Privacy Notice for Sport-Thieme GmbH
(As at: 25/05/2018)
Protecting our customers’ data is extremely important to us. In this document we will inform you about the processing of personal data carried out by Sport-Thieme GmbH in accordance with the General Data Protection Regulation (GDPR), see article 13 of the GDPR. Please read our privacy notice carefully. Should you have any queries or comments regarding this information, you can contact us at any time using the contact information listed in section 2.
The following privacy notice informs you about the type and scope of the processing of personal data carried out by Sport-Thieme GmbH. Personal data are pieces of information that are, or could be, directly or indirectly associated with your person.
The data processing carried out by Sport-Thieme GmbH can be primarily divided into two categories:
In accordance with the stipulations of the GDPR, you have various rights that you can assert against us. These include the right to object to selected data processing, in particular data processing for advertising purposes.
This privacy notice applies to data processing carried out by Sport-Thieme GmbH, represented by Managing Director Maximilian Hohe, Helmstedter Straße 40, 38368 Grasleben (‘the person responsible’), and for the website www.sport-thieme.com. Sport-Thieme GmbH’s company data protection officer can be contacted at the above address, ‘for the attention of’ the Data Protection Department, or via firstname.lastname@example.org
3.1. Accessing our website
When accessing our website, information is automatically sent to the server of our website by the browser being used on your end device and is temporarily saved in a so-called log file. We have no control over this. In the process, the following information is collected without any action on your part and stored until it is deleted automatically:
The legal basis for the processing of the IP address is article 6, paragraph 1 (f) of the GDPR. Our legitimate interest ensues from the purposes for data collection listed hereafter. We would like to point out that your identity cannot be directly inferred from the data collected and that no conclusions are drawn by us.
We use your end device’s IP address as well as the other data listed above for the following purposes:
3.2. Conclusion, execution or termination of a contract
3.2.1. Data processing on conclusion of the contract
Sport-Thieme GmbH’s business objective is the distance selling of products and services as well as the series production of a portion of the products that are offered. In this context, we process the data necessary for the conclusion, execution or termination of a contract with you. These include:
The legal basis for this is article 6, paragraph 1 (b) of the GDPR. This means that you provide us with your data on the basis of the contractual relationship or in preparation of a contractual relationship between you and us. Furthermore, we are obliged to process your email address due to the German Civil Code (Bürgerliches Gesetzbuch – BGB), which stipulates that we send an electronic order confirmation (article 6, paragraph 1 (c) of the GDPR). Provided we do not use your contact details for advertising purposes (see 3.3), we store the data collected for contract processing until the expiration of legal and possible contractual warranty and guarantee rights. After the expiration of this period, we retain information from the contractual relationship required under trade and tax laws for the legally specified time period. During this period (normally ten years after the conclusion of the contract), the data will only be processed again in the case of an audit by the tax authorities. Provided that you are entitled to a warranty in compliance with our general terms and conditions, we would like to point out that some products have a warranty period that might exceed the legal retention period.
Furthermore, the following data processing is necessary for executing the sales contract:
Provided that you have chosen a payment method other than prepayment or sale on account, we pass the necessary payment information to a payment service provider commissioned by us.
For the purpose of processing the sales contract, we pass information regarding your shipping address to a logistics company commissioned by us. We only request your telephone number in the order form when you order products that are delivered by freight. Your telephone number is passed on to the logistics company commissioned by us in the case of freight shipments to ensure that the goods are delivered in consultation with you and according to your wishes. The logistics company will contact you prior to delivery to inform you of the delivery time or to agree details of the delivery with you.
Products may be supplied to you directly from the manufacturer (drop shipping). To fulfil your order, the shipping address is passed on to the manufacturer for the purpose of shipping.
The data are only transferred for this purpose and are deleted after successful delivery.
