DATA SECURITY POLICY
Christian Heise e.K.
Statement – The Denim Store
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more specific factors.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broadly defined and includes practically any handling of Data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Kinds of processed Data:
- Master data (e.g. name, addresses)
- Contact details (e.g. email address, phone numbers)
- Usage data (e.g. visited websites, interests in contents, times of access)
- Meta/Communication data (e.g. device information, IP addresses)
In addition, we process:
- Contract data (e.g. subject matter of the contract, term, category of customer)
- Payment data (e.g. bank details, payment history)
of our customers, prospective customers and business partners for the purposes of contractual performance, rendering of services and customer care, marketing, advertising and market research.
Categories of Data Subjects
Visitors and Users of the Online Offer (we refer to Data Subjects hereinafter collectively also as “Users” or “You”).
Purpose of Processing
- Providing the Online Offer, its functions and contents
- Answering contact enquiries and communicating with Users
- Security measures
- Reach measuring/marketing
- Fulfilling obligations under the law or imposed by supervisory authorities
We furthermore process Your Data in the context of ordering processes in our online shop to allow You to select and order the chosen products, and to enable payment and delivery.
The Data that is processed includes master data, communication data, contract data and payment data. The processing takes place for the purpose of performing contractual services as part of our online shop operation, invoicing, delivery and customer service. In this connection, we place session cookies to store the content of the shopping cart and permanent cookies to store the login status.
Relevant Legal Basis
The Processing made in the context of executing Your order is based on Article 6 (1) lit. b) (execution of orders) and lit. c) (legally required archiving) GDPR. In this regard, the information marked by us as “required” is needed to conclude and fulfill the contract.
You have the option to create a customer account where You can, for example, view Your orders. In the course of the registration, You will be told which mandatory information is required. The customer accounts are not publicly accessible and cannot be indexed by search engines. If You have terminated Your customer account, Your Data with regard to the customer account will be deleted, unless it is necessary to store the Data for reasons of commercial or tax law in accordance with Article 6 (1) lit. c) GDPR. If You have terminated Your customer account, it is Your responsibility to back up Your Data prior to the end of the contract.
In the course of the registration and repeated login, and when using our online services, we will store the IP address and the time of the respective User action. The Data will be stored based on our justified interests and also based on Your interest in being protected against abuse and other unauthorized use. The Data will generally not be transferred to third parties, unless this is required to successfully pursue our claims or there is a legal obligation to do so according to Article 6 (1) lit. c) GDPR.
The Data will be deleted after the expiration of statutory warranty and similar obligations.
In accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Cooperation with Processors and Third Parties
If, in the course of the Processing, we disclose Data to other persons and companies (Processors or third parties), transfer Data to them or otherwise grant them access to the Data, this will be done solely on the basis of a legal permission (e.g. when the transfer of Data to a third party, such as a payment services provider, is required according to Art. 6 (1) lit. b) GDPR for the fulfillment of the contract), if You have given Your consent, if a legal obligation requires us to do so or if the transfer is based on our legitimate interests (e.g. engaging representatives, webhosting service providers etc.).
We use Shopify to run our online store – You can read more about how Shopify uses Your personal information here: https://shopify.com/legal/privacy.
We share Your Data with third parties in the context of the delivery of goods or payment and, to the extent legally permitted or required, with legal advisers and authorities.
External Payment Service Providers
Within the scope of the fulfillment of contracts with You, we engage external payment service providers on the basis of Art. 6 (1) lit. b) GDPR. We furthermore engage external payment service providers based on our justified interests according to Art. 6 (1) lit. f) GDPR, in order to offer our Users effective and safe payment options.
The Data processed by the payment service providers includes master data, e.g. the name and address, bank details such as bank account numbers or credit card numbers, passwords, TANs and checksums, as well as information relating to the contract, the sums and the recipient. Such data are required to execute the transactions. Payment Data will only be processed and stored by the payment service providers. This means that we will not receive any information relating to accounts or credit cards but merely information with positive or negative confirmation of the payment. Under certain circumstances, the Data will be transferred to credit bureaus by the payment service providers. This transfer has the purpose of checking identities and credit ratings. In this regard, we refer to the general terms and conditions and the privacy policies of the respective payment service providers.
