This data privacy statement sets out the nature, scope and purpose of our processing of your personal data (in the following referred to for short as "data") as part of our online offering and the associated web pages, functions and content, as well as through our external online presence, such as our social media profiles (in the following referred to collectively as our "online offering"). With regard to the terms used, including "processing" and "data controller", please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Mohr Siebeck GmbH & Co. KG
E-mail adress: email@example.com
Authorised representative company director: Dr. Henning Ziebritzki
Link to publisher's details: http://www.mohr.de/impressum
Contact – Data Protection Officer: firstname.lastname@example.org
"Personal data" is any information relating to an identified or identifiable natural person (in the following referred to as "affected persons"). A natural person is classed as identifiable where he or she can be identified directly or indirectly, in particular by means of matching to an identifier such as a name, to an identifying number, to location data, to an online identifier (such as a cookie) or to one or more special features which represent an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of the said natural person.
"Processing" is any action or sequence of actions carried out with or without the aid of automated means in connection with personal data. The term is far-reaching, and covers practically all handling of data.
The "data controller" is the natural person or legal entity, public authority, institution or other body who determines the purposes and means of processing personal data, either alone or in conjunction with others.
Pursuant to Art. 13 GDPR, we hereby advise you of the legal basis for our processing of data. Where the legal basis is not cited in the privacy statement, the following provisions apply:
The legal basis for obtaining consent is Art. 6 (1) lit. a and Art. 7 GDPR; the legal basis for processing of data in order to fulfil our supplies and services and execute measures under contracts, as well as in responding to enquiries, is Art. 6 (1) lit. b GDPR; the legal basis for processing of data in order to fulfil our legal obligations is Art. 6 (1) lit. c GDPR; and the legal basis for processing of data in order to protect and preserve our legitimate interests is Art. 6 (1) lit. f GDPR. Where vital interests of the affected person or of another natural person necessitate processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
We advise that you regularly review the content of our data privacy statement. We will update the statement as necessary whenever we make changes to our methods of data processing. We will notify you whenever you need to take action as a result of the said changes (such as giving your consent) or when any other specific notification becomes necessary.
Where we disclose data to other persons and organisations (data processors or third parties), transfer data to them or allow them access to the data in any other way in the course of our processing, we shall do so only to the extent allowed by law (such as where transfer of data to third parties, including to payment service providers, is essential to performance of the contract pursuant to Art. 6 (1) lit. b GDPR), where you have given your consent, where we are legally obliged to do so, or on the basis of our legitimate interests (such as when engaging representatives, web hosters, etc.).
Where we engage third parties as data processors on the basis of a data processing agreement, we shall do so on the basis of Art. 28 GDPR.
Where we process data in a third country (that is to say, a country outside the European Union (EU) or the European Economic Area (EEA)), or we do so in the course of utilising services from third parties or in the disclosure or transfer of data to third parties, we shall do so only in order to fulfil our (pre-)contractual obligations, on the basis of your consent, in fulfilment of a legal obligation, or on the basis of our legitimate interests.
Subject to legal or contractual permission, we shall process data, or arrange for processing of data, in a third country only if the special preconditions laid down in Art. 44 ff. GDPR are met. That is to say, for example, processing shall take place on the basis of special guarantees, such as official recognition of a data security level corresponding to that of the EU (e.g. based on the Privacy Shield in the USA) or in compliance with officially recognised special contractual obligations (so-called "standard contract terms").
You have the right to demand confirmation as to whether relevant data is being processed, and to receive information concerning the said data as well as further information and copies of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to demand that data relating to you be supplemented if incomplete, or be corrected if inaccurate.
In accordance with Art. 17 GDPR, you have the right to demand that relevant data be immediately deleted, or alternatively pursuant to Art. 18 GDPR that processing of the said data be restricted.
You have the right in accordance with Art. 20 GDPR to demand that data relating to you which you have provided to us be returned to you, and that it be transferred to other data controllers.
You further have the right in accordance with Art. 77 GDPR to submit a complaint to the competent supervisory authority.
You have the right to revoke consent you have granted in accordance with Art. 7 (3) GDPR with effect for the future.
You can object to the future processing of the data relating to you in accordance with Art. 21 GDPR at any time. You can object in particular to the processing of your data for direct marketing purposes.