3.2.2. Credit rating
If we make advance outlays or deliveries e.g. with a sale on account, we have put our own scoring process in place in order to safeguard our legitimate interests in protecting us against credit risk, article 6, paragraph 1 (f) of the GDPR. Scoring is defined as making a prognosis about future events based on collected information and experiences from the past. Using information provided by you or, if necessary, data we already have saved, you are allocated to statistical groups of people who have previously entered similar information. The underlying process used is a well-founded, mathematical and statistical method of making a prognosis about the probability of risks which has been tried and tested for a long time. In addition, we use concrete creditworthiness information that we have collected about you in the course of our previous business relations, e.g. your payment history.
If our own credit-rating system does not yield the result that we are sufficiently protected against credit risk, we obtain a credit check via consumer credit agencies. The legal basis for this is also article 6, paragraph 1 (f) of the GDPR in order to safeguard our legitimate interest in protecting us against credit risk. To do this, we work with the following credit agencies, who provide us with the data required therefor.
126.96.36.199. Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss
For the purpose of carrying out a credit check, we pass on your name and contact details to Creditreform. By order of Creditreform Boniversum, we provide you with information in accordance with article 14 of the GDPR, which you can read here: https://www.creditreform-duesseldorf.de/EU-DSGVO/.
188.8.131.52. CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich
Within the scope of this contractual relationship, we pass on collected personal data concerning the application, implementation and termination of this business relationship to CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich.
CRIFBÜRGEL processes the data received and also uses them for the purposes of scoring in order to provide its contractual partners in the European Economic Area and in Switzerland as well as in other countries if necessary (provided that there is an adequacy decision about them from the European Commission) with information about the assessment of creditworthiness of natural persons, etc. You can find out more about CRIFBÜRGEL’s work at www.crifbuergel.de/de/datenschutz.
The credit check may lead to not all payment methods offered being available. You have the right to a manual review, presenting your own viewpoint, as well as to challenge the decision in this case.
In the event of late payment and provided that the other statutory requirements are met, we pass on the required data to a company commissioned with asserting the claim. Both article 6, paragraph 1 (b) and article 6, paragraph 1 (f) of the GDPR are the legal basis for this. Assertion of a contractual claim is to be considered as a legitimate interest in keeping with the latter stipulation.
The following statements relate to the processing of personal data for advertising purposes. The GDPR describes data processing of this kind based on article 6, paragraph 1 (f), as conceivable in principle and as a legitimate interest. The duration of the retention period for data used for advertising purposes does not follow any strict guidelines and is based on the question of whether storage is required to deliver advertising. At Sport-Thieme GmbH, we also abide by the principle of ceasing to use your data for advertising purposes no later than five years after your last contact. Please see section 3.3.3. for the process should you object.
3.3.1. Sport-Thieme GmbH and third-party advertising purposes
If you have concluded a contract with us, we will keep a record of you as an existing customer. In this case, we use your postal address beyond the existence of distinct consent to send you information about new products and services. We occasionally pass on your postal address to contractual partners, carefully chosen by us, from mail-order and telecommunications fields so that they can also inform you about their products. We use your email address beyond the existence of distinct consent to provide you with information about our own, similar products. Following the purchase, you will also receive an automatic email, in which we ask you to rate us and our products. In doing so, you are helping us to adapt and to further develop our products and our product range.
3.3.2. Advertising that reflects your interests
To ensure that you only receive promotional information that might be of interest to you, we categorise your customer profile and add additional information to it. To do this, statistical information and information about you is used (e.g. basic information from your customer profile). Our aim is to only send you advertising that is or might be of interest to you and to not bother you with advertising that is not useful to you.
3.3.3. Right to object
You can object to your data being processed for advertising purposes at any time, separately for the respective communication channels and with effect for the future, without incurring costs other than the transmission costs at the basic prices. To do this, simply send an email to email@example.com or write to the contact details stated in section 2.
If you object, the contact address in question is blocked from further data processing for advertising purposes. Please note that, in exceptional cases, advertising material could temporarily continue to be sent even after you have lodged your objection. The technical reason for this is the required lead time of advertisements and it does not mean that we are not implementing your objection. Thank you very much for your understanding.