The general terms and conditions and the privacy policies of the respective payment service providers apply to payment transactions and can be accessed on the respective websites or in the respective transaction apps. We refer to these documents for further information and for the assertion of Data Subject rights such as the right to object or the right of access.
Transfer to Third Countries
Where we Process Data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or where Data is being Processed in a third country in the context of using the services of third parties, or disclosing or transmitting Data to third parties, the Processing will only be made if it is necessary to fulfil our (pre-)contractual obligations, if You have given Your consent, if there is a legal obligation or if we have a legitimate interest to do so. Subject to legal or contractual permissions, we Process Data or arrange for the Processing of the Data in a third country only if the special conditions of Art. 44 seqq. GDPR are fulfilled. This means that the Processing takes place in the third country, e.g. on the basis of special guarantees such as an officially recognized adequacy decision confirming that the data protection level of the third country is equivalent to that of the EU (so-called “adequacy decision”), a “Privacy Shield” certification of the organization to which the Data is transferred or the observation of recognized special contractual obligations (so-called “standard contract clauses”).
Rights of Data Subjects
You have the right to request a confirmation on whether Data relating to You is processed and to obtain information about this Data and further information, as well as a copy of the Data according to Article 15 GDPR.
You have the right according to Article 16 GDPR to request the completion of your Data or the correction of Your inaccurate Data.
In accordance with Article 17 GDPR, You have the right to demand that the relevant Data is deleted immediately or, alternatively, in accordance with Article 18 GDPR, that the processing of the Data is restricted.
You have the right to receive the Data about You, which You have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this Data to another Controller in accordance with Article 20 GDPR.
Furthermore, according to Article 77 GDPR, You have the right to lodge a complaint with the competent supervisory authority.
Right of Revocation
You have the right to revoke any consents given with effect for the future according to Article 7 (3) GDPR.
Right to Object
You can object at any time to the future processing of Your Data pursuant to Article 21 GDPR. The right to object can be exercised in particular with regard to the processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
“Cookies” are small files that contain small amounts of information that are stored on computers or mobile devices of Users when the Users are visiting a website. On subsequent website visits, cookies will be returned to the original website or another website that recognizes the respective cookie. Cookies are primarily used to ensure a proper or efficient functioning of the website and to provide the website operator with information.
Cookies fulfill a number of functions. For example, they allow for an easier navigation between various pages, the saving of Your settings and for being able to generally improve Your User experience. Cookies can tell us, e.g. if You have visited the website previously or if You are a new visitor. They can also help us ensure that ads that You view online have higher relevance to You and Your interests.
There are essentially two kinds of cookies:
- our own cookies that we store directly on Your computer or Your mobile device;
- cookies of third-party providers that are stored by them for us and that can be used by us for various purposes relating to functionality, performance/analysis, advertising/tracking and social networks.
Cookies can remain on Your computer or mobile device for different lengths of time. Some cookies are “session cookies”; these are stored only temporarily for the duration of a session and they expire when You close Your browser. Other cookies are permanent cookies; these will remain on Your computer or mobile device for a defined period and will not be deleted when You close the browser. Permanent cookies can be used by the website to recognize Your computer or mobile device when You reopen Your browser and surf the internet.
We use cookies in particular for the following purposes:
- enabling, simplifying and improving Your access to and the functioning of the website;
- tracking data flows and user behavior in connection with the website;
- understanding how many users use our website regularly and which operating systems (e.g. Windows or Mac OS) and internet browsers (e.g. Firefox, Chrome or Internet Explorer) they use for this;
- monitoring and continuously improving the website performance;
- customizing and improving Your online experience according to Your personal preferences.
The kind of cookies that are used in connection with the website can be classified into four categories: “cookies that are required for our fundamental purposes”, “functions cookies”, “performance and analysis cookies” and “advertising and tracking cookies”. Below, we have compiled further information about each category, also providing information about the respective purpose of the cookies set by us or a third party.
Cookies that are required for fundamental purposes
These cookies are required to be able to make the website and the services provided via the website available to You and to enable You to use various website features (e.g. access to secure areas). Without these cookies, services that You have requested, e.g. secure login accounts, cannot be provided.
Functions cookies
Functions cookies record the settings that You have made on the website and enable us to customize the website to You. This means that we can offer our services exactly how You want it when You stay on the website or return to it. Functions cookies permit us, for example:
- to display to You that You are logged in; and
- to save Your access settings.
