Data privacy statement

This data privacy statement contains information about the type, scope, and purpose of processing personal data (referred to simply as “data” in the following) within the scope of our online offering and the associated websites, functions, and content, as well as external online presences such as our social media profiles (jointly referred to as “online offering” in the following). With regard to the terms that are used, such as “processing” or “controller”, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

KristallTurm® GmbH & Co. KG
An der Bretonenbrücke 8 • D-83661 Lenggries, Germany

Managing Directors
Heinz Tretter, Christine Berry

E-mail
service@kristallturm.de

Phone • Fax
08042 / 912 53 0 • 08042 / 912 53 99

Commercial register
Munich District Court, HRA 94889

VAT no.
104/166/53904

VAT ID no.
DE 270410915

Type of data processed:

– Basic data (e.g. names, addresses).
– Contact data (e.g. e-mail, telephone numbers).
– Content data (e.g. text input, photographs, videos).
– Usage data (e.g. websites visited, interest in content, access times).
– Metadata/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (in the following, we also refer to data subjects collectively as “users”).

Purpose of processing

– Providing the online offering, its functions, and content.
– Responding to contact inquiries and communicating with users.
– Security measures.
– Coverage measurement/marketing.

Terminology

“Personal data” means any information relating to an identified or identifiable natural person (“data subject” in the following); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. This term is far-reaching and encompasses practically any handling of data.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Relevant legal basis

We inform you of the legal basis for our processing of data pursuant to Art. 13 GDPR. Insofar as the legal basis is not identified in the data privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 (1), point a and Art. 7 GDPR, the legal basis for processing in the course of providing our services and for contractual performance is Art. 6 (1), point b GDPR, the legal basis for processing to meet our legal obligations is Art. 6 (1), point c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1), point f GDPR. In case the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1), point d GDPR serves as the legal basis.

Cooperation with processors and third parties

Insofar as we disclose data to other persons and companies (processors or third parties) in the course of our processing, transmit data to them or otherwise grant access to the data, this is done only when legally permissible (e.g. when transmitting the data to third parties, such as payment service providers, is required for contractual performance pursuant to Art. 6 (1), point b GDPR), if you have given your consent, we have a legal obligation to do so, or based on our legitimate interests (e.g. when employing agents, web hosting providers, etc.).

Insofar as we engage third parties to process data based on a “processing contract”, this is done on the basis of Art. 28 GDPR.

Transmission to other countries

Insofar as we process data in another country (i.e. outside the European Union (EU) or European Economic Area (EEA)) or this occurs within the scope of using the services of third parties or the disclosure or transmission of data to third parties, this is done only for the purpose of meeting our (pre-)contractual obligations, based on your consent, based on a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissibility, we only process or have data processed in another country if the special requirements of Art. 44 ff. GDPR are met. This means that processing takes place, for example, on the basis of special guarantees such as the officially recognized determination of a data protection level equivalent to the EU (e.g. by the “Privacy Shield” for the USA) or subject to compliance with officially recognized special contractual obligations (known as “standard contract clauses”).

Rights of the data subject

You have the right to request confirmation whether the data in question are processed and to be provided with information about these data and further information as well as a copy of the data pursuant to Art. 15 GDPR.

Pursuant to Art. 16 GDPR, you have the right to have incomplete personal data completed or to obtain rectification of inaccurate personal data concerning you.

Pursuant to Art. 17 GDPR, you have the right to obtain the erasure of personal data concerning you without undue delay, or alternatively pursuant to Art. 18 GDPR, the right to obtain a restriction of data processing.

You have the right to receive the personal data concerning you, which you have provided to us, and the right to transmit those data to another controller pursuant to Art. 20 GDPR.

Furthermore, pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the applicable supervisory authority.

Right of withdrawal

Pursuant to Art. 7 (3) GDPR, you have the right to withdraw consent with future effect.

Right to object

You have the right to object at any time to the future processing of data concerning you pursuant to Art. 21 GDPR. In particular, you can object to processing for the purpose of direct marketing.

