Data Privacy Information
This privacy statement informs you about how we treat your data. To make the processing of your data transparent, we would like to provide you with the following information to give you an overview of these processing operations. To keep things fair, we additionally want to inform you about your rights pursuant to the EU-General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
NOHO I GMBH & CO. KG is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).
I. General Information
NOHO I GMBH & CO. KG
C/O ONEVEST DEVELOPMENTS GMBH
Große Bleichen 35, 20354 Hamburg, Deutschland
2. Legal Basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data based on law. We process personal data
- solely with your consent (Art. 6 section 1 letter a GDPR),
- to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 section 1 letter b GDPR),
- to comply with a legal obligation (Art. 6 section 1 letter c GDPR) or
- where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 section 1 letter f GDPR).
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.
From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting data for ten years and retain personal data present in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof as well as with complaints and claims for the duration of the statutory limitation periods.
4. Recipients of Data
For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support for IT systems, customer and client management, accounting or destruction of paper files and data carriers. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Apart from that, we may transfer your data to postal and delivery services, our bank, consultants/auditors or the fiscal authority if necessary. Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.
5. Data transfer to third countries
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer shall be authorised if the European Commission has decided that an adequate level of data protection is ensured in such third country.
In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.
Unless otherwise stated below, we use as appropriate safeguards the EU standard contractual clauses for the transfer of personal data to processors in third countries: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087.
6. Processing in the Exercise of your Rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. For the purpose of providing information and preparing such information, we will process the stored data only for this purpose as well as for purposes of data protection control and otherwise restrict processing in accordance with Art. 18 GDPR. These processing operations are based on Art. 6 section 1 letter c GDPR in combination with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.
As the data subject, you are entitled to exercise your rights against us. In particular, you have the following rights:
- Pursuant to Art. 15 GDPR and section 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
- Pursuant to Art. 16 GDPR, you have the right to rectification of your data.
- Pursuant to Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
- Pursuant to Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
- Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
- Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
- If you are of the view that the processing of your personal data infringes GDPR provisions, you have the right to lodge a complaint with a supervisory authority pursuant to Art.77 GDPR.
8. Right to object
Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e or letter f GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.
II. Data processing on our website
During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f GDPR. This processing serves the technical administration and security of the website. The data collected will be deleted after seven days unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.
Our website provides a contact form, through which you can enquire an offer from us. Your data is transferred encrypted (note the ‚https‘ in the address bar of your browser). All data fields marked as mandatory are necessary to be filled in for the handling of your request. Failure to provide the required information will result in us being unable to process your request. You have the alternative option to send us an email.
We process the data for the purpose of handling your request. If your request relates to the establishment or execution of a contract with us, the processing of your data is based on art. 6 sec. 1 letter b GDPR. In all other cases we process data out of our legitimate interest in contacting the person enquiring. The latter data processing finds its legal basis in Art. 6 section 1 letter f GDPR.
If you order a product via our website, we process personal data solely for the purpose of processing the contract or to provide you with the ordered product. In the booking or ordering process, we only process the data that you yourself have entered in the input mask and, if applicable, payment information. In order to be able to deliver the ordered products to you, we transmit your data required for delivery to one of our shipping service providers as specified in the order. The legal basis for the processing is in each case Art. 6 section 1 letter b DSGVO. All data fields marked as mandatory are required for processing your booking or order. Failure to provide them will result in us not being able to process your booking or order. The provision of further data is voluntary.
We work together with various payment service providers. Please note that the respective payment information is collected and processed by the respective payment service providers on their own responsibility.
We offer on our website the possibility to register for our newsletter. After registration we will inform you regularly about the latest news on our offers. A valid e-mail address is required to register for the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and name based on the consent you have given.
The processing is based on the legal basis of Art. 6 section 1 letter a GDPR. You can revoke the consent given at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation. When registering for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 section 1 letter c in conjunction with Art. 7 section 1 GDPR).
5. Facebook Pixel
We use the Facebook Pixel on our website, a Facebook business tool from Facebook Ireland Limited (Ireland, EU). For information on Facebook Ireland's contact details and the contact details of Facebook Ireland's data protection officer, please see Facebook Ireland's data policy at https://www.facebook.com/about/privacy.
- Information about actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
- Specific pixel information such as the pixel ID and the Facebook cookie;
- Information about buttons clicked by visitors to the website;
- Information present in HTTP headers, such as IP addresses, web browser information, page location, and referrer;
- Information about the status of disabling/restricting ad tracking.
In part, this event data is information stored in the device you are using. In addition, cookies are also used via the Facebook pixel, through which information is stored on your end device used.
The Facebook Pixel uses a cookie called _fbp with a storage period of three months.
Such storage of information by the Facebook pixel or access to information already stored in your end device will only occur with your consent.
