interests in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR. Our legitimate interest in data processing is the provision of a user-friendly online shop.

When you use Shopify Pay to pay, we transfer to Shopify Pay your name, email address, mobile phone number, credit card and billing address, shipping address, and the shipping method you select on the checkout page, and related information relating to your order for goods and services purchased from us in order to process payment. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b GDPR.

For more information on how Shopify handles your personal data, please see the relevant privacy policy: https://www.shopify.com/legal/privacy .

The provider of the following Google services is Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter 'Google').

The information collected by Google in connection with the provision of the respective
Services may be transferred to Google servers in the USA and stored there. Please also note our information above on data transfer to third countries.

Further information on how Google handles your personal data can be found in Google's privacy policy: https://www.google.com/intl/de/policies/privacy/ .

Information on the use of data for advertising purposes by Google, settings and objection options can be found on these websites: https://www.google.de/policies/privacy/partners/ , https://www.google.de/policies/technologies/ads / , https://adssettings.google.de/

1. Google services for which your consent is required

The legal basis for using the following Google services is your voluntarily given consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR. The legal basis for data transfer to the USA is also yours
Voluntarily given consent in accordance with Article 49, Paragraph 1, Letter a of the GDPR.

1.1 Google Analytics

This website uses Google Analytics from Google. Google collects data about your use of this website, your usage behavior and, among other things, information about the browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address), time of the server request. This data serves the purpose of ensuring a needs-based design and the ongoing optimization of our internet offering, measuring the success of marketing measures and creating statistical evaluations. In this context, pseudonyms are used
Usage profiles created and cookies used. User and event data is deleted after 26 months. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of us or Google. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymized so that assignment is not possible. You can prevent the storage of cookies by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to fully use all of the functions of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools .google.com/dlpage/gaoptout?hl=de .
You can prevent Google Analytics from collecting information by deactivating Google Analytics in your individual cookie settings . This cookie means that in the future no visitor data from your browser will be collected and stored by Google Analytics when you visit this website. Attention: If you delete your cookies, the opt-out cookie will also be deleted and may have to be activated again by you.

1.2 YouTube

Our website uses media content from the YouTube platform. The purpose is to display media content from the YouTube platform as part of our website. This service collects your IP address and any other data required by Google for YouTube. The information generated about your use of this
Internet offerings are stored on a server in the USA. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of us or Google. If you are logged in to YouTube at the same time, Google can assign your visit to our website directly to your user account there. If you do not want Google to be able to assign the data collected on our website to your respective YouTube user account, you must first log out of YouTube.

2. Other Google services

The legal basis for the use of the following Google services is our legitimate interests in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR. Our legitimate interests are listed below for each service individually.

2.1 Google Tag Manager

This website uses Google Tag Manager for tagging. We use this service in our legitimate interest in maintenance-free and efficient programming and use of HTML tags. This service allows website tags to be managed via an interface. The Google Tool Manager only implements tags. This means: No cookies are used and no personal data is collected. The Google Tool Manager triggers other tags, which in turn may collect data. However, Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it remains in effect for all tracking tags if they are implemented with the Google Tag Manager. Our legitimate interests in using Google Tag Manager are the efficient maintenance of our website and the central management of HTML elements.

V. Links to social media profiles

As part of our website, we use hyperlinks to social media profiles in social networks. If you actively click on a link to such a profile, your browser establishes a direct connection to the respective provider's servers, which means that the provider becomes aware of your visit. If you are logged in to the respective social network at the same time, the provider can assign the visit to the profile to your user account there. In this context, personal data may be processed in the USA. Further information on the processing of personal data can be found in the data protection declaration of the respective social network. The purpose of linking our website to social media profiles is to make our website better known. The access to social media profiles is based on your voluntary decision in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR. The legal basis for the associated data transfer to the USA is also your voluntarily given consent in accordance with Article 49 (1) (a) GDPR.