Cookies and the right to object to direct marketing

Cookies are small text files stored on a user’s computer. Various information can be stored in the cookies. The primary purpose of a cookie is to store the information about a user (or the device on which the cookie is stored) during or also after a visit to an online offering. Cookies that are deleted after a user leaves an online offering and closes the browser are called temporary, session, or transient cookies. The contents of a shopping cart in an online shop or a login status for example can be stored in such a cookie. A permanent or persistent cookie continues to be stored even after the browser is closed. It can be used for example to store the login status in case the user returns after several days. Such a cookie can also be used to store the user’s interests, used to measure coverage or for marketing purposes. Third-party cookies are offered by providers other than the controller operating the online offering (otherwise one speaks of “first-party cookies” regarding the cookies of the controller).

We may use temporary and permanent cookies, and provide corresponding information in our data privacy statement.

If a user does not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the browser’s system settings. Excluding cookies may limit the functionality of this online offering.

A general objection to using cookies for the purpose of online marketing can be submitted with numerous services, especially in case of tracking, via the US page http://www.aboutads.info/choices or the EU page http://www.youronlinechoices.com. Furthermore, the storage of cookies can be deactivated in the browser settings. Please note that it may not be possible to use all functions of this online offering in that case.

Erasure of data

The data processed by us are erased or their processing is restricted pursuant to Art. 17 and 18 GDPR. Unless expressly specified in this data privacy statement, the data stored by us are erased as soon as they are no longer needed for their intended purpose and erasure is not prevented by statutory retention obligations. Insofar as the data are not erased because they are required for other and legally permissible purposes, their processing is restricted. That means the data are blocked and not processed for other purposes. This applies for example in case of data that have to be retained for commercial or tax law reasons.

According to legal requirements in Germany, a 6-year retention period applies pursuant to Section 257, Paragraph 1 of the German Commercial Code (HGB) (account books, inventories, opening balance sheets, annual financial statements, business letters, accounting records, etc.) and a 10-year retention period pursuant to Section 147, Paragraph 1 of the Tax Code (AO) (ledgers, records, management reports, accounting records, business letters and correspondence, documents relevant for taxation, etc.).

According to legal requirements in Austria, a 7-year retention period applies pursuant to Section 132, Paragraph 1 of the Federal Fiscal Code (BAO) (accounting records, vouchers/invoices, accounts, receipts, business documents, breakdown of income and expenses, etc.), a 22-year retention period in the context of land, and a 10-year retention period for documents related to services provided electronically and for telecommunication, radio, and television services provided to non-entrepreneurs in EU member states and for which the mini one-stop shop (MOSS) scheme applies.

Processing for business purposes

We also process
– contract data (e.g. object of the contract, term, customer category), and
– payment data (e.g. bank details, payment history)
of our customers, prospects, and business partners for the purpose of providing contractual services, customer support and service, marketing, promotion, and market research.

Hosting

We utilize hosting services in order to provide the following services: Infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance services we use for the purpose of operating this online offering.

In doing so, we or our hosting provider process basic data, contact data, content data, contract data, usage data, metadata, and communication data of customers, prospects, and visitors to this online offering based on our legitimate interest in the efficient and secure delivery of this online offering pursuant to Art. 6 (1), point f GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).

Collection of access data and log files

We or our hosting provider collect data about each access to the server on which this service is located (server log files) on the basis of our legitimate interests pursuant to Art. 6 (1), point f GDPR. The access data include the name of the requested website, file, date and time of access, transmitted data volume, report on the success of access, the browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

For security reasons (e.g. to identify abuse or fraud), log file information is stored for a maximum of 7 days and then erased. Data that must be retained as evidence are exempt from erasure until the respective incident has been finally resolved.

Provision of contractual services

We process basic data (e.g. names and addresses as well as user contact data), and contract data (e.g. services used, names of contact persons, payment information) for the purpose of meeting our contractual obligations and providing services pursuant to Art. 6 (1), point b. GDPR. The information marked as mandatory in online forms is required for the conclusion of a contract.

Within the scope of using our online services, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests and those of the users in protection against misuse and other unauthorized use. Data are generally not disseminated to third parties, except where required to assert our claims or when legally required pursuant to Art. 6 (1), point c GDPR.

We process usage data (e.g. the websites of our online offering that are visited, interest in our products) and content data (e.g. input in the contact form or user profile) for promotional purposes in a user profile, for example to provide the user with product information based on the services used by them in the past.

The data are erased after the end of statutory warranty or comparable obligations. The need to retain the data is reviewed every three years. In case of statutory archiving obligations, erasure takes place after they end. Information in any customer account remains until the account is deleted.