3.3.4. Newsletter distribution
You can sign up for our newsletter on our website. To make sure that there are no mistakes in the email address you have provided us with, we use a double opt-in system: Upon submitting your email address in the sign-up field, we will send you a confirmation link. Only once you have clicked on this confirmation link will your email address be added to our distribution list. The newsletter we send to you provides us with information including confirmation of receipt and whether it has been read or not, as well as which links you have clicked on in the newsletter. Your user behaviour with regards to the newsletters you receive from us and our website is analysed and assigned to your email address / user profile stored within our database. By creating a personalised user profile, we wish to tailor our advertising to your interests and optimise the offerings on our website for you. The processing of your electronic contact data and its analysis as described occurs solely on the basis that you have given your consent (article 6, paragraph 1 (a) of the GDPR) at this point. You can withdraw your consent at any time with effect for the future. To do this, simply send a short note via email to firstname.lastname@example.org or click on the ‘Unsubscribe’ button, located at the bottom of every newsletter.
3.4. Online presence and website optimisation
3.4.1. Cookies – General information
We use so-called cookies on our website. If as these cookies are personal data, they are used based on article 6, paragraph 1 (f) of the GDPR. Our interest to optimise our website is to be considered as justified in accordance with the aforementioned provision. Cookies are small files which your browser generates automatically, and which are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not harm your end device in any way, they do not contain viruses, Trojans or other malicious software. Information is stored in the cookie, which stems from the connection with the specific end device used in each case. However, this does not mean that we immediately get to know your identity. On the one hand, cookies are used to make the use of our offering more convenient for you. We use so-called session cookies, for example, to recognise that you have already visited individual pages on our website or that you have already logged in to your customer account. These are automatically deleted when you have left our site. In addition, also for user friendliness, we use temporary cookies that are stored on your end device for a specific period of time. If you visit our site again to use our services, the system automatically recognises that you have already visited us and remembers the inputs and settings you have entered, so you do not have to re-enter them.
If you have a customer account with Sport-Thieme GmbH and you are logged in or you activate the ‘Stay logged in’ function, the information stored in cookies will be saved to your customer account.
3.4.2. Google Analytics
Based on article 6, paragraph 1 (f) of the GDPR we use Google Analytics, a web analysis service provided by Google Inc. (‘Google’), for the purpose of the needs-oriented design and continuous optimisation of our pages. In this context, pseudonymised usage profiles are created and cookies are used. The information generated by the cookie about your use of this website, such as
will be transmitted to a Google server in the USA and saved there. The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and Internet usage for the purpose of market research and tailor-made website design. This information is also transmitted to third parties, if necessary, provided this is stipulated by law or third parties have been commissioned to process these data. On no account will your IP address be linked to any other data provided by Google. The IP addresses are anonymised, so that an association is not possible (so-called IP masking).
You can disable the installation of cookies by setting your browser software accordingly; however, please note that in this case you might not be able to make full use of this website’s features. In addition, you can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) as well as Google’s processing of such data by downloading and installing this browser add-on. As an alternative to the browser add-on, in particular for browsers on mobile end devices, you can also prevent the collection of data by Google Analytics by clicking this link. An opt-out cookie will be generated which prevents future collection of your data when you visit this website. The opt-out cookie is only valid for this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must generate the opt-out cookie again. More information about privacy regarding Google Analytics is available on the Google Analytics website.
3.4.3. Google Tag Manager
This website uses the Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags through an interface. The Tag Manager tool itself (which implements the tags) is a cookie-free domain and does not collect personal data. The tool triggers other tags, which may collect data. Google Tag Manager does not access these data. Deactivation at a domain or cookie level remains in effect for all tracking tags that were implemented with Google Tag Manager.
3.4.4. Web analysis with GA audiences
3.4.5. Adobe Typekit web fonts
We use Adobe Typekit for the visual design of this website. This is a legitimate interest within the meaning of article 6, paragraph 1 (f) of the GDPR. Typekit is a service provided by Adobe Systems Software Ireland Ltd. This gives us access to the Adobe font library. To enable a uniform display of the fonts we use, the browser you are using loads the required so-called web fonts into your browser cache. To this end, the browser you are using connects to the Adobe Typekit servers (location: USA). Thus, Adobe Typekit is informed that our website has been accessed from your IP-address.
