DATA PROTECTION DECLARATION according to DSGVO/GDPR
For simplicity and assistance, the texts have been approximately translated into other languages with the help of machine translation. Only the German terms, texts and Imprint are valid. Errors and omissions excepted.
Declaration by GartenMedien GmbH & Co. KG (GM) on the implementation and application of current data protection regulations:
Current legal situation:
According to the Federal Data Protection Act (→ dejure.org/gesetze/BDSG ) and the accompanying laws, companies are obliged to comply with data protection regulations.
As of 25 May 2018, the European General Data Protection Regulation (→ www.dsgvo-gesetz.de , www.digitales.oesterreich.gv.at/datenschutz-grundverordnung ) is also mandatory. GartenMedien GmbH & Co. KG (GM) endeavours to comply with legal requirements and, in addition, with data economy and data protection "by design".
1. What does it mean in general for customers and employees of GartenMedien GmbH & Co. KG (GM)?
GM only uses personal data where there is no other way for the typical business process, such as quotations, order processing, acquisition, and where contact persons or thematic reference persons are an indispensable part of the communication. This can arise from the natural function of persons e.g. management or in the responsibility for a certain area.
These are in particular:
- In the commercial field: Orders/clarifications/order acceptance/invoices/reminders.
- GM internal contact database for contact/administration/correspondence.
- Supplier contracts.
- Admission permits in garden and grounds.
- Model contracts.
- Clarification and documentation of copyrights and other property rights.
- Commercial software incl. documentation of sales history.
- Customer directories or trade fair contacts or business-related company data.
- Login data.
- Employee data.
- Technology.
1.1 Internal business database(s) for managing customer contacts and acquisition:
GM maintains and manages internal database(s)
- About our visited gardens with contact persons
- Via trade fair and company contacts with contacts and their function in management and in subordinate functions/departments.
1.2 Information, correction, blocking, deletion:
Our customers have the right, within the framework of the Federal Data Protection Act, to obtain information, correction and deletion of the data stored about them by us.
For data protection reasons, we only provide this information to legitimised persons, e.g. by registered letter. The return postage/registration costs incurred for this are to be transferred in advance with the destination address information. However, we cannot guarantee that personal data is available at all. The processing of applications is free of charge, provided they are not manifestly unfounded or excessively exploited by repetition.
Upon request, we will delete personal data - after ensuring the applicant's entitlement - where archiving constraints, contractual or mandatory documentation and/or confidentiality obligations as well as the protection of our legitimate interests do not conflict with this. Blockings are also possible.
1.3 Data sharing:
We do not share or trade data with third parties.
There are exceptions where the provision of personal data is mandatory for the fulfilment and execution of the customer order or the reporting of employee data to the social insurance fund or the artists' social insurance fund, etc.
For order processing these are, for example, the reservation of a domain name, for the ordering and delivery of goods specification of a delivery address as well as the business telephone number to the parcel service provider. We only pass on the most necessary data here.
1.4 Internal and external employees:
Our employees are instructed to handle personal data confidentially and, as an additional safeguard, do not usually have any right to access personal data.
1.5 Security:
External staff work on separate physical networks from GM's internal network and therefore do not have access to GM's internal network where personal data is held.
1.6 Login data:
For the secure login of external employees, we only allow access via previously approved login data. As a supplement, logging in via 2FA "2nd factor authentication" - e.g. via additional stick or smartcard - is required over and above a specific security requirement.
1.7 Employee data:
We process and archive the required employee data (internal/external) in the internal required environment. This includes e-mail address, address, login data, etc.
1.8 Additional notes:
In accordance with Article 32 of the DSGVO/GDPR, we are constantly weighing up whether to implement security through effort or with foresight, in line with the state of the art. Thus, the separation into different logical and physical networks is obligatory for us.
1.9 Recommendations:
We prefer to use open systems that do not earn their money by classifying visitors or advertising, such as www.openstreetmap.org, to display maps.
For confidential communication, we recommend setting up encrypted mail traffic, as then no one - not even us - can see. However, only the customer or the mail subscriber can do this on his/her computer(s).
2. Newsletter - Fax circular - Customer acquisition:
GM sends newsletters or faxes to its customer/trade fair/business contacts several times a year, especially before the start of the season or on specific business dates, such as trade fair invitations, or on industry-specific dates, such as before the bedding & balcony or rose season.
This news is sent exclusively to business addresses and there to functionaries, such as the management or the responsible departmental division management. This is usually data that is also provided by the companies in a similar way or even has to be published.
