Data protection (European Union)
1. Scope of application
As the operator of the eCommerce One software solution, insiba Engineering hereby informs data subjects about the handling of personal data in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR). The document has been valid since August 1, 2024. Due to possible future changes to the data processing operations or due to changed legal or official requirements, it may become necessary to adapt this page.
2. Responsible persons
The controller for data processing pursuant to Art. 4 No. 7 GDPR is
- insiba Engineering, Käthe-Kollwitz-Ring 83, 76676 Graben-Neudorf.
The complete imprint can be viewed under the following link: Imprint
3. Which data is processed for which purpose
3.1. Access to the contents of the website
Each time the content of the website is accessed, data that may allow identification is temporarily stored. The following data is collected:
- Date and time of access
- Host name of the accessing computer
- IP address
- Website from which the website was accessed
- Websites that are accessed via the website
- Visited page on our website
- Amount of data transferred
- Message as to whether the retrieval was successful
- Information about the browser type and version used
- Operating system
The temporary storage of data is necessary for the course of a visit to our website and online services in order to enable the technical delivery of the website and online services. Further storage in log files takes place in order to ensure the functionality of the website and the security of the information technology systems. Our legitimate interest in data processing also lies in these purposes.
Legal basis: The data is processed on the basis of Art. 6 para. 1 letter f GDPR.
3.2. Contact us
If you contact us (e.g. via contact form, e-mail, telephone, fax), personal data will be collected. Which data is collected in the case of a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of responding to your request or for contacting you and the associated technical administration. We cannot process your request without this mandatory information. All other information is voluntary.
Processing purpose: Answering your request.
Legal basis: Art. 6 para. 1 lit. b GDPR for pre-contractual or contractual matters. Art. 6 para. 1 lit. a GDPR for your voluntary information.
Storage duration: Your data will be deleted after final processing of your request. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary. In the case of pre-contractual and contractual matters, your request will be stored until the end of the contract and processing will then be restricted. If there is no longer a legal reason for storage, the data will be deleted.
Data recipient: Email service providers for emails, hosting providers for contact form requests.
3.3. Newsletter
We send newsletters by e-mail to our customers with information about our company, our products, services, promotions and offers.
Processing purpose: Direct marketing and customer communication.
Legal basis: The mailing is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) in regular customer communication and sales promotion by means of direct marketing.
Right to object (opt-out): You can object to the sending of our newsletter at any time with effect for the future by informing us by e-mail (see above under Responsible persons), clicking on the unsubscribe link in the corresponding e-mail or deactivating the sending in your customer account.
Storage duration: Your data will be stored until you object. After that, its processing will be restricted and it will be blocked for further newsletter mailings.
Data recipient: ActiveCampaign Inc., 1 N Dearborn Suite 500 Chicago, IL 60602 US
3.4. Cookie Consent Management
In addition to storing cookies, we manage the declarations of consent of our Internet users by means of a cookie consent tool.
We use technically necessary cookies on this website and our online services to ensure that they function correctly and in accordance with the applicable laws. They help to make the website and online services more user-friendly. Some functions of our online services cannot be displayed without the use of cookies.
We also use cookies on our website and our online services that are not technically necessary. These cookies are used, among other things, to analyze the surfing behavior of the user or to offer functions of the website that are not technically necessary.
Processing purpose: Fulfillment of the legal obligation regarding consent management.
Legal basis: Art. 6 para. 1 sentence 1 lit. c GDPR
Storage duration: Until you withdraw your consent to the storage of cookies, at the latest until the respective cookie expires.
Insofar as mentioned below, we have commissioned the following service provider with consent management:
- Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark, https://www.cookiebot.com/de/
3.5. Third-party content
We have integrated Google Fonts locally on our server. This means that no data is transferred to Google, despite its use.
We have integrated Fontawesome locally on our server. This means that, despite use, no data is transferred to Fonticons, Inc.
