Data Protection Declaration in accordance with the General Data Protection Regulation (“GDPR”)
I. Name and address of data controller and processor
The data controller within the meaning of the GDPR and other member states’ national data protection legislations and other data protection regulations is:
Mail Order Finance GmbH
Mail Order Finance UK
C/O Stokoe Roger
The data processor within the meaning of the GDPR and other member states’ national data protection legislations and other data protection regulations is:
K-Mail Order GmbH & Co. KG
Data Protection Officer
II. Contact regarding Data Protection
If you have any questions regarding our Data Protection Declaration, please contact us by email at email@example.com
III. Fundamental information regarding the processing of your personal data
1. What is “processing personal data”?
Personal data as defined by GDPR is any information relating to an identified or identifiable natural person, who can be directly or indirectly identified, for example by your name, address, date of birth and so on.
In addition, this definition includes identification numbers if the identification number can unequivocally be allocated to a person, for example your telephone number, your customer number with us, your email address, your bank account and credit card details, or the internet address of your computer.
If this information has been anonymised and can no longer be allocated to a specific person (“anonymising”), it is no longer personal data.
“Processing personal data” includes everything that can be done with this personal data, i.e. collection, recording, storage, adaptation or alteration, consultation, transferring, alignment, combination or erasure.
2. We only process your data in accordance with one of the legal grounds under article 6 GDPR
Processing personal data is only allowed if there is a lawful basis to do so, for example if you have given your consent, if you want to purchase items from us or if we have a legitimate interest to process the data.
We process your personal data to process an order placed by you on our internet sites (i.e. if you conclude a sales contract with us).
This data includes for example information about which items you have placed in the online shopping basket (even if only placed there temporarily) or information regarding which items you ordered at what time.
Provided you agree and have given us your consent, we will also collect and process further information about you, for example regarding how you visit and use our internet sites or if you order a copy of our newsletter. With this additional information we can improve the quality of our internet sites and improve our services to you.
We require your consent (unless we have obtained your consent previously) for any information that goes beyond the actual processing of your order, for example for:
- Sending you a newsletter
- Calling you for service and advertising purposes (“Outbound Telephony”)
An exception to obtaining your consent applies to cases where it is not possible to obtain your prior consent but the processing of your data is permitted by law.
Besides obtaining your consent, we may also process your personal data if the processing is necessary for the purposes of a legitimate interest pursued by our group of companies (pursuant to section 15 Aktiengesetz/Corporation Law) or the interests of a “third party” (article 6(1) (f) GDPR).
This legitimate interest of our group of companies exists, for example, for:
- Email advertising to our existing customers
- Providing your address for advertising purposes to third parties, or rather within our group of companies (pursuant to section 15 Aktiengesetz/Corporation Law)
- Print advertising
If we want to assert our legitimate interest to process your data, GDPR requires that we consider first whether your personal rights and freedoms override our legitimate interest.
3. We save your personal data for no longer than necessary
Your personal data will be deleted once it is no longer required and none of the above mentioned legal grounds to keep the data apply. However, a duty of retention may apply because of certain legal requirements which we must comply with.
We can keep your data for longer, for example to improve our services to you, provided you have given us your consent or if we have a legitimate interest to do so.
If we are unable to delete your personal data for technical reasons, your data will in any event be excluded from further processing (it will be “blocked”).
4. Data security: Data transfer with SSL
We understand that data protection for online shopping is important to you. This is why your personal data (address, customer number, purchase dates…) will be encrypted before it is transferred from our forms by using the so-called SSL technology (Secure Socket Layer SSL 3.0, RC4 with 128-bit encryption (high), RSA 1024 bits - depending on the browser used). This protects the data against unauthorised access. You can recognise a secured connection if the internet address begins with https://... instead of http://.... Your browser will also show a closed padlock.
Further information regarding our SSL certificate can be found by double clicking on the displayed padlock.
IV. Why do we process your personal data?
Example 1: Processing your personal data for technical reasons
When you visit our website, our systems automatically record some data from your device for technical reasons.
It includes the following information:
- Information about the type and version of your internet browser;
- Operating system of your device;
- Your internet service provider;
- Your internet address (“IP address”);
- Date and time of your access;
- Internet sites which led you to our website; and
- Internet sites which you access from our website.
We collect and process this technical data in so-called “Logfiles”. The purpose of processing the information is twofold: on the one hand, it enables you to view our internet site correctly and ensures that we can investigate potential technical problems and on the other hand, it enables the technical optimisation of our website and the security of our computer systems and networks.
The data is deleted as soon as it is no longer needed for the purpose for which it was collected. Typically this technical information will be deleted or made unrecognisable after seven days.
