Registered office of the KG
Enger, AG Bad Oeynhausen HRA 3912
Personally liable company
Hera Verwaltungs GmbH, Sitz Enger
AG Bad Oeynhausen HRB 5594
Dr. Philipp Andrae
(in the following supplier)
Data protection officer:
towards the users of the website hera-shop.com. With the following declaration we inform you about the type, scope and purposes of the collection, processing and use of your data in connection with the visit to our website.
The provider saves and processes your personal data in compliance with the relevant data protection regulations, in particular the Basic Data Protection Regulation (DSGVO), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).
The provider observes the principle of data minimization. This means that data is collected and processed only to the necessary extent for the purposes of processing, as it is appropriate and necessary for the provision of a functional website and with regard to the content and services offered. The processing is carried out either on the basis of prior consent or if this is permitted by legal regulations.
If you call up the provider's website, the provider processes certain usage data to enable you to use his offer.
If you enter data into the provider's contact form, the provider processes these data exclusively for the purposes stated in each case.
All processed personal data will be deleted by the provider after expiry of the storage period.
You have a right of access to your data or the right to correct, delete or limit the processing of your data, a right to object to the processing, a right to data transferability and a right of appeal to a supervisory authority.
More detailed information is available below.
II. data protection information according to Art. 13, 14 DSGVO and according to §§ 32 ff. BDSG 2018
a. Personal data
Personal data shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b. Inventory data
Inventory data are personal data of a user, which are necessary for the establishment, content design or modification of a contractual relationship between the service provider and the user regarding the use of telemedia.
c. Usage data
Usage data are personal data of a user, which are necessary to enable and invoice the use of telemedia. This includes in particular features for the identification of the user, information on the beginning and end as well as the scope of the respective use and information on the telemedia applied by the user.
Processing is any operation or set of operations, performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organising, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the inclusion of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person;
Cookies are small text files that are stored on your computer. Cookies always have a period of validity which may be limited to the end of the user session (so-called session cookies) or may exist for a longer period of time (so-called permanent cookies). These permanent cookies remain on your computer and enable the provider or its partner companies (so-called third party cookies) to recognize your computer during your next visit. You can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept or reject them in certain cases or generally. If cookies are not accepted, the functionality of the website may be limited.
Every browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how to change your cookie settings.
g. Use of Google Analytics
If you have given your consent via our consent tool, Google Analytics will be used on our website. This is a web analytics service provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA (hereinafter: "Google"). "Google" is a group of companies and consists of the companies Google Ireland Ltd. (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA and other affiliated companies of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA.
Google Analytics uses so-called "cookies", i.e. text files that are stored on your computer to enable an analysis of user behavior. The information about your usage behavior obtained by the cookie is usually transmitted to a Google server in the USA and saved there. However, due to the activation of IP anonymization on our website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the USA and then shortened there.
https://www.google.com/analytics/terms/de.html und unter https://policies.google.com/?hl=de.
We have concluded an order data processing contract with Google. On our behalf, Google will use this information to evaluate your user behavior (analysis of website activity).
The data sent by us is automatically deleted monthly after 14 months.
h. Use of Google Tag Manager
We use the service called Google Tag Manager from Google. With the Google Tag Manager we can integrate various codes and services on our website. In doing so, Google may process information (including personal data). It cannot be ruled out that Google will also transmit the information to a server in a third country. The following personal data is processed by the Google Tag Manager:
• Online identifiers (including cookie identifiers)
• IP address
Further information is available at https://www.google.de/tagmanager/use-policy.html as well as below https://www.google.com/intl/de/policies/privacy/index.html under the section “Data we receive as a result of your use of our services”.
We have concluded an order processing contract with Google for the use of the Google Tag Manager (Article 28 GDPR).