We have integrated MDBootstrap locally on our server. This means that, despite its use, no data is transferred to StartupFlow Dawid Adach, Michał Szymański s.c.
We have integrated jQuery locally on our server. This means that no data is transferred to JS Foundation despite its use.
3.6. Opening / registering an account (customer account)
By opening a personal customer account for future orders, the following provisions apply:
Processing purpose: User contract for the personal customer account.
Legal basis: Art. 6 para. 1 lit. b GDPR. For the data voluntarily provided by you, your consent pursuant to Art. 6 para. 1 lit. a GDPR applies.
Obligation to make available: The mandatory information can be found in the registration form. We cannot open an account (customer account) without this data.
Storage duration: Your data in the customer account will be stored for as long as the user contract with us exists. Voluntary information will be stored until you withdraw your consent. Thereafter, its processing will be restricted and it will be stored for up to three years in order to be able to provide legally compliant proof of consent previously given. This is done on the basis of our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) in the verifiability of data protection compliance.
3.7. Ordering services
By ordering our services, the following provisions apply:
Processing purpose: Execution of your order.
Legal basis: Art. 6 para. 1 lit. b GDPR. For the data voluntarily provided by you, your consent pursuant to Art. 6 para. 1 lit. a GDPR applies. For other processing, Art. 6 para. 1 lit. f GDPR applies.
Legitimate interests: Debt collection and enforcement; measures for business management and further development of our services.
Data recipient: Web host of our platform (see Hosting). Payment service provider. Lawyer, debt collection agency, management consultant.
3.8. Payment processing
The following provisions apply with regard to payment for our services:
Processing purpose: Execution of your order. Processing of payment for our services.
Legal basis: Art. 6 para. 1 lit. b GDPR.
Obligation to make available: Depending on the selected payment method, you must provide us or the payment service provider with the required payment data.
Data recipient: The payment service providers used are listed below:
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - purchase on account or payment by installments via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 lit. f GDPR on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data.
- Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
With regard to data transfers to Stripe, Inc., Stripe Payments Europe refers to the decision of 10.07.2023 for the EU-US data protection framework pursuant to Art. 45 GDPR.
3.9. Legal obligation
The following provisions apply to the provision of our services within the scope of legal obligations:
Processing purpose: Fulfillment of legal obligations (e.g. information, notification, disclosure and retention obligations, payment of taxes and duties).
Legal basis: The respective legal regulation in conjunction with Art. 6 para. 1 lit. c GDPR applies.
Data recipient: Authorities, state institutions, lawyers, tax consultants, data protection officers if applicable.
4. Hosting
Our website and online services are hosted externally. The personal data collected on this online platform is stored on the hoster's servers. This includes the automatically collected and stored log files as well as all other data provided by visitors and users of our online services.
External hosting is carried out for the purpose of secure, fast and reliable provision of our online offer and in this context serves to fulfill the contract with our potential and existing customers.
Our hoster only processes data that is required to fulfill its performance obligation and acts as our processor, i.e. it is subject to our instructions. We have concluded a corresponding contract for order processing with our hoster.
We use the following hosters:
- Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg.
Legal basis: Art. 6 para. 1 lit. a, b and f GDPR, as well as § 25 para. 1 TDDDG, insofar as consent includes the storage of cookies or access to information in the terminal device of the website visitor or user within the meaning of the TDDDG.
Data recipients and storage location of your data: Amazon Web Services (AWS), EU-Central, Germany, Frankfurt location
5. Video content (YouTube)
Our website, in particular help pages and tutorials, uses the embedding function of YouTube, which belongs to Google Ireland Ltd (Google). When you visit a website with an embedded YouTube video, a connection to YouTube servers is established. YouTube is informed which pages you visit. If you are logged into your YouTube account, YouTube can assign your surfing behavior to you personally. You can prevent this by logging out of your YouTube account beforehand. When a YouTube video is started, Google uses cookies that collect information about user behavior. Further information on the purpose and scope of data collection and processing by YouTube can be found in Google's privacy policy.