If your browser does not support web fonts a standard font is displayed.
Further information about Adobe Typekit is available at https://typekit.com/ and in the Adobe Typekit privacy statement at https://www.adobe.com/de/privacy/policies/typekit.html
3.4.7. Re-targeting using Criteo
Using technology from Criteo (Criteo GmbH, Unterer Anger 3, 80331 Munich), information about the surfing behaviour of the website visitors is collected in an entirely anonymous form for marketing purposes on our websites and online offers. Cookies are stored for this purpose. Here, the basis for using the Criteo service is our legitimate interest according to article 6, paragraph 1 (f) of the GDPR.
Thus, Criteo can analyse the surfing behaviour and subsequently display targeted product recommendations as a suitable advertising banner when other websites are visited. On no account can the anonymised data be used to personally identify the website visitor. The data collected by Criteo are only used to improve the advertising. There is a small ‘i’ (for information) in the bottom right-hand corner of each banner which opens when the mouse is hovered over it and, when clicked on, leads to a page that explains the system and offers the option to opt out. Clicking on ‘Opt out’ generates an ‘Opt out’ cookie which prevents these banners from being shown in the future. Data are not used in any other way or shared with third parties.
Criteo can use its own different tracking tools such as Yahoo Analytics, ADTECH and Live Intent. More information is available from Criteo at https://www.criteo.com/privacy/, where you can object to your surfing behaviour being analysed anonymously.
3.4.8. Google AdWords
We use Google AdWords to draw attention to our attractive offers with the help of advertising materials (so-called Google AdWords) on external websites. We can determine how successful the individual advertising measures are in relation to the advertising campaign’s data. With this, we aim to show you advertisements that are of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs.
These advertising materials are delivered by Google via so-called ‘ad servers’. To this end, we use ad server cookies which measure certain performance assessment parameters such as display of the ads and user clicks. If you access our website through a Google ad, Google AdWords will store a cookie on your PC. These cookies normally expire after 30 days and they are not intended to identify you personally. Normally, the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant to post-view conversions) and opt-out information (sign that the user does not wish to be addressed anymore) are stored as analysis values with this cookie.
These cookies enable Google to recognise your web browser. If a user visits certain pages of an AdWords customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can see that the user clicked on the ad and was redirected to that page. Each AdWords customer is allocated a different cookie. Therefore, cookies cannot be tracked through the AdWords customers’ websites. We ourselves do not collect and process any personal data in the aforementioned advertising measures. Google only provides us with statistical evaluations. Based on these evaluations we can see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material, in particular we cannot identify the users based on this information.
Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the extent and the further use of the data, which are collected by Google using this tool and therefore we inform you according to our current knowledge: by including AdWords Conversion, Google receives the information that you have accessed the relevant part of our Internet presence or have clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or not logged in, it is possible that the provider will find out and store your IP address.
3.4.9. Google Remarketing
Our website uses Bing Ads technology to collect and store data that are then used to create usage profiles using pseudonyms. This is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. This service enables us to track user activity on our website if they have accessed our website through Bing Ads advertisements. If you access our website via one of these adverts, a cookie will be stored on your computer. A Bing UET tag is integrated into our website. This is a code which is used, in conjunction with the cookie, to store some non-personal data about the use of the website. These include the time spent on the website, which areas of the website were accessed, and through which advert the user accessed the website. Information on your identity is not collected.
The collected information is transmitted to a Microsoft server in the USA and stored there generally for a maximum of 180 days. You can prevent the collection of the data generated by the cookie and related to your use of the website as well as the processing of such data by disabling the creation of cookies. This may limit the functionality of the website.