Administration, financial accounting, office organization, contact management

We process data in the course of administrative tasks and the organization of our business, financial accounting, and to meet legal obligations such as archiving. In doing so, we process the same data as in the course of providing our contractual services. The basis of processing is Art. 6 (1), point c. GDPR and Art. 6 (1), point f. GDPR. Customers, prospects, business partners, and website visitors are affected by said processing. The purpose of and our interest in processing lies in administration, financial accounting, office organization, and data archiving, in other words activities that serve to maintain our business activities, complete our tasks, and provide our services. The erasure of the data in regards to contractual performance and contractual communication corresponds to the information provided for these processing activities.

In this context, we disclose or transmit data to the fiscal authorities, consultants such as tax consultants or auditors, billing offices, and payment service providers.

We also store data about suppliers, organizers, and other business partners based on our business management interests, for example for the purpose of subsequently contacting them. These largely company-specific data are generally stored permanently.

Business management analyses and market research

In order to operate our business economically and to identify market trends and customer and user preferences, we analyze the data available to us regarding business processes, contracts, inquiries, etc. In doing so we process basic data, communication data, contract data, payment data, usage data, and metadata based on Art. 6 (1), point f. GDPR; the data subjects include customers, prospects, business partners, visitors, and users of the online offering.

The analyses are conducted for the purpose of business management evaluations, marketing, and market research. In doing so, we are able to take the profiles of registered users with information such as their purchasing processes into account. We use the analyses for the purpose of improving usability, optimizing our offering, and to improve operating efficiency. The analyses are used solely for our own purposes and are not disclosed externally, except for anonymous analyses with summarized values.

Insofar as these analyses or profiles are person-specific, they are deleted or anonymized upon termination by the user, otherwise two years after the conclusion of a contract. That being said, overall business management analyses and general trend analyses are prepared anonymously as far as possible.

Contact

In case of contact (e.g. using a contact form, e-mail, telephone, or social media), the user’s information is processed for the purpose of responding to the contact request and its handling pursuant to Art. 6 (1), point b) GDPR. User information may be stored in a customer relationship management (CRM) system or comparable inquiry organization system.

We erase the inquiries insofar as they are no longer required. We review their necessity every two years. Statutory archiving obligations apply in addition.

Akismet anti-spam filter

Our online offering uses the “Akismet” service provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. It is used based on our legitimate interests pursuant to Art. 6 (1), point f) GDPR. This service is used to differentiate between comments from real people and spam comments. All comment data are sent to a server in the USA for this purpose, where they are analyzed and stored for four days for comparison purposes. If a comment has been classified as spam, the data are stored beyond this period. The information includes the name that was entered, the IP address, comment contents, referrer, information on the browser and computer system used, and the time of the entry.

Automattic is certified under the Privacy Shield agreement, which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).

Further information on the collection and use of data by Akismet is found in the Automattic data privacy statement: https://automattic.com/privacy/.

Users are welcome to use pseudonyms, or to omit entering their name or e-mail address. You can prevent the transmission of data entirely by refraining from using our comment system. That would be unfortunate, but we see no equally effective alternative.

Newsletter

The information that follows tells you about the content of our newsletter as well as the process for registering, sending, and statistical evaluation, and your right to object. By subscribing to our newsletter, you consent to receive it and agree to the process described.

Content of the newsletter: We send a newsletter, e-mails, and other electronic notifications with promotional information (“newsletter” in the following) only with the consent of the recipient or if permitted by law. Insofar as the concrete content of the newsletter is described in the course of registration, this is relevant for the user’s consent. Otherwise our newsletter contains information about our services and company.

Double opt-in and logging: A double opt-in procedure is used to register for our newsletter. This means that you receive an e-mail after registering, asking you to confirm your registration. This confirmation is necessary to prevent registration with someone else’s e-mail address. Newsletter registrations are logged in order to document the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation, and the IP address. Changes to your data saved by the service provider that sends out the newsletter are logged as well.

Registration data: You only have to enter your e-mail address to register for the newsletter. We also ask you to provide a name, which is optional, so we can address you personally in the newsletter.

Germany: The newsletter is sent and the measurement of success related to it is conducted based on the consent of the recipient pursuant to Art. 6 (1), point a, Art. 7 GDPR in conjunction with Section 7, Paragraph 2, No. 3 of the Act Against Unfair Practices (UWG), and based on legal permission pursuant to Section 7, Paragraph 3 UWG.