Cookies are small files which are stored on users' computers. Cookies can contain a range of different data. The primary purpose of a cookie is to record data on a user (and details of the device on which the cookie is stored) during – or also after – his or her visit to an online offering. Session cookies, also known as transient cookies, are cookies which are deleted after a user has left an online offering and closes his or her browser. Cookies of this kind may, for example, record the content of a shopping basket on an online shop or a login status. Permanent, or persistent, cookies remain stored after the browser is closed. This means a user's login status is retained if he or she returns to the site days later. A cookie of this kind may also record a user's interests for reach measurement or marketing purposes. Third-party cookies are installed by vendors other than the data controller who operates the online offering (otherwise, if only the data controller's cookies are installed, these are called first-party cookies).
We may make use of both session cookies and permanent cookies, and provide details on this in our privacy statement.
If users do not want cookies to be stored on their computers, they are requested to disable the relevant option in their browser's settings. Stored cookies can be deleted in the browser settings. Disabling cookies may impair the functionality of the online offering.
The data we process will be deleted, or its processing restricted, in accordance with Art. 17 and 18 GDPR. Unless explicitly specified in this privacy statement, the data held by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention periods apply which prohibit it from being deleted. If the data is not deleted because it is required for other legally admissible purposes, its processing will be restricted. That is to say, the data will be blocked, and not processed for other purposes. That is the case, for example, in respect of data which must be retained pursuant to commercial or tax law.
German law in particular stipulates retention periods of 10 years according to Article 147, para. 1 of the Fiscal Code (AO), Article 257 para. 1, nos. 1 and 4, para. 4 of the German Commercial Code (HGB) (relating to books, records, management reports, posting vouchers, commercial accounts, documents relevant to taxation, etc.) and six years according to Article 257, para. 1, nos. 2 and 3, para. 4 HGB (commercial correspondence).
Austrian law stipulates retention periods of seven years according to Article 132, paragraph 1 of the Federal Fiscal Code (BAO) (accounting documents, vouchers/invoices, accounts, vouchers, business documents, statements of income and expenses, etc.), of 22 years in relation to real estate, and of 10 years for documents relating to electronic services, telecommunications, radio and television services provided to non-business entities in EU member-states and for which the Mini-One-Stop-Shop (MOSS) is utilised.
We additionally process:
We use hosting to provide the following services: Infrastructure and platform services; computing capacity; storage space and database services; security services; and technical maintenance services for the operation of our online offering.
In this, we and/or our hosting provider process inventory data, contact details, content, contract data, usage data, metadata and communications data of customers, leads, and visitors to our online offering on the basis of our legitimate interest in providing an efficient and secure online offering in accordance with Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR (Processor).
On the basis of our legitimate interests under the terms of Art. 6 (1) lit. f GDPR, we and/or our hosting provider collect data in server log files every time the server hosting the said service is accessed. The access data includes the name of the website/file accessed, the date and time of accessing, the volume of data transferred, notifications of successful access, the user's browser type including its version, the user's operating system, the referrer URL (the page visited immediately prior), the user's IP address, and the requesting provider.
Log file data is stored for a maximum of seven days for security reasons (such as to investigate abuse or fraud) and is then deleted. Data which is required to be retained longer as evidence is exempted from the deletion procedures until the case at hand has been definitively solved.
We process our customers' data in response to their orders submitted to our online shop in order to facilitate their selection and ordering of our products and services, as well as for the purposes of executing the said orders (payment and shipping).
The data we process includes inventory data, communications data, contract data and payment data. The data subjects include our customers, leads, and other business partners. We process the data in order to deliver contracted services in the course of operating our online shop, including associated billing, shipping and customer services. In doing this, we use session cookies to store shopping basket contents and permanent cookies to store user logins.
We process the data on the basis of Art. 6 (1) lit. b (performance of a contract) and c (archiving required by law) of the GDPR. This requires the data stipulated as necessary for the establishment and performance of the contract. We will disclose the data to third parties only in the course of executing shipping and payment procedures, or within the extent of our legal rights and obligations in relation to legal advisors and public authorities. The data will only be processed in third countries where necessary for the performance of the contract (such as at the customer's request in relation to shipping or payment).
Users can optionally set up an account through which they can, in particular, view their orders. The mandatory notifications are presented to users during the registration process. User accounts are not public, and cannot be indexed by search engines. When users cancel their accounts, the data relating to the user account is deleted, unless it must be retained pursuant to commercial or tax law in accordance with Art. 6 (1) lit. c GDPR. Customers' account data is retained until the account is deleted, and is archived beyond that point where a legal obligation to retain it exists. It is the responsibility of users to ensure that their data is saved if they cancel before the end of the contract term.
In the course of registration and login procedures, and when users use our online services, we store the user's IP address and the time the action in question was carried out. The data is stored on the basis of our legitimate interests and in the interests of users to protect against abuse and other unauthorised use. We will fundamentally not pass on this data to third parties, except where it is necessary in pursuit of our claims or where we are legally obliged to do so pursuant to Art. 6 (1) lit. c GDPR.
