We take the protection of your data seriously and want to inform you comprehensively about the type, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions, and content as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”). With regard to the terminology used, such as “processing” or “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Silke Türck, schnittchen patterns
Englschalkinger Straße 264
81927 Munich, Germany
Owner: Silke Türck
Types of processed data:
Inventory data (e.g. names, addresses).
Contact data (e.g. email, telephone numbers).
Content data (e.g. text inputs, photographs, videos).
Contract data (e.g. contract subject, term, customer category).
Payment data (e.g. bank account details, payment history).
Usage data (e.g. visited websites, interest in content, access times).
Meta/communication data (e.g. device information, IP addresses).
Processing of special categories of data (Art. 9 para. 1 GDPR):
No special categories of data are processed.
Categories of persons affected by the processing:
– Visitors and users of the online offering.
Hereinafter, we also refer to the affected persons collectively as “users”.
Purpose of processing:
Provision of the online offering, its content, and shop functions
Provision of contractual services, service, and customer care
Answering contact inquiries and communicating with users
Marketing, advertising, and market research
As of January 2023
1. Used terminology
1.1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
The term covers a wide range and practically includes every handling of data.
1.3. The “controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
2. Relevant legal bases
In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing. If the legal basis is not mentioned in the data protection declaration, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and the implementation of contractual measures and responses to inquiries is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR. If the processing of personal data is necessary for the vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
3. Changes and updates to the data protection declaration
We ask you to regularly inform yourself about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
4. Security measures
4.1. In accordance with Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of the risk for the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as the access, input, disclosure, availability and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and the response to data threats. We also consider the protection of personal data in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
4.2. Security measures include, in particular, the encrypted transmission of data between your browser and our server.
5. Disclosure and transmission of data
5.1. If we disclose data to other persons and companies (processors or third parties) as part of our processing, transmit them to them or otherwise grant them access to the data, this only happens on the basis of a legal permission (e.g. if a transmission of data to third parties, such as payment service providers, is necessary for the fulfillment of the contract in accordance with Art. 6 Para. 1 lit. b GDPR), if you have given your consent, a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, hosting providers, tax, economic and legal advisors, customer care, accounting, billing, and similar services that allow us to efficiently and effectively fulfill our contractual obligations, administrative tasks, and duties).
5.2. If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 GDPR.
6. Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in the context of using third-party services or disclosure, or transmission of data to third parties, this only happens if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that the processing is e.g. based on special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
7. Rights of data subjects
7.1. You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
7.2. You have the right to demand that the data concerning you that is incomplete be completed or the data concerning you that is incorrect be corrected in accordance with Art. 16 GDPR.
7.3. You have the right to demand that the data concerning you be deleted without delay in accordance with Art. 17 GDPR or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.
7.4. You have the right, in accordance with Art. 20 GDPR, to receive the data concerning you that you have provided to us and to demand that it be transmitted to other responsible parties.
7.5. You also have the right under Article 77 of the GDPR to lodge a complaint with the supervisory authority.
8. Right to withdraw consent
You have the right to withdraw your consent under Article 7(3) of the GDPR with effect for the future.
9. Right to object
You may object at any time to the future processing of data concerning you in accordance with Article 21 of the GDPR. The objection may in particular be directed against processing for the purposes of direct marketing.
10. Cookies and right to object to direct marketing
10.1. “Cookies” are small files that are stored on users’ computers. Different information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit within an online service. Cookies that are deleted after a user leaves an online service and closes his or her browser are referred to as temporary cookies, session cookies, or transient cookies. Such a cookie may, for example, store the contents of a shopping cart in an online store or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be stored if users visit it after several days. Likewise, the interests of users can be stored in such a cookie, which can be used for measuring reach or marketing purposes. “Third-party cookies” are cookies from providers other than the controller who operates the online service (otherwise, if they are only its cookies, they are referred to as “first-party cookies”).