The registration process is logged on the basis of our legitimate interests pursuant to Art. 6 (1), point f GDPR. We aim to operate a user-friendly and secure newsletter system that serves our business interests, meets the expectations of users, and permits us to provide proof of consent.

Cancellation/revocation – you can cancel your subscription to our newsletter and revoke your consent at any time. A link to cancel the newsletter is found at the end of each newsletter. We may store the unsubscribed e-mail addresses for up to three years based on our legitimate interests before we erase them, allowing us to provide proof that consent had been given. The processing of these data is restricted to a defense against possible claims. An individual request for erasure may be submitted at any time, provided that the original consent is confirmed.

Newsletter – sending service provider

The newsletter is sent through the service provider “MailChimp”, a newsletter sending platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the data protection provisions of the sending service provider here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement, which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The sending service provider is engaged based on our legitimate interests pursuant to Art. 6 (1), point f GDPR and a processing contract pursuant to Art. 28 (3), sentence 1 GDPR.

The sending service provider may use the data of the recipients in pseudonymized form, i.e. with no assignment to a user, in order to optimize or improve its own services, e.g. for the technical optimization of sending and the presentation of the newsletter, or for statistical purposes. However, the sending service provider does not use the data of our newsletter recipients in order to contact them directly, and does not disseminate the data to third parties.

Newsletter – measurement of success

The newsletter contains what is called a “web beacon”, which is a pixel-sized file that, when the newsletter is opened, is retrieved by our server or by the server of a sending service provider where applicable. Technical information, such as information about the browser and system, as well as your IP address and the time of access are collected within the scope of this retrieval.

This information is used for the technical improvement of services based on the technical data, or the target group and its reading behavior based on their access locations (which can be determined according to the IP address) or access times. Statistical data collection also includes determining whether the newsletter was opened, when it is opened, and which links are clicked. This information can be assigned to the individual newsletter recipients for technical reasons. However, our intent and that of the sending service provider, where applicable, is not to observe individual users. Rather we use the evaluations to identify the reading habits of our users and to adapt our content accordingly, or to send various content corresponding to the interests of our users.

Google Analytics

Based on our legitimate interests (i.e. the interest in analysis, optimization, and the economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. Information on the use of the online offering by the users generated by the cookie is generally transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield agreement, which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses this information on our behalf in order to evaluate the use of our online offering by users, compile reports about the activities within this online offering, and to provide additional services to us related to the use of this online offering and the Internet. Pseudonymized usage profiles of the users can be prepared from the processed data.

We use Google Analytics only with activated IP anonymization. This means that the user’s IP address is first truncated by Google within member states of the European Union or in other member states of the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

The IP address transmitted to Google Analytics by your browser is not combined with other data by Google. Users can prevent the storage of cookies through corresponding settings in their browser software. Furthermore, users can prevent the capture of data generated by the cookie and relating to their use of the online offering and the processing of said data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information about the use of data by Google, settings, and ways to object is found in the Google data privacy statement (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

The personal data of users are erased or anonymized after 14 months.

Integration of third-party services and content

Within our online offering and based on our legitimate interests (i.e. the interest in the analysis, optimization, and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use third-party content or service offerings in order to integrate their content and services such as videos or fonts (uniformly referred to as “content” in the following).

This always requires the third-party providers of said content to obtain the user’s IP address, since they cannot send the content to the user’s browser without the IP address. The IP address is therefore required in order to display said content. We strive to only use content where the respective provider uses the IP address solely for the delivery of the content. Third-party providers may also use what are called pixel tags (invisible graphics, also called web beacons) for statistical or marketing purposes. Pixel tags make it possible to evaluate information such as visitor traffic on the pages of this website. The pseudonymized information may also be stored in cookies on the user’s device, and can contain technical information about the browser and operating system, referrer URL, time of the visit, and additional information about the use of our online offering, among other things, and can be linked to such information from other sources.

YouTube

We integrate videos on the “YouTube” platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Fonts

We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google ReCaptcha

We integrate the function to identify bots, for example when using online forms (“ReCaptcha”), of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Maps

We integrate the maps of the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of users, but not without their consent (usually given through the mobile phone settings). The data may be processed in the USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.