The data will be deleted at the end of the statutory warranty period and when comparable obligations expire. We will review the necessity to retain the data every three years. Where archiving of data is required by law, we will delete it when the statutory retention period expires (six years under commercial law; 10 years under tax law).
We process data in performing administrative functions and organising our business operations, financial accounting and fulfilment of our legal obligations, such as archiving. In doing so, we process the same data which we process in providing our contractual services. The bases for processing of data are Art. 6 (1) lit. c. GDPR, Art. 6 (1) lit. f. GDPR. The processing relates to customers, interested parties, business partners and website visitors. The purposes of, and our interests in, the processing of data are for administration, financial accounting, office organisation and data archiving – that is to say, functions which serve to sustain our business operations, fulfil our tasks and deliver our products and services. The deletion of data in relation to contractual services and contract-related communications corresponds to the procedures set out in connection with the said processing activities.
In this, we disclose or transfer data to finance authorities, advisors such as accountants or auditors, as well as to other official bodies which collect levies and to payment service providers.
In pursuit of our commercial interests, we also store data relating to suppliers, event organisers and other business partners, in order to contact them subsequently for example. We store this mostly corporate data on a permanent basis as a matter of policy.
In order to run our business efficiently, track market trends and identify customers' and users' wishes, we analyse the data we hold in relation to business transactions, contracts, enquiries, etc. In doing so, we process inventory data, communications data, contract data, payment data, usage data and metadata on the basis of Art. 6 (1) lit. f. GDPR. This processing relates to customers, interested parties, business partners, visitors to and users of the online offering.
The analyses are carried out for the purposes of commercial evaluation, marketing and market research. In doing this, we may consider the profiles of registered users including data such as their purchase transactions. The analyses help us to optimise and enhance the user-friendliness of our offering, as well as to make it more economically efficient. The analyses benefit only ourselves, and are not disclosed to external parties, apart from in the form of anonymised analyses containing summary data.
Where the said analyses or profiles relate to specific persons, they are deleted or anonymised when the users concerned give notice of termination; otherwise two years after signing of contracts. In other respects, macro-economic analyses and general trend analyses are compiled anonymously as far as possible.
We process job applicants' data only for the purpose of, and within the extent of, the application procedure, in accordance with the legal requirements. We process job applicants' data in order to fulfil our (pre-)contractual obligations as part of the application procedure under the terms of Art. 6 (1) lit. b. GDPR and Art. 6 (1) lit. f. GDPR where we are required to process the data in the course of legal proceedings for example (in Germany section 26 of the Federal Data Protection Act [BDSG] additionally applies).
The application procedure essentially requires that applicants disclose data about themselves to us. Where we provide an online application form, the necessary data is indicated as such. Otherwise it is derived from the relevant job descriptions. The data fundamentally includes the applicant's name, postal and contact addresses, and the documentation relating to the application, such as the covering letter, curriculum vitae and references. Applicants may also provide us with additional information on a voluntary basis.
By submitting their applications to us, applicants declare their consent to our processing of their data for the purposes of the application procedure in the manner and scope set out in this data privacy statement.
Where special categories of personal data under the terms of Art. 9 (1) GDPR are voluntarily disclosed in the course of the application procedure, we process the said data additionally in accordance with Art. 9 (2) lit. b GDPR (e.g. health data, such as relating to disabilities, or ethnic origin). Where special categories of personal data under the terms of Art. 9 (1) GDPR are requested from applicants in the course of the application procedure, we process the said data additionally in accordance with Art. 9 (2) lit. a GDPR (e.g. health data, where essential to performance of the work).
Where we provide an online application form on our website, applicants can submit their applications to us by such means. The data is transferred to us by state-of-the-art technical methods. Applicants can also submit their applications to us by e-mail. We do advise, however, that e-mail traffic is fundamentally not encrypted, and that applicants must themselves provide the necessary encryption. We can therefore accept no responsibility for the application's routing between the sender and our server. Consequently, we recommend that applicants use an online form, or utilise the additional option of submitting their applications by post instead of via the online form or by e-mail.
Where an application is successful, we may process the data submitted by applicants further for purposes connected with the resultant employment relationship. Otherwise, where an application is not successful, the applicant's data will be deleted. We will also delete an applicant's data if an application is withdrawn – which applicants are entitled to do at any time.