11. Data deletion
11.1. The data processed by us will be deleted in accordance with Articles 17 and 18.
11.2. Germany: According to legal requirements, storage is carried out in particular for 6 years in accordance with § 257 (1) HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, booking vouchers, etc.) and for 10 years in accordance with § 147 (1) AO (books, records, management reports, booking vouchers, commercial and business letters, documents relevant for taxation, etc.)
12. Processing of orders in the online shop and customer account
12.1. We process the data of our customers within the framework of the ordering process in our online shop in order to enable them to select and order the selected products and services, as well as to pay for and deliver or execute them.
12.2. The processed data includes inventory data, communication data, contract data, payment data, and the affected persons are our customers, interested parties, and other business partners. The processing is carried out for the purpose of providing contract services within the scope of operating an online shop, billing, delivery, and customer service. Here, we use session cookies for storing the contents of the shopping cart and permanent cookies for storing the login status.
12.3. The processing is carried out on the basis of Art. 6 para. 1 lit. b (Execution of order processing) and c (Legally required archiving) GDPR. The information marked as necessary is required for the establishment and fulfillment of the contract. We only disclose the data to third parties within the scope of delivery, payment, or within the scope of legal permits and obligations to legal advisors and authorities. The data is only processed in third countries if this is necessary for the fulfillment of the contract (e.g. at the customer’s request for delivery or payment).
12.4. Users can optionally create a user account, where they can view their orders. During registration, the necessary mandatory information will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data will be deleted with regard to the user account, unless its retention is necessary for commercial or tax law reasons in accordance with Art. 6 para. 1 lit. c GDPR. The information in the customer account remains until it is deleted, followed by archiving in the case of legal retention obligations.
It is the responsibility of users to secure their data before the end of the contract upon termination.
12.5. As part of registration and re-registration as well as use of our online services, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests, as well as the users’ interest in protection against misuse and other unauthorized use. This data is not generally disclosed to third parties, unless it is necessary to pursue our claims or there is a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.
12.6. Deletion takes place after the expiry of statutory warranty and comparable obligations. The necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial (6 years) and tax (10 years) retention obligations); information in the customer account remains until it is deleted.
13. Business analysis and market research
13.1. In order to operate our business economically, recognize market trends, customer and user preferences, we analyze the data available to us on business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the persons affected include customers, prospective customers, business partners, visitors and users of the online offer. The analyses serve the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users, e.g. with regard to their purchase transactions. The analyses serve us to increase user-friendliness, optimize our offer and improve our economic efficiency. The analyses serve us alone and are not disclosed externally unless they are anonymous analyses with summarized values.
13.2. If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the users, otherwise two years after the conclusion of the contract. In all other respects, the overall business analyses and general trend determinations are created anonymously as far as possible.
Checking a customer’s creditworthiness is permissible if there is otherwise a risk of non-payment, i.e. if the goods are delivered without payment having been received (i.e. if the customer chooses to purchase on account). On the other hand, there is no risk of non-payment if the customer chooses, for example, the option of advance payment or pays via third-party providers such as PayPal.
It should also be noted that obtaining an automatic credit report constitutes an “automated decision-making in individual cases” within the meaning of Art. 22 GDPR, i.e. a legal decision without human involvement. This is permissible if the customer has consented or if this decision is necessary for the conclusion of the contract. Whether the decision is necessary has not yet been conclusively determined.
However, it is often assumed to be a given, even by the author of this pattern. If you want to exclude any risk, you should obtain consent. Consent is also required if the credit check is already being used to decide whether to display the “pay by invoice” option. Because it could have been possible that the customer would have chosen prepayment or PayPal anyway, and the credit check would not have been necessary.
Such consent could read as follows:
14. Credit check
14.1. If we provide advance payment (e.g. for purchases on invoice), we reserve the right to obtain an identity and credit check for the assessment of credit risk based on mathematical-statistical methods from specialized service companies (credit reference agencies) in order to protect our legitimate interests.