The legal basis for the processing of personal data described here within the framework of Google Analytics and Google Tag Manager is your express consent pursuant to Article 6 (1) (a) GDPR via our consent tool.
i. Withdrawal of consent:
You can prevent tracking by Google Analytics on our website and the use of the Google Tag Manager by clicking on this link , which will install an opt-out cookie on your device. This can also be achieved through a setting in the browser menu (see II. 1. f).
2. description and scope of the processing of your data
With this section we inform you about the purposes for which the personal data will be processed and the legal basis for the processing.
a. Processing affecting the entire website
The provider processes the data provided by you to enable you to use this website. The provider uses technology to measure reach in the context of advertising and market research. You can find more detailed explanations in the following explanations.
b. Processing in case of sending e-mails and contacting by telephone
You can contact the provider via the e-mail address and telephone numbers provided on the website. The provider processes the data you provide to answer your contact request.
Data collection (stock data):
- First and last name
In the case of sending an e-mail or making contact by telephone, the aforementioned inventory data will be processed if you communicate this to the provider.
The legal basis for the processing of the data is Art. 6 Para. 1 letter a DSGVO, if you have given your consent to the provider, and furthermore the protection of legitimate interests in accordance with Art. 6 Para. 1 letter f DSGVO. If the purpose of the contact is to initiate a contract, Art. 6 para. 1 lit. b DSGVO is also a legal basis for data processing.
Data provided by you will be deleted immediately after the completion of your request, in case of missing completion at the latest after 1 year after the last contact, unless your data is subject to a longer storage period for a separate reason (e.g. storage of information which serves the fulfilment of the contract). The request is completed when it can be concluded from the circumstances that the matter in question has been finally clarified.
You have the possibility at any time to revoke your consent to the processing of personal data or to object to data processing which is not based on consent. The exercise of the revocation or objection can be made in particular by e-mail to the above-mentioned contact e-mail addresses. All personal data that the provider has stored in the course of your contact will be deleted in this case.
In principle, your right of revocation does not refer to such data which the provider requires in the context of the fulfilment of a contract or of pre-contractual measures.
c. Processing of log data
When accessing the provider's website, your internet browser automatically transmits certain data to the provider's server for technical reasons. The following data is collected by the provider separately from other data that you may transmit to the provider and used for the aforementioned purposes:
Data collection (usage data)
- Name of the accessed website or url
- Date and time of retrieval
- Access status / Http status code
- Website through which the request comes
- IP address (anonymized, shortened by the last 3 digits)
- randomly generated key number of the cookie or session.
The legal basis for the storage of the data and the log files are the legitimate interests of the provider (including the detection of hacker attacks) in accordance with Art. 6 para. 1 lit. f DSGVO.
In case of storage of the data in log files, the usage data will be deleted after 7 days at the latest. Storage beyond this period is possible in accordance with data protection laws. In this case, the IP addresses are deleted or alienated, so that it is no longer possible to allocate the Internet page retrieval to your computer.
The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. There is therefore no possibility of objection on the part of the user. However, you can exercise your right of objection by means of automated procedures in which technical specifications are used, e.g. in the case of anonymisation of your IP address by VPN providers.
d. Processing in case of the use of forms (contact form, order function in the webshop, newsletter subscription)
The provider provides contact forms which you can use to send the provider a message.
Data collection (stock data):
The data collected is derived from the respective form. As a rule, the data is as follows:
- First and last name
- Street (regarding contact, invoice- and delivery address)
- Postcode (regarding contact, invoice- and delivery address)
- Place (regarding contact, invoice- and delivery address)
The legal basis for the processing of the data is Art. 6 para. 1 letter a DSGVO if you have given your consent to the provider, and furthermore in the case of data processing for legitimate interests of the provider also Art. 6 para. 1 letter f DSGVO. If the purpose of the contact is to initiate a contract, Art. 6 para. 1 lit. b DSGVO is also a legal basis for data processing.