Performance and analysis cookies
Cookies of this kind enable us to track how our website, applications and services are used and how effective our marketing campaigns are. They help us customize our offer more specifically to the customers. If You deactivate cookies of this kind, You might not be able to use all features of the website, applications or services anymore and support and information may be restricted.
Advertising and tracking cookies
With cookies of this kind, Data about Your browsing behavior and Your shopping history is collected. This way, we can offer advertising to You that matches Your interests. These cookies ensure that ads do not constantly repeat, that they are displayed correctly and, in some cases, that they are selected so that they are relevant to You. This Data might be shared with third-party providers to be able to offer advertising that is customized to You. If You deactivate cookies of this kind, You might not be able to use all features of the website, applications or services anymore and support and information may be restricted.
If You do not want cookies to be stored on Your computer, please deactivate the corresponding option in the system settings of Your browser. Stored cookies can be deleted in the browser system settings. Deactivating cookies, however, can lead to restrictions in the functions of our Online Offer.
A general objection to the use of the cookies that are set for the purposes of online marketing can be declared with regard to a variety of services, primarily in the case of tracking, via the U.S. webpage http://www.aboutads.info/choices/ or the EU webpage http://www.Youronlinechoices.com/. Furthermore, the storing of cookies can be ended by deactivating them in the browser settings. Please note that You might then not be able to use all features of this Online Offer.
Deletion of Data
Administration, Accounting, Office Organization, Contract Management
Business Analyses and Market Research
To operate our business efficiently, and to be able to detect market trends as well as the preferences of contractual partners and Users, we analyze the Data available to us regarding business transactions, contracts, requests, etc. In doing so, we process master data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 (1) lit. f) GDPR, the Data Subjects of which include contractual partners, prospective customers, existing customers, visitors and Users of our Online Offer.
The analyses are made for the purpose of business evaluations, marketing and market research. In the process, we can consider the registered Users’ profiles including information such as the services they have used. The analyses help us improve user-friendliness, optimize our offer and make our business efficient. The analyses are used solely by us and they are not disclosed externally, unless these are anonymous analyses with aggregated values.
If these analyses or profiles relate to specific persons, they will be deleted or anonymized upon cancellation of the customer account or otherwise after two years from the conclusion of the contract. Furthermore, the overall business analyses and identification of general trends are created in anonymous form wherever possible.
When contacting us (e.g. using the contact form, email, telephone or via social media), Your information will be processed in accordance with Article 6 (1) lit. b) GDPR in order to handle and complete the contact request. Your Data can be stored in a customer relationship management system (“CRM System”) or a comparable organizational system for the handling of requests.
In the notes below, we inform You about the contents of our newsletter and the process for subscribing, mailing and statistical analysis, as well as Your rights to object. By subscribing to our newsletter, You declare Your consent to the receipt of the newsletter and to the described procedures.
Content of the newsletter: We send email newsletters and other messages containing advertising information (hereinafter “Newsletter”) only with the recipients’ consent or a legal permission. If the contents of the Newsletter are described concretely as part of the Newsletter subscription, these contents are binding for Your consent. In addition, our Newsletters contain information about us and our services.
Double-opt-in and logging: Subscription to our Newsletter takes place via a so-called double-opt-in procedure. This means that You will receive an email upon registration in which You are asked to confirm Your registration. This confirmation is necessary so that nobody can sign up using someone else’s email address. Newsletter subscriptions are logged in order to be able to verify the subscription process in accordance with the legal requirements. This includes storing the time of the subscription and confirmation as well as the IP address.
Subscription Data: To sign up for the Newsletter, it is sufficient if You specify Your email address. Optionally, we ask You to please enter a name for the purpose of addressing You personally in the Newsletter.
The Newsletter is emailed and the related performance measurement takes place based on the recipients’ consent according to Article 6 (1) lit. a), Art. 7 GDPR in conjunction with Sec. 7 (2) no. 3 UWG [Act against Unfair Competition] or, if no consent is required, based on our justified interests in direct marketing according to Art. 6 (1) lit. f) GDPR in conjunction with Sec. 7 (3) UWG.