14.2. In the context of the credit check, we transmit the following personal data of the customer (name, postal address, date of birth, information on the type of contract, bank details) to the following credit reference agencies:
[Please specify the credit reference agencies here, e.g.:] SCHUFA-Gesellschaft (SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden), data protection information: https://www.schufa.de/de/ueber-uns/daten-scoring/.
14.3. We process the information received from the credit reference agencies on the statistical probability of default within the framework of a sound discretionary decision on the establishment, implementation, and termination of the contractual relationship. In the event of a negative result of the credit check, we reserve the right to refuse payment on invoice or any other advance payment.
14.4. The decision whether to provide advance payment is made solely on the basis of an automated individual decision within the meaning of Art. 22 GDPR, which our software makes based on the information provided by the credit reference agency.
14.5 If we obtain express consent from you, the legal basis for the credit check and the transmission of the customer’s data to the credit reference agencies is consent pursuant to Art. 6 para. 1 lit. a, 7 GDPR. If no consent is obtained, our legitimate interests in the protection of our business operations constitute the legal basis for the credit check and data transmission to the credit reference agencies.
Ensuring the reliability of your payment request is the legal basis according to Art. 6 para. 1 lit. f. GDPR.
15. Contact and Customer Service
15.1. When contacting us (via contact form or email), the user’s information will be processed in accordance with Art. 6 para. 1 lit. b) GDPR for the purpose of processing the contact request and its handling.
15.2. User information may be stored in our Customer-Relationship-Management System (“CRM System”) or comparable request organization.
15.3. We delete requests if they are no longer necessary. We review the necessity every two years; requests from customers who have a customer account are stored permanently and are referred to the information on the customer account for deletion. In addition, statutory archiving obligations apply.
16. Collection of access data and log files
16.1. Based on our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR, we collect data on every access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, message about successful retrieval, type and version of browser, user’s operating system, referrer URL (previously visited page), IP address, and requesting provider.
16.2. Log file information is stored for a maximum of seven days for security reasons (e.g., to investigate misuse or fraud) and then deleted. Data whose further retention is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
17. Online presence in social media
17.1. Based on our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR, we maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
17.3. We use Google Analytics to show only those users within advertising services of Google and its partners who have shown an interest in our online offer or who have certain characteristics (e.g., interests in certain topics or products, which are determined on the basis of the users’ behavior).
18.2. Google is certified under the Privacy Shield Agreement, thereby providing a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on activities within this online offer, and to provide us with further services related to the use of this online offer and internet usage. Pseudonymous user profiles may be created from the processed data.
18.4. We only use Google Analytics with IP anonymization enabled. This means that the IP address of users will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
18.5. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
18.6. For more information on how Google uses data, as well as on settings and objection options, please visit Google’s websites: https://www.google.com/intl/en/policies/privacy/partners (“Data use by Google when you use websites or apps of our partners”), https://policies.google.com/technologies/ads (“Data use for advertising purposes”), https://adssettings.google.com/authenticated (“Manage the information that Google uses to show you advertising”).
19. Facebook Social Plugins
19.1. Based on our legitimate interests (i.e. interest in analyzing, optimizing, and economically operating our online offering within the meaning of Art. 6 (1) lit. f. GDPR), we use social plugins (“plugins”) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and can be recognized by one of the Facebook logos (white “f” on a blue tile, the terms “Like”, “Like” or a “thumbs up” sign) or are labeled with the addition “Facebook Social Plugin”. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
19.2. Facebook is certified under the Privacy Shield Agreement and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
19.3. When a user calls up a function of this online offering that contains such a plugin, his device establishes a direct connection to the servers of Facebook. The content of the plugin is transmitted by Facebook directly to the user’s device and integrated into the online offering. User profiles can be created from the processed data. Therefore, we have no influence on the scope of the data that Facebook collects using this plugin and inform users accordingly to the best of our knowledge.