Example 2: Recording your user habits
In order for us to provide the best possible service to our customers, for example through internet websites which are tailored to your wishes, we record your activities on our internet websites.
Our internet sites use so-called “Cookies”. Cookies are small text files which are stored locally on your computer system when you access our internet sites. Each of these text files has a character string which allows us to identify your computer system (in other words, your browser) when you revisit our websites next time.
We use these Cookies to analyse how you use our internet sites so that we can constantly optimise our offer to you. For example, we know which sites you like to view, which items you searched for and, if applicable, which articles have already been placed in the online shopping basket.
An overview of the Cookies we use can be found in the attached file:
We have already requested your consent to use these Cookies when you access our website. The processing of Cookies is also based on article 6 GDPR, as mentioned above.
If you no longer agree with the use of these Cookies on your computer, you can delete the Cookies in your browser at any time and also prevent future storage of Cookies. In this case, our websites may not work as well as they usually do because of the missing information.
Web analysis with Google Analytics
This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses so-called “Cookies”, text files which are stored locally on your computer, allowing them to analyse your usage of the website. The information generated through the Cookie is usually transmitted and stored to a Google server in the United States. However, if IP anonymisation is activated on the website, your IP address will be shortened by Google in member states of the EU or other parties to the agreement on the European Economic Area before it is sent to the United States. The full IP address will only be sent to a Google server and shortened in the US in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports regarding website activity and to provide other services related to website activity and internet usage. The IP address provided by Google Analytics will not be merged with other Google data.
You can prevent the storage of “Cookies” by setting your browser software accordingly. However, please note that you then may not be able to use all of the features of this website to their fullest. You can also prevent the collection of the data generated by Cookies and prevent the recording of your data related to your use of the website (including your IP address) by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de
This website uses the Google Analytics demographic reports which use interest-based advertising data from Google and also visitor data provided by third parties (such as age, gender and interests). This data cannot be attributed to a particular person and can be disabled at any time in the settings. We also use Google Analytics to analyse data from AdWords and the Double-Click-Cookie for statistical purposes. If you do not want this, you can disable this in your settings by using the following link: https://adssettings.google.com/authenticated?hl=de
You can find more information about the terms and conditions and data protection by accessing the following links:
Please note that on this website, Google Analytics has been extended to ensure an anonymous collection of IP addresses (so-called IP masking) by using the code “_gaq.push(['_gat._anonymizeIp']);”.
Example 3: Distribution of our digital newsletters
On our website, you are able to subscribe to our free digital newsletter. We use your email address entered upon subscription (which demonstrates your consent) to distribute the newsletter to you.
We also register the date and time of your registration and your IP address. This technical data is intended to prevent misuse of the online form and to ensure the security of our computer systems and networks.
By subscribing to our newsletter you also agree that we may use your usage data to create pseudonymised usage profiles for market research, advertising or customisation of newsletters.
The newsletter is sent with your consent.
If you no longer wish to receive our newsletter, you can cancel the subscription any time without notice. Please call us or send us an email and we will delete your email address from our newsletter recipient list or add it to a Blocked List.
Example 4: You order a product
If you order a product from us, we record the necessary data in order to conclude the order (which includes, for example, your name and your address).
In addition, we also collect dates of birth of new customers, telephone numbers and, if necessary, an email address to enable us to contact you for any queries regarding your order and/or in case of an internet order to send you an order confirmation. The postal address is used to send catalogues and current offers to you.
If you have purchased goods or services from our website and have left your email address, this can also be used by us to send advertising emails. These emails are for existing customers and offer you the same or similar items.
Example 5: You register as an online customer with us
On our internet site you have the possibility to register as an online customer. The activation of your online account is based on your customer number and your personal data which you shared with us when placing an order. As an online customer, you can check the delivery status of your orders, cancel an item or check receipt of your payment.
The technical data which is collected once you send the registration form is intended to prevent misuse and to ensure the security of our computer systems and networks.
If you no longer wish to use your account, it can be deactivated. Please send us an email. The final deletion of your account will occur once any open purchases and payment transactions have been completed and the statutory retention periods have expired.
Example 6: You contact us
You can access a “contact us” form on our website which you can use to contact the business electronically. You can also send us an email or use our online chat.
In order to process your data when you use the “contact us” form, your consent is assumed when the form is submitted.
The technical data which is recorded when the form is submitted is intended to prevent misuse and to ensure the security of our computer systems and networks.
As an alternative, you can contact us through the email address made available to you. In this case (and your consent is given by doing so), the personal data transmitted by your email will be stored. This data is also used exclusively to deal with your contacting us.
Your personal data collected from you contacting us will be deleted as soon as it is no longer required to deal with your enquiry. If you have a customer account with us, we will store the data for the purpose of your “customer history” on your customer account.