Furthermore, Microsoft may be able to track your usage behaviour across several of your electronic devices through so-called cross-device tracking and is thereby able to display personalised advertising on Microsoft websites and in apps. You can disable this behaviour at http://choice.microsoft.com/en-us/opt-out.
3.4.10. Option to object /opt out
In addition to the disabling methods described above, you can generally stop the outlined targeting technologies through relevant cookie settings in your browser (see also 3.4.1). Furthermore, you have the option to disable preference-based advertising using the Preference Manager, which is available here.
3.5. Establishing contact, contact forms, evaluation functions and ‘queries about the product’
The following processing is carried out at least on the basis that you have given your consent in keeping with article 6, paragraph 1 (a) of the GDPR by actively contacting us or leaving a product review. Depending on the content of your request, your data can also be processed based on article 6, paragraph 1 (b) (processing to fulfil a contract, e.g. your order or to carry out pre-contractual activities at your request, e.g. requesting an offer) or article 6, paragraph 1 (c) (processing to fulfil a legal obligation from us, e.g. as part of a warranty claim).
You can send general queries to us using the contact form provided on our website. You must provide your name, an email address and a telephone number to enable us to contact you. You can choose to provide further information.
We collect these data so that we know who a request is coming from and so that we are able to respond to this as effectively as possible using the method that you have specified.
When you review a product in our online shop we ask you to provide a name and an email address. Names and email addresses are not published. In this case, another legal reason is our legitimate interest in being able to react, for example, in the event of prohibited or illegal assessments, in keeping with article 6, paragraph 1 (f) of the GDPR.
You can edit or delete your published opinion at any time. To do so, please write to us at email@example.com.
If you use the ‘Product query’ function, you are also required to submit a name and email address so that we can respond to you directly if necessary. Should your question be published, your name and your email address are not displayed.
If you contact us by telephone, we ask you to provide data necessary for processing your request as part of the content of your request.
With the exception of the processing described in sections 3.4.2., 3.4.6., 3.4.8. and 3.4.9., we do not give your data to recipients based outside of the European Union or European Economic Area. The processing mentioned in sections 3.4.2., 3.4.6., 3.4.8. and 3.4.9. cause data to be transmitted to the servers of suppliers of tracking or targeting technologies commissioned by us. These servers are located in the USA. The data are transmitted in accordance with the guidelines of the so-called Privacy Shield and on the basis of the so-called standard contractual clauses of the EU Commission.
In addition to the right to withdraw the consent you have given us, you also have the following rights if the respective legal requirements are met:
The right to be informed about your personal data that we keep as per article 15 of the GDPR; in particular, you can request information about the purposes of the processing, the category of personal data, the categories of recipient to whom your data has been or will be disclosed, the envisaged period for which your data will be stored or the source of your data if these were not directly collected from you,
5.2. The right to object
Provided that the conditions of article 21, paragraph 1 of the GDPR are met, data processing can be objected to on grounds resulting from the particular situation of the person concerned.
The aforementioned general right to object applies to all purposes for the processing of personal data described in this privacy notice which are processed based on article 6, paragraph 1 (f) of the GDPR. Unlike with the special right to object to data processing for advertising purposes (see 3.3.3. above), as per the GDPR we are only obliged to implement any such general objection if you provide us with reasons of an overriding interest (e.g. risk to life or health). Furthermore, you have the option to contact the supervisory authority responsible for Sport-Thieme GmbH, the state representative of Lower Saxony for data protection: Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany, Tel. +49 511 120 4500, Fax +49 511 120 4599, email: firstname.lastname@example.org.
All of the data submitted by you personally, including your payment details, are transmitted using the standard and secure SSL (Secure Socket Layer) protocol. SSL is a secure and reliable protocol, which is also used for secure data transfer in online banking, for example. Amongst other things, you can identify a secure SSL connection if the ‘http’ in the browser address ends in an ‘s’ (i.e. https://....) or if your browser displays a lock symbol.
Apart from that, we apply suitable technical and procedural security measures to safeguard your personal data we are storing from manipulation, partial or total loss or unauthorised third-party access.