19.4. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can assign the visit to his Facebook account. If users interact with the plugins, for example by pressing the Like button or leaving a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will learn and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
19.6. If a user is a Facebook member and does not want Facebook to collect data about him through this online offering and link it to his member data stored on Facebook, he must log out of Facebook before using our online offering and delete his cookies. Further settings and objections to the use of data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/.
The settings are platform-independent, meaning they apply to all devices, such as desktop computers or mobile devices.
20. Communication via mail, email, fax or telephone
20.1 For business transactions and marketing purposes, we use remote communication methods such as mail, telephone or email. In doing so, we process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.
20.2 The processing is based on Art. 6 para. 1 lit. a, Art. 7 GDPR, Art. 6 para. 1 lit. f GDPR in conjunction with legal requirements for advertising communications. Contact is only made with the consent of the contact partners or within the framework of legal permissions and the processed data is deleted as soon as it is no longer required and otherwise with objection/revocation or cessation of the authorization basis or legal archiving obligations.
With the following information, we inform you about the contents of our newsletter as well as the registration, shipping, and statistical evaluation process and your rights of objection. By subscribing to our newsletter, you agree to receive it and the described procedures.
21.2. Content of the newsletter: We send newsletters, emails, and other electronic notifications with advertising information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. If the content of the newsletter is specifically described as part of the registration for the newsletter, it is decisive for the consent of the users. Otherwise, our newsletters contain information about our products, offers, promotions, and our company.
21.3. Double opt-in and logging: The registration for our newsletter takes place in a so-called double opt-in procedure. After registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that nobody can register with someone else’s email address. The registrations for the newsletter are logged in order to be able to demonstrate the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to the data stored by the shipping service provider are also logged.
On the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and an order processing agreement pursuant to Art. 28 para. 3 p. 1 GDPR.
21.5 Insofar as we use a dispatch service provider, the dispatch service provider may, according to its own information, use this data in pseudonymous form, i.e. without assignment to a user, to optimize or improve its own services, e.g. to technically optimize the dispatch and presentation of the newsletter or for statistical purposes to determine from which countries the recipients come. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself or to pass them on to third parties.
21.6 Registration data: To register for the newsletter, it is sufficient to provide your email address. Optionally, we ask you to enter a name in order to be addressed personally in the newsletter.
21.7 Performance measurement – The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened, or if we use a shipping service provider, from their server. In the course of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval are collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include the determination of whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the dispatch service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
21.8 Germany: The newsletter is sent and its success is measured on the basis of the recipients’ consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of legal permission pursuant to § 7 Para. 3 UWG.
21.9 Austria: The newsletter will be sent and its success measured on the basis of the recipients’ consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with Art. 107 Para. 2 TKG or on the basis of the statutory permission pursuant to Art. 107 Para. 2 and 3 TKG.
21.10. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and serves as proof of consent to receive the newsletter.
21.11. Newsletter recipients can cancel the receipt of our newsletter at any time, i.e. revoke their consents. A link to the cancellation of the newsletter can be found at the end of each newsletter. At the same time, their consent to the performance measurement expires. A separate revocation of the performance measurement is unfortunately not possible; in this case the entire newsletter subscription must be canceled. When unsubscribing from the newsletter, the personal data will be deleted, unless their retention is legally required or justified, in which case their processing will be limited only to these exceptional purposes. In particular, we may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them for newsletter sending purposes, in order to be able to prove consent formerly given. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
22. Integration of services and contents of third parties
22.1 On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we integrate content or services offered by third-party providers, such as videos or fonts, within our online offer (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the display of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
22.2 The following presentation provides an overview of third-party providers and their content, along with links to their data protection statements, which contain further information on the processing of data and, in part already mentioned here, options for objection (so-called opt-out).
– If our customers use the payment services of third parties (e.g. PayPal or Sofortüberweisung), the terms and conditions and privacy notices of the respective third-party providers apply, which are available within the respective websites, or transaction applications.