Tracked conversions appear in the dashboard of our Facebook Ads Manager and Facebook Analytics. We may use the tracked conversions there to measure the effectiveness of our ads, set Custom Audiences for ad targeting, Dynamic Ads campaigns, and analyze the effectiveness of our website's conversion funnels. The features we use through the Facebook Pixel are described in more detail below.
Processing of Event Data for Advertising Purposes
Event data collected via the Facebook pixel is used for targeting our ads and improving ad delivery, personalizing features and content, and improving and securing Facebook products.
For this purpose, event data is collected on our website by means of the Facebook pixel and transmitted to Facebook Ireland. This only takes place if you have previously given your consent to this. The legal basis for the collection and transmission of personal data by us to Facebook Ireland is therefore Art. 6 section 1 letter a GDPR.
This collection and transmission of event data is carried out by us and Facebook Ireland as joint controllers. We have entered into a joint controller processing agreement with Facebook Ireland, which sets out the distribution of data protection obligations between us and Facebook Ireland. In this agreement, we and Facebook Ireland have agreed, among other things,
- that we are responsible for providing you with all information pursuant to Art. 13, 14 GDPR about the joint processing of personal data;
- that Facebook Ireland is responsible for enabling data subjects' rights under Art. 15 to 20 of the GDPR with respect to personal data stored by Facebook Ireland after the joint processing.
You can access the agreement concluded between us and Facebook Ireland at https://www.facebook.com/legal/controller_addendum.
Facebook Ireland is the sole controller for the subsequent processing of the transmitted event data. For more information about how Facebook Ireland processes personal data, including the legal basis on which Facebook Ireland relies and how you can exercise your rights against Facebook Ireland, please see Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy.
Processing of Event Data for Analytics Purposes
We have also engaged Facebook Ireland to prepare reports on the impact of our advertising campaigns and other online content based on the Event Data collected through the Facebook Pixel (Campaign Reports) and to provide analytics and insights about users and their use of our website, products and services (Analytics). We transfer personal data contained in the Event Data to Facebook Ireland for this purpose. The submitted personal data is processed by Facebook Ireland as our processor to provide us with the campaign reports and analytics.
Personal data will only be processed to provide analytics and campaign reports if you have given your prior consent to do so. The legal basis for this processing of personal data is therefore Art. 6 section 1 letter a GDPR.
A transfer of data to Facebook Inc. in the USA cannot be excluded. The legal basis for this transfer is the standard contractual clauses for the transfer of personal data to processors in third countries. Please note the information in the section "Data transfer to third countries".
6. Integrated services
We use services and content (collectively, "Content") provided on our Website by third parties. For such an integration a processing of your IP address is necessary, so that the contents can be sent to your browser. Your IP address will therefore be transmitted to the respective third party providers. This data processing is carried out in order to safeguard our legitimate interests in the optimisation and economic operation of our website and finds its legal basis in Art. 6 section 1 letter f GDPR. You can object to this data processing at any time by changing the settings of your browser or by using certain browser extensions. One such extension is the uMatrix matrix-based firewall for the Firefox and Google Chrome browsers. Please note that this may result in functional restrictions on the website.
We have incorporated into our website content from the following third-party services:
Services provided by Google Ireland Limited (Ireland/EU):
- “Google Web Fonts" to display fonts.
III. Data processing on our Social Media
We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:
Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.
- Data Processing during the Visit of a Social Media Page
- Facebook and Instagram Page
Certain information about you is processed relating to your visit to our Facebook or Instagram page on which we present our company or individual products. Facebook Ireland Ltd (Ireland/EU – ‘Facebook’) is the sole controller of this processing. Further information about the processing of personal data by Facebook is available via https://www.facebook.com/privacy/explanation.
Facebook provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.
Facebook provides us with anonymised statistics and insights for our Facebook and Instagram page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page. Facebook and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page. We have concluded an agreement with Facebook on joint controllership in which the data protection duties are allocated between Facebook and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Facebook are available via https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Facebook directly. Further information is available in Facebook’s privacy statement via https://www.facebook.com/privacy/explanation.
Please note that user data is also processed in the USA and other third countries according to Facebook’s data protection guidelines. Facebook only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.
Generally, Twitter Inc. (USA) is the sole controller of the processing of your personal data relating to your visit to our Twitter account. Further information on the processing of personal data by Twitter Inc. is available via https://twitter.com/de/privacy.
Generally, the Tumblr, Inc. (USA) is the sole controller of the processing of your personal data relating to your visit to our Xing profile. Further information on the processing of personal data by Tumblr, Inc. is available via https://www.tumblr.com/privacy.
Generally, Google Ireland Limited (Ireland/EU) is the sole controller of the processing of your personal data relating to your visit to our YouTube channel. Further information on the processing of personal data by YouTube and Google Ireland Limited is available via https://policies.google.com/privacy.
- Processing of Data you Share with us via our Company Pages
Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey. We are the sole controller of such processing activities.
We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on Art. 6 section 1 letter f GDPR and serve our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 section 1 letter a GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c GDPR).
Status: June 2021