The logging of the subscription process is based on our justified interests according to Art. 6 (1) lit. f) GDPR. Our interest lies in the use of a user-friendly and secure newsletter system, which permits us in particular to render proof of consents.
Cancellation/Revocation – You can cancel the receipt of our Newsletter at any time, i.e. revoke Your consent. You can find a link to cancel the Newsletter at the bottom of each Newsletter. We can store the deregistered email addresses, subject to deviating legal requirements, for up to three years on the basis of our justified interests before we delete them, in order to be able to prove that a consent was formerly given. The processing of this Data is limited to the purpose of a potential defense against legal claims. It is possible to request specific deletion at any time if the former existence of a consent is confirmed at the same time.
Newsletter – MailChimp
The mailing service provider can use the Data of the recipients in pseudonymized form, i.e. without attribution to You, for the purpose of optimizing or improving its own services, e.g. for the technical optimization of the mailing and the presentation of the newsletter or for statistical purposes. The mailing service provider, however, does not use the Data of our Newsletter recipients to write to them by itself or to pass on the Data to third parties.
Newsletter – Performance Measurement
The Newsletters contain a so-called “web beacon”, i.e. a file with the size of one pixel that is retrieved from our server or, if we use a mailing service provider, from the latter’s server when the Newsletter is opened. In the course of the retrieval, initially technical information such as information regarding Your browser and system, as well as Your IP address and the time of the retrieval, is gathered.
This information is used for the technical improvement of the services on the basis of the technical data, or of the target groups and their reading behavior based on the locations of the access (which can be identified by means of the IP address) or the times of the access. The statistical survey also includes determining whether the Newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be attributed to the particular Newsletter recipients. However, it is neither our intention nor that of the mailing service provider, if one is used, to monitor particular Users. The analyses instead help us to identify the reading habits of our Users and to personalize our contents for them or to send different contents according to our Users’ interests.
Google Tag Manager
Google is certified, among others, according to the Privacy Shield Agreement and thereby offers a guarantee that the European data protection laws are observed (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyze the use of our online offer by the Users, to compile reports about the activities within this Online Offer, and to perform further services for us that are related to this Online Offer and the internet use. In the process, pseudonymized User profiles of the Users can be created from the processed Data.
We use Google Analytics only with activated IP anonymization. This means, the Users’ IP addresses will be truncated by Google within the Member States of the European Union or in other signatory states of the Treaty on the European Economic Area. The complete IP address will only be transmitted in exceptional cases to a server of Google in the USA and it will be truncated there.
The IP address transmitted from the User’s browser will not be combined with other Data of Google. The Users can prevent the storing of cookies by a corresponding setting of their browser software; the Users can moreover prevent the gathering of the Data generated by the cookie that is to be forwarded to Google and relates to their use of the online offer, as well as the processing of this Data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
The Users’ personal Data will be deleted or anonymized after 14 months.
Finding a Target Audience with Google Analytics
We use Google Analytics to display the ads placed within the web services of Google and its partners only to such Users who have actually shown an interest in our Online Offer or have certain attributes (e.g. interest in certain topics or products that are determined based on the visited webpages) which we transmit to Google (so-called “remarketing” or “Google Analytics Audiences”). By means of the remarketing audiences, we would also like to ensure that our ads match the Users’ potential interests.
Google AdWords and Conversion Measurement
Based on our legitimate interests (i.e. interest in analysis, optimization and efficient operation of our Online Offer in the definition of Article 6 (1) lit. f) GDPR), we furthermore use the online marketing procedure “AdWords” of Google to place ads in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to Users who are believed to be interested in the ads. This permits us to display ads for and within our Online Offer in a more targeted way and to only present ads that potentially match their interests to the Users. If, for example, ads are displayed to a User in which he/she has shown an interest at other online offers, this is called “remarketing”. For this purpose, a code of Google is executed by Google directly when our webpages or other webpages are retrieved on which the Google advertising network is active and so-called (re)marketing tags (invisible graphics or codes, also referred to as “web beacons”) are embedded in the webpage. These are used to store an individual cookie, i.e. a small file, on the user’s device (instead of cookies, also comparable technologies can be used). It is noted in this file which webpages the User has visited, which contents are interesting to him/her and which offers have been clicked by the User, and further technical information about the browser and operating system, referring websites, time of the visit and additional information on the use of the Online Offer.