If these functionaries no longer wish to receive our news (newsletter, fax), they can unsubscribe at any time. We currently use the services of a qualified service provider called "Cleverreach" to send e-mails, but we deactivate all additional functions except for recognising whether an e-mail has arrived. For this purpose, we pass on the data such as company, department, name, e-mail address. By subscribing to the newsletter, you accept Cleverreach's privacy policy (→ www.cleverreach.com/de/datenschutz/ ) and its data security (→ www.cleverreach.com/de/datensicherheit/ ).
Such software functionalities are building blocks of mailing software and can also draw on software functions such as those provided by Google. If the newsletter recipient does not want this, they should deactivate JavaScript and external images.
3. Storage duration and location
GM stores data - with few exceptions - internally and not externally or in the cloud. This does not apply to websites of customers or to the own or external servers which are necessary for the maintenance of the websites. An AV contract exists with the provider.
In the case of commercial data, as well as the traceability of business transactions, we are subject to statutory retention obligations.
For data in the cloud, we manage access and security data and assign rights to employees or third parties, such as translation agencies. We do not process personal data in the cloud.
Tax-relevant data is processed via our tax consulting service. There is also an AV contract there. This is also subject to the statutory retention obligations.
The personal data for our newsletter for tradespeople and commerce is managed internally and exported to the database of our news/mailing service provider (Cleverreach see 2. Newsletter) for automated mailing and processed there for our mailing tasks. An AV contract exists with Cleverreach since 2018/05.25.
In order to protect our legitimate interests, legally relevant files are stored for as long as they can be effective and/or serve our legal enforcement or documentation purposes. All other data is continuously deleted if it is no longer required.
4 Contact persons on the subject of data protection
GartenMedien GmbH & Co. KG
Datenschutz / Peter Lorenz
Hinter der Breite 3/1
72149 Neustetten
datenschutz@gartenmedien.de
In case of complaints, please contact the data protection officer of your respective (district/state/)country.
5 Closing words:
Have you found a mistake in the implementation? We are grateful for sensible corrections and suggestions.
Updated 20.05.2018
The following data protection provisions also apply in relation to ourselves as the domain holder for our own presence(s). There, we are customer and client in personal union.
Privacy policy declaration of the web service provider, GartenMedien GmbH & Co. KG (GM), for the implementation and application of current data protection regulations within the framework of commissioned processing according to Art. 28 DSGVO:
This GM Privacy Policy only applies to the external processing of data within the framework of the external web presence(s) of our customers. Internal processing at customers (e.g. of mails) is not the subject and scope of our commissioned processing here.
Customised software (web presence/s) created/managed by GM.
Current legal situation:
According to the Federal Data Protection Act (→ dejure.org/gesetze/BDSG ) and the accompanying laws, companies are obliged to comply with data protection regulations.
From 25 May 2018, the European General Data Protection Regulation (→ www.dsgvo-gesetz.de , www.digitales.oesterreich.gv.at/datenschutz-grundverordnung ) is also mandatory. GartenMedien GmbH & Co. KG (GM) endeavours to comply with legal requirements and, in addition, by data economy and data protection "by design".
This is done for customised software on 2 levels: On the one hand, ensuring that processing within the respective software complies with the Federal Data Protection Act/GDPR (as of 2018, generally only web presences) and ensuring the conformity of the subordinate software by selecting the provider (within the EU, written assurance of conformity and further processing analogous to the European data protection laws).
1. Information, correction, blocking, deletion, disclosure of personal data by GM:
GM simply forwards personal data to the owner of the presence and has nothing to do with its further processing and archiving. Mails are forwarded to the respective recipients with the exception of control by an activated spam filter (see 3.3 Mail handling). Please direct all enquiries in this regard to the owner of the domain. The latter will pass on applications to us if necessary.
2. Exceptions:
Exceptions exist where GM needs to disclose communication or temporary data, such as log files, to comply with legal requirements or judgements.
3. Data protection for websites created/managed by GM on behalf of the customer:
General:
In the presences created on behalf of customers, GM avoids the use of additional services within the web that enable further profiling of the respective visitor beyond pure, impersonal browsing of the presence and thus act contrary to data protection (such as advertising libraries from Google (→ www.google.de ) and Facebook (→ www.facebook.de )). The search engine function, which searches and weights presences impersonally, is used as a matter of course.
