Information on the handling of personal data
Name and address of Data Processing ControllerMERCHCOWBOY GmbH & Co. KG
Carsten Ehlich, Tobias Richter
Tel: +49 (0)251 - 239 4899-5
Data Protection OfficerMartina Brinkmann
Cortina Consult GmbH
Tel: +49 (0)251 - 29 79 47 40
Rights of Data Subjects
Chapter III of the EU General Data Protection Regulation (GDPR) lays down extensive rights for so-called “data subjects” (i.e. persons whose personal data is processed by us), which we wish to detail in relation to the handling of your personal data as follows:
Right to information
This requirement applies in particular to information relating to the following aspects of the data processing:
- Purposes of the processing
- Categories of data
- Recipients or categories of recipients
- Planned duration of retention (i.e. storage) of the data and/or the criteria for determining the duration
- Information in each case on the right of rectification, erasure, restriction or objection
- Right to lodge a complaint with a supervisory authority
- Source of the data (if not collected from you)
- The existence of automated decision-making, including profiling, as well as meaningful information on the logic involved and also on the significance and envisaged consequences of such processing
- Transfer of the data to a third country or an international organization
Right to rectification (i.e. correction)
We will rectify incorrect data without delay on being informed of the circumstances by you.
Right to erasure (“right to be forgotten”)
If processing of the data is no longer necessary and any of the following preconditions is fulfilled:
- The purpose for which the data was collected no longer applies
- You withdraw your consent and no other legal basis for processing of the data exists
- You object to processing of the data and no other overriding legitimate grounds for the processing exist
- Processing of the data is unlawful
- Erasure is necessary for compliance with a legal obligation
- The data was collected under Article 8 (1) GDPR
In connection with your request for erasure, we will also transmit your request to any third parties to whom your data has been previously transmitted.
Right to restriction on processing
This right exists if any of the following preconditions exist:
- The accuracy of the personal data is contested by you (the restriction on processing may apply for the time needed for us to verify the accuracy of the data)
- Processing of the data is unlawful but erasure of the data is not desired; in this case, a restriction on processing will apply instead of erasure
- The original processing purposes no longer apply, but you nevertheless need the data for the establishment, exercise or defence of legal claims
- You have lodged an objection pursuant to Article 21 (1) GDPR, and a restriction on processing applies for the duration of the review whether our legitimate grounds override yours
Right to data portability
Provided it is technically possible to do so and would not infringe the rights and freedoms of other persons, we will, on your request, transmit your data to another recipient (controller).
Right to object
If we collect, or have collected, personal data from you (in accordance with Article 6 (1) (e) or (f) or Article Art 9 (2) (a) GDPR) and engage in processing of the said data, you have the right at any time (with effect for the future) to object to processing of the data (including profiling). In exceptional cases, the objection may be ineffective, e.g. if we can show that compelling legitimate interests exist for the processing which override your own interests or that processing is necessary for the purpose of establishing, exercising or defending legal claims. Should we process your personal data for the purpose of direct marketing activities, you have the right to object to such processing at any time. The same also applies to profiling if used in connection with such direct marketing. You also have the right to object to processing of your data which is conducted by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, except where such processing is necessary for the fulfilment of a purpose lying in the public interest.
Automated individual decision-making, including profiling
If we collect, or have collected, and process personal data from you, you have the right not to be subject to any decision taken solely on the basis of automated processing — including profiling — which would have legal effects for you or would otherwise similarly significantly affect you. Exceptions to this are if the decision is necessary for the conclusion or performance of a contract between you and ourselves or if you have expressly consented to such processing. In all cases, we take appropriate measures to protect your rights and freedoms and your legitimate interests, which shall include at least the right to obtain human intervention on our part, to express your own point of view and to contest the decision.
Right to revoke consent under data protection law
You have the right to revoke consent to the processing of your personal data at any time.
Right to lodge a complaint with a supervisory authority
You can obtain a list of the supervisory authorities with responsibility in Germany from the website of the Federal Data Protection Officer (“Bundesbeauftragter für Datenschutz”)
General information on data processing on our website
The following information applies to the processing of data on our website in general. Where deviations from or additions to this information apply, they are described in detail in the sections concerned.