Data provided by you will be deleted immediately after completion of your request, in case of missing completion at the latest after 1 year after the last contact, unless your data is subject to a longer storage period for a separate reason (e.g. the storage of information which serves the fulfilment of the contract). The request is deemed to have been completed when it is clear from the circumstances that the matter in question has been definitively clarified. You have the possibility at any time to revoke your consent to the processing of personal data or to object to data processing which is not based on consent. The exercise of the revocation or objection can be done in particular by e-mail to the above-mentioned contact e-mail addresses. All personal data that the provider has stored in the course of your contact will be deleted in this case. Your right of revocation does not generally refer to such data which the provider requires in the context of the fulfilment of a contract or of pre-contractual measures. However, you may be entitled to further rights.
- randomly generated key number of the cookie or session (session cookie). The session cookie is technically necessary to ensure the shop function of the website (shopping cart, order/enquiry).
The legal basis for the storage of the data and log files are the legitimate interests of the provider in accordance with Art. 6 para. 1 lit. f DSGVO. These consist in guaranteeing the functionality of the website, which serves the purpose of advertising the provider.
f. Content tool
In addition, when you enter the site via a content tool, you will be asked whether you wish to have other cookies set in addition to those technically required. Only if you confirm this by ticking the appropriate box will cookies other than those required for technical reasons be set. The legal basis for the storage of data and log files for technically not necessary cookies is your consent in accordance with Art. 6 Para. 1 lit. a DSGVO.
3. existence of appropriate guarantees
As far as the provider collects usage data, he always saves them under pseudonyms (in case of cookies e.g. via a unique session key). The provider does not combine pseudonymous data with the data about the bearer of the pseudonym (such as inventory data).
b.Use of encryption technologies
When transferring data between your computer or mobile device and the provider's server, the provider uses the SSL (Secure Socket Layer) security system. This technology is intended to protect your data from being read by unauthorized third parties and offers a very high standard of security. You can recognize that your data is transmitted in encrypted form by the closed display of a key or lock symbol in the lower status bar of your browser.
4. recipients of the personal data in the EU
The provider transfers your data to the following companies:
Mittwald CM Service GmbH & Co. KG (Hosting-Dienstleister)
Königsberger Straße 4-6
5. recipients of the personal data in third countries
The provider will not transfer your data to recipients outside the EU.
6. further processing for other purposes
Unless otherwise stated above, your data will not be passed on to third parties or processed for purposes other than those stated.
7. rights of data subjects
You have a right of access to personal data concerning you and the right to rectify or erase such data or to limit processing or to object to processing, the right of data transfer and the right of appeal to a supervisory authority in accordance with the description below.
a. Your right to information
You have the right to request confirmation from the provider as to whether personal data concerning you is being processed. If this is the case, you have the right to be informed about this personal data and to receive the following information: the purposes of the processing; the categories of personal data processed; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations; if possible, the envisaged duration for which the personal data will be kept or, if that is not possible, the criteria for determining that duration; the existence of a right of rectification or erasure of personal data relating to him or her or of a right of the controller to restrict processing or object to such processing; the existence of a right of appeal to a supervisory authority; if the personal data are not collected from the data subject, any available information concerning the origin of the data; the existence of automated decision making including profiling (according to Article 22(1) and (4) DPA) and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
b. Right of rectification
You have the right to request the provider to correct incorrect personal data concerning you without delay. You have the right to request the completion of incomplete personal data - also by means of a supplementary declaration - if this is compatible with the above-mentioned purposes of processing or if there is a factual reason for this.
c. Right of cancellation
You have the right to demand from the provider that personal data concerning you be deleted immediately. We are obliged to delete personal data immediately if one of the following reasons applies:
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed; the data subject withdraws the consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) FADP and there is no other legal basis for the processing; the data subject objects to the processing pursuant to Article 21(1) DPA and there are no overriding legitimate reasons for processing, or the data subject objects to the processing pursuant to Article 21(2) DPA; the personal data have been processed unlawfully; the deletion of the personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the responsible person is subject; the personal data was collected in relation to information society services offered, in accordance with Article 8(1) of the DSGVO (consent of a child in relation to information society services).