We also receive an individual “conversion cookie”. The information gathered by means of the cookie helps Google create conversion statistics for us. We will only find out the anonymous total number of Users, however, who have clicked on our ad and have been redirected to a page that has a conversion tracking tag. However, we do not obtain any information by which the User can be personally identified.
The Data of Users is processed in pseudonymized form within the Google advertising network. This means that Google does not store and process, e.g., the names and email addresses of the User but that it processes the relevant Data as specific to the cookie within pseudonymized user profiles. I.e., from Google’s perspective, the ads are not managed and displayed for a concretely identifiable person but for the cookie owner, regardless of who this cookie owner is. This does not apply if a User has given explicit permission to Google to process the Data without pseudonymization. The information gathered about the Users will be transmitted to Google and stored on Google’s servers in the USA.
Online Profiles in Social Media
We maintain online profiles on social networks and platforms to communicate with customers, prospective customers and Users, who are active there, and to inform them there about our services. For accessing the respective networks and platforms, the general terms and conditions and the Data processing policies of their respective operators apply.
Integration of Third-Party Services and Contents
Within our Online Offer, based on our legitimate interests (i.e. interest in analysis, optimization and efficient operation of our Online Offer in the definition of the Article 6 (1) lit. f) GDPR), we use content and service offers of third-party providers to integrate their contents and services such as videos or fonts (hereinafter referred to collectively as “Contents”).
This always presupposes that the third-party providers of these Contents recognize the IP addresses of the Users, as they would not be able to send the Contents to their browsers without the IP addresses. The IP address is therefore required to display these contents. We work towards using only such contents of providers that respectively use the IP address merely to deliver the contents. Third-party providers can also use so-called pixel tags (invisible graphics that are also referred to as “web beacons”) for statistical or marketing purposes. By means of these “pixel tags”, information can be analyzed such as the visitor traffic on this website. The pseudonymized information can furthermore be stored in cookies on the Users’ devices and contain, among others, technical Data about the browser and operating system, referring websites, time of the visit and other information about the use of our Online Offer, and also be combined with information from other sources.
Use of Facebook Social Plug-ins
Based on our legitimate interests (i.e. interest in analysis, optimization and efficient operation of our Online Offer in the definition of Article 6 (1) lit. f) GDPR), we use social plug-ins (“Plug-ins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The Plug-ins can be interactive elements or contents (e.g. videos, graphics or text contributions) and they can be recognized by the Facebook logo (white “f” on a blue tile, the words “like”, or a “thumbs up” icon) or they are labelled with the addition “Facebook Social Plug-in”. The list and the look of the Facebook Social Plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/?locale=en_US.
Facebook is certified according to the Privacy Shield Agreement and thereby offers a guarantee that the European Data protection laws are observed (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a User calls up a function of this Online Offer that contains such a Plug-in, the User’s device will establish a direct connection to the servers of Facebook. The content of the Plug-in is transferred from Facebook directly to the User's device and integrated in this Online Offer. In the process, user profiles can be created of the Users from the processed Data. We therefore have no influence on the volume of Data that is gathered by Facebook using this Plug-in and we therefore inform the Users according to our state of knowledge.
Through integration of the Plug-ins, Facebook receives the information that a User has called up the corresponding page of our Online Offer. If the User is logged in to Facebook, Facebook can attribute the visit to his/her Facebook account. If Users interact with the Plug-ins, for example, click on the “Like” button or enter a comment, the corresponding information will be transmitted from Your device directly to Facebook where it will be stored. If a User is not a member of Facebook, there is nonetheless the possibility that Facebook will identify and save his/her IP address. According to Facebook, only an anonymized IP address is stored in Germany.
If a User is a member of Facebook and does not want Facebook to collect Data about him/her through this Online Offer and link it to his/her member data stored by Facebook, he/she must log out of Facebook and delete his/her cookies before using our Online Offer. More settings can be adjusted and objections can be raised against the use of Data for marketing purposes in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the U.S. webpage http://www.aboutads.info/choices/ or the EU webpage http://www.Youronlinechoices.com/. The settings are made independently of the platform, i.e. they are adopted for all devices, such as desktop computers or mobile devices.
This website is not targeting children and we do not knowingly gather any information of children without parental consent, unless this is permissible under the law. Anyone up to and including age 16 is considered a child.