3.1 Cookies:
These are small files that can be stored on the browser user's computer by browsers such as Chrome, Mozilla Firefox, Safari, Internet Explorer when visiting Internet pages. These have an expiry date and features to identify the browser. This makes it possible to track repeat visits to pages or families of pages that use the same software in the background.
GM sometimes uses so-called session cookies, which makes it easier to log in to our services on the web by allowing you to log in again within a short period of time without a password. No internet profiles can be built up with these cookies due to their short lifespan.
GM does not use these cookies to identify you beyond one session, but only to facilitate menu navigation or login. These cookies can also not be used by third parties for classification or profiling. Furthermore, these are deleted after closing the browser. According to our assessment, there is nothing to prevent this according to Art 6 1 (f) DSGVO/GDPR.
3.2 IP addresses:
These IP addresses, which contain several numbers and are separated by a dot, can usually uniquely identify a computer. This can be permanently assigned for a web server or only temporarily by the connection setup, e.g. by a DSL connection for a visitor. Often - but not always - the combinations can be used to determine the visitor's country, possibly the area, the location or - in the case of fixed IP addresses - the visitor's company.
GM archives IP addresses only temporarily for troubleshooting and/or determining or tracing attacks from the network. Host providers of GM scramble the IP addresses in the log files for data protection reasons.
3.3 Mail handling:
Sending/forwarding of mails by GM:
GM normally forwards mails to the customer without any archiving to the target addressee (sending) or to the customer's target mailbox (receiving) at his provider (e.g. T-Online).
3.4 Contact masks:
Data that can be entered in the contact form of the respective website is first checked for correctness (syntax, completeness when filling in the necessary fields) and then checked again in a further step before it is sent.
As a rule, it is necessary to enter an e-mail address of the contact person in the forms, who then receives the e-mail to the entered address again for approval in an optimised procedure. Only after confirmation by calling up a one-time link in the mail programme (opt-in) is it then finally forwarded to the customer by GM. The processing of contact data is carried out in accordance with Art 6 DSGVO/GDPR b) for the fulfilment of our tasks.
3.5 Log files of the accesses and evaluation:
During development phases and during updates, GM writes log files for error detection and function testing.
After commissioning and during operation, log files only serve to trace the proper functioning in the larger context. Only in the event of an error or malfunction are the log files used to investigate the cause. The logging of web accesses (IP/DNS) to pages is done automatically so that attacks can be traced and rudimentary evaluations can be carried out. GM logs web accesses for 14 days, after which the log files are automatically deleted.
In the log files, the last IP digits are "scrambled" so that data protection is guaranteed. These evaluations do not provide: Who (as a specific person) did what, but: Which pages of the presence were called up the most, which country accounted for which share of the calls, from which providers (e.g. Telekom, Vodafone,...) the visitors came. GM does not evaluate any personal data in this way.
3.6 Databases:
Comments from the user(s) are usually forwarded directly to the owner of the presence via mail. Only for commissioning or troubleshooting, parts of it may be temporarily archived at GM.
3.7 Provider services:
We buy our hosting of the web presences from providers in the EU (currently in D). There is an AV (order processor contract) from this according to DSGVO/GDPR Art. 28. In order to fulfil its and our tasks according to DSGVO/GDPR Art. 6 1 (f) "legitimate interest", the provider requires, among other things, data of the domain holder, the administrator (admin-c) and possibly other responsible persons and provides infrastructure for this as part of its tasks for our required services. Here, the actual processing of data takes place within the framework of web services, secured mail or access services. In order to maintain the quality of service, the GC has the right and the obligation to carry out functional tests with technical measures such as log files, backup measures, etc. and to provide these to us in order to fulfil our tasks according to DSGVO/GDPR Art. 6 1 (f) "legitimate interest". Via menu and secure access, we have the possibility to parameterise and limit services and have, for example, set the storage period of log files such as mail and web to compliant values such as 14 days or less.
3.8 The first point of contact
for data protection issues is the respective domain holder as the person responsible for the presence. Normally, the domain owner will contact GartenMedien as a processor (AV). If you have any further questions, please contact the data protection officer for web services:
GartenMedien GmbH & Co. KG
Data protection / Peter Lorenz
Hinter der Breite 3/1
72149 Neustetten
datenschutz@gartenmedien.de
In case of complaints, please contact the data protection officer of your respective (district/state/)country.
4 Closing words:
Have you found a mistake in the implementation? We are grateful for sensible corrections and suggestions.
Updated 2018/05/22