Processing purpose: Provision of a comprehensive and professional online offering, including videos for training and advertising purposes. User-friendly playback without loss of context when switching to YouTube. Speed of video playback.
Legal basis: For the use of YouTube, you may give us your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, which you can revoke at any time with effect for the future by deselecting External media or YouTube in the cookie settings on our site. The evaluation by Google is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of Google's legitimate interests in the display of personalized advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
Data recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Third country transfer: Insofar as non-anonymized data is transferred to Google LLC, the data processing takes place in the USA.
Adequacy decision of the Commission: With regard to data transfers to Google LLC, we refer to the decision of 10.07.2023 for the EU-US data protection framework in accordance with Art. 45 GDPR. The list of companies participating in the EU-US data protection framework is available at https://www.dataprivacyframework.gov/
6. Duration of data storage
Unless otherwise stipulated above, the following criteria apply for determining the storage period:
- In the case of consent pursuant to Art. 6 para. 1 lit. a GDPR, the data will be stored until the data subject withdraws their consent.
- For pre-contractual and contractual purposes in accordance with Art. 6 para. 1 lit. b GDPR, the data is stored beyond the end of the contract until the expiry of relevant limitation periods (e.g. 3 years in accordance with Section 195 BGB) from the concluded contract.
- In the case of our overriding legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, the data will be stored until the data subject exercises their right to object pursuant to Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defense of legal claims.
- In the case of direct marketing in accordance with Art. 6 para. 1 lit. f GDPR, the data will be stored until the data subject exercises their right to object in accordance with Art. 21 para. 2, 3 GDPR.
- If we are subject to obligations to retain, the relevant documents will be retained until the expiry of the relevant statutory provisions (e.g. 10 or 6 years in accordance with Section 147 AO and Section 257 HGB).
- We store interest data for as long as it can be assumed that there is still interest in working with us. If we assume that there is no longer any interest, we delete this data.
- We store business partner data for as long as it can be assumed that there is still an interest in working with us. If we assume that there is no longer any interest, we will delete this data at the earliest 3 years after the end of the last business relationship, provided there are no statutory retention obligations.
- We store supplier data until the supplier objects and delete it at the earliest 3 years after the end of the last business relationship, provided there are no statutory retention obligations.
7. Data source of personal data
We process personal data that we have received from you as our customer or the recipients of personal data.
8. Obligation to provide data
As part of the performance of our contractual or statutory obligations, you as the data subject (customer) may be required to provide our company with personal data that is necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and statutory obligations. Without this data, we will refuse to conclude the contract or will no longer be able to continue and terminate an existing contract.
9. Your data protection rights
9.1. Confirmation of data processing
You have the right to request confirmation from us as to whether your personal data is being processed. The requirements for this can be found in Art. 15 GDPR.
9.2. Information
You have the right to request information about your personal data processed by us. The requirements for this can be found in Art. 15 GDPR.
9.3. Correction
You have the right to request the rectification of inaccurate personal data concerning you without undue delay. The requirements for this can be found in Art. 16 GDPR.
9.4. Deletion
You have the right to demand the immediate erasure of personal data concerning you. The requirements for this can be found in Art. 17 GDPR.
9.5. Restriction of processing
You have the right to request the restriction of the processing of your personal data. The requirements for this can be found in Art. 18 GDPR.
9.6. Data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to have this data transmitted by us to another controller. The requirements for this can be found in Art. 20 GDPR.
9.7. Revocation of consent
You have the right to withdraw your consent at any time if the processing is based on Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR. The data processing remains lawful until revocation. The revocation only applies to the future. The requirements for this can be found in Art. 7 (3) GDPR.
9.8. Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR. The requirements for this can be found in Art. 77 GDPR. You can contact the supervisory authority responsible for the controller or the supervisory authority in your country or federal state. You can find a list of all supervisory authorities here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html