Where we have made personal data public and are obliged to delete them, we shall take reasonable measures, including technical measures, taking into account available technology and implementation costs, to inform data controllers who process personal data that a data subject has requested us to delete all links to such personal data or copies or replications of such personal data.
However, you do not have a right of cancellation pursuant to Art. 17 (3) DSGVO to the extent that the processing is necessary for the exercise of the right to freedom of expression and information; to comply with a legal obligation to which the processing is subject under the law of the Union or of the Member States to which the controller is subject; or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest relating to public health pursuant to Article 9 paragraph 2 letters h and i and Article 9 paragraph 3 DSGVO; for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Article 89 paragraph 1 DSGVO, insofar as the right referred to in paragraph 1 is likely to make the attainment of the objectives of such processing impossible or seriously hamper it, or for the assertion, exercise or defence of legal claims.
d. Right to restrict processing
You have the right to ask us to restrict processing if one of the following conditions is met: the accuracy of the personal data is contested by the data subject for a period of time which allows the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject refuses to have the personal data deleted and instead requests the restriction of the use of the personal data; the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the purpose of asserting, exercising or defending legal claims, or the data subject has lodged an objection to the processing pursuant to Article 21(1), until such time as it is established that the controller's legitimate reasons outweigh those of the data subject.
If the processing has been restricted, such personal data may be processed, with the exception of storage, only with your consent or for the purpose of pursuing, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State. If you have obtained a restriction on processing, you will be informed by us before the restriction is lifted.
e. Right to data transferability
You have the right to receive the personal data concerning you that you have provided to a controller in a structured, common and machine-readable format and you have the right to transfer this data to another controller without hindrance from us or from the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Article 6 paragraph 1 letter a DSGVO or Article 9 paragraph 2 letter a DSGVO or on a contract pursuant to Article 6 paragraph 1 letter b DSGVO and the processing is carried out using automated procedures.
When exercising your right to data transfer in accordance with paragraph 1, you have the right to obtain that personal data be transferred directly from one controller to another controller, as far as technically feasible. This right shall not prejudice the rights and freedoms of other persons.
The exercise of the right to data transferability is without prejudice to Article 17 DSGVO (right to deletion / "right to be forgotten"). This right does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f. Right to object to the processing
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out pursuant to Article 6(1)(e) (performance of a task carried out in the public interest) or (f) (protection of the legitimate interests of the controller or a third party) FADP, including profiling based on these provisions. We then no longer process the personal data unless we can demonstrate compelling reasons for processing that are worthy of protection and outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
If personal data are processed for the purpose of direct marketing, this is only done with prior consent. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising, including profiling, insofar as it is linked to such direct marketing. If you object to processing for the purposes of direct marketing, your personal data will no longer be processed for those purposes.
At the latest at the time of the first communication with you, we must expressly draw your attention to your right to object to the processing as described above; this information must be provided in a comprehensible form that is separate from other information.
In connection with the use of Information Society services, notwithstanding Directive 2002/58/EC, you may exercise your right of objection by means of automated procedures (e.g. by pressing "do not track" functions on the telephone, by changing browser settings and by making appropriate settings in the content tool when you enter the site ), using technical specifications.
You have the right to object, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 paragraph 1 of the DSGVO, unless the processing is necessary for the performance of a task carried out in the public interest.
If you wish to exercise your right of objection, a telephone message or an e-mail to the above-mentioned contact e-mail address is sufficient.
g. Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State in which you are resident or in which you work or in which the alleged infringement occurred, if you consider that the processing of personal data relating to you is contrary to this Regulation.
The supervisory authority to which the complaint has been submitted will inform you as complainant of the status and the results of the complaint, including the possibility of a legal remedy under Article 78 DSGVO.