The data will be deleted, subject to legitimate revocation on the part of the applicant, after a period of six months, said period enabling us to deal with any follow-up questions relating to the application and to document our compliance with equality laws. Bills relating to reimbursement of travel expenses will be archived in accordance with tax law requirements.
When users contact us (such as using our contact form, by e-mail, telephone, or via social media), their details are processed in order to deal with their enquiries and requests in accordance with Art. 6 (1) lit. b) GDPR. User-related data may be stored in a Customer Relationship Management (CRM) system or comparable enquiry handling infrastructure.
We delete submitted enquiries when they are no longer required. We review the need to retain such enquiries every two years. They are also subject to the statutory archiving requirements.
The following sets out the content of our newsletter, the procedures for signing up to it, how it is distributed, statistical evaluation methods, as well as your rights to revoke your consent for us to send it to you. By subscribing to our newsletter, you declare your consent to receiving it as well as to the procedures described herein. Newsletter content: We distribute newsletters, e-mails and other electronic communications containing promotional material (in the following collectively referred to as "newsletters") only with the consent of the recipients or where we are allowed to do so by law. Where the content of the newsletter is specified in concrete terms during the subscription process, the content is decisive in determining the user's consent. Our newsletters also present information about our products and services and about our company.
Double opt-in and logging: We apply the so-called double opt-in method for subscriptions to our newsletter. This means that, after subscribing, you will receive an e-mail requesting you to confirm your subscription. This confirmation is necessary so that no one can sign up using someone else's e-mail address. Subscriptions to the newsletter are logged so as to document the process in accordance with legal requirements. The data logged in this process includes the time of subscribing and of confirming, as well as the user's IP address. Any changes to the data held on you by the newsletter distributor are also logged.
Subscription data: All you have to do to subscribe to the newsletter is enter your e-mail address. You can optionally also enter a name, which we urge you to do so that we can personalise the newsletter more closely.
Germany: The newsletter is distributed, and its success measured, on the basis of recipients' consent in accordance with Art. 6 (1) lit. a, Art. 7 GDPR in conjunction with Art. 7, para. 2 no. 3 of the German Act Against Unfair Competition (UWG) and based on the permission granted pursuant to Art. 7, para. 3 UWG.
The subscription process is logged on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our interest lies in operating a user-friendly and secure newsletter system, in keeping with our commercial interests and in accordance with users' expectations, which also enables us to document recipients' consent.
Cancellation/revocation - You can cancel our newsletter – i.e. revoke your consent to receive it – at any time. You will find an Unsubscribe link at the end of each newsletter. On the basis of our legitimate interests, in order to document previously granted consent, we may store cancelled e-mail addresses for up to three years before deleting them. The processing of the said data will be restricted to the purposes of defending against potential claims. Individual requests to delete are possible at any time, provided the previous existence of a consent is likewise confirmed.
The newsletter contains a so-called "web beacon", a pixel-sized file which is accessed by our server, or our contract distributor's server where appropriate, when the newsletter is opened. When it does so, it collects technical data including details of your browser and operating system, as well as your IP address and the time you opened it.
This data is used for the technical improvement of the services we offer based on the technical data or the target groups and their reading habits, such as when and where they opened the newsletter (their location being identifiable by their IP address). The statistical evaluation also includes determining whether and when the newsletter is opened and what links in it are clicked. While this information can technically be linked to the individual newsletter recipients, it is not our intention, or that of our distributors where appropriate, to monitor individual users. Rather, we use the evaluation to identify our users' reading habits and adapt our content accordingly, or to distribute differing content in line with our users' interests.
We maintain an online presence in social networks and on platforms in order to communicate with customers, interested parties and users who utilise such media and to inform them of our products and services. When users access the networks and platforms in question, they are subject to the terms and conditions and data processing standards of the relevant operators.
Unless specified otherwise in our privacy statement, we will process users' data when they communicate with us through social networks and platforms, such as when they post on our online sites or send us messages.
In pursuit of our legitimate interests (that is to say, our interest in analysing, optimising and cost-effectively operating our online offering under the terms of Art. 6 (1) lit. f. GDPR), the following data is processed for the purposes of reach analysis by Matomo: your browser program and version; your operating system; your country of origin; the dates and times you submit a request to the server; the number of visits you make to the site; your dwell time on the site; and the external links you click. Users' IP addresses are anonymised before being stored.
Users can object to the anonymised collection of their data by the Matomo program at any time, with effect for the future, by clicking the link below. In this case a so-called opt-out cookie will be stored in your browser, meaning that Matomo will no longer collect any session data from you. When users delete cookies from their systems, the opt-out cookie is also deleted, so they have to re-enable it.
The user data logs are deleted after a maximum of six months.