Information on data safety and security
We secure our website and other systems through technical and organizational measures against loss, destruction, access, modification or processing of your data by unauthorized persons. Furthermore, we have implemented SSL encryption (SHA256) on our website in order to safeguard your data. However, despite regular monitoring, complete protection against all risks is not possible.
Legal basis of processing
Depending on the nature and purpose of the processing, we process personal data in accordance with the provisions of the General Data Protection Regulation as follows:
- Informed consent - Article 6 (1) (a)
- Performance of a contract - Article 6 (1) (b)
- Performance of steps prior to entering into a contract - Article 6 (1) (b)
- Compliance with legal obligations - Article 6 (1) (c)
- Protection of vital interests - Article 6 (1) (d)
- Protection of our legitimate interest - Article 6 (1) (f)
Our legitimate interest
Our legitimate interest as defined pursuant to Article (1) (f) GDPR is based on the conduct of our business activity for the maintenance of our operational ability and safeguarding the employment of our employees.
General deadlines for the erasure of data
On cessation of the purpose for which the data was originally stored, the retention periods normally amount to at least six or ten years. Under our erasure scheme, data is generally erased (deleted) as soon as it is no longer subject to a retention requirement, a need relating to contract performance, or a legitimate interest.
Erasure or blocking of personal data
We retain your personal data only for the period of time necessary for fulfilment of the stipulated purpose. On cessation of the purpose and on termination of any retention periods as may apply, your data will be erased (deleted) immediately. If erasure should not be possible, your data will be blocked instead.
Collection of general data and information
As soon as you visit our website, certain general data and technical information, without which a visit to the website would not be possible, are collected by our web server (log data). This includes: Types and versions of browsers used. Date and time of access to the website, as well as the visitor’s IP address and internet service provider
Information on special data processing on the website
In addition to the general information indicated above, the following provides details of specific data processing activities on our website.
On our website we offer you the possibility of real-time checking of certain entries for input errors in our web shop's address forms. This is to avoid problems with the delivery of the products ordered by you due to incorrect information (e.g. errors due to auto-completion, forgotten house number, etc.). For the provision of these functions we use the service provider Endereco, Balthasar-Neumann-Straße 4b, 97236 Randersacker, Germany. The service provider processes the data exclusively according to our instructions. The legal basis for the transmission, processing and temporary storage of the data with the service provider is Art. 6 Para. 1 lit. b of the General Data Protection Regulation, as it is absolutely necessary for the fulfilment of the contract or for the implementation of pre-contractual measures that some of the data entered by you in the input mask is checked for accuracy. The service provider processes the following data:
- Address (country, city, postal code, street, house number)
The data is processed separately by the service provider and is not merged. The requests are deleted by the service provider as soon as the status of the entered data has been determined and storage in the web shop has been completed, but at the latest after 30 days.
You have the possibility to complete a contact form on our website. This enables us to obtain feedback from you with the aim of improving our service and making contact with you if desired. In order to process your inquiries and respond to them if and as necessary, we need your email address and optionally your first name and last name. The legal basis for such processing is the protection of our legitimate interest (Article 6 (1) (f)) and/or the performance of steps prior to entering into a contract (Article 6 (1) (b)). We will not transmit your data to third parties, and in this context we also undertake not to rely on any automated decision-making.
A customer account offers you many advantages. For example, it allows the efficient handling of complaints and the purchase of products. In this context, we process your email address, last name (surname), postcode, street, house number, title, first name, place (town/city), and country/state. This is also important for unique identification of the customer account, delivery, payment transactions and authentication, and for enabling independent resetting of passwords. The legal basis for this is the performance of a contract pursuant to Article 6 (1) (b) GDPR. Within the context of processing, the data are transmitted to parcel service, logistics service and payment service providers. The data (in the required fields) must be provided for purposes of the underlying contract. In this context, we undertake not to rely on any automated decision-making. You can request erasure (deletion) of your data at any time by email.
Web tracking technologies - managed with Usercentrics
To ensure management of all cookies as well as website and tracking technologies that are subject to consent or optout in a manner compliant with data protection regulations, we use the consent management platform of Usercentrics GmbH, Rosental 4, 80331 München [Munich], Germany, with which we have integrated the following services:
We use the Cloudfront service. This is a content delivery network operated by Amazon Web Services. This allows us to guarantee fast loading times and increased reliability, among other things. By using the service, your IP address is transmitted to Amazon web servers in the EU. This data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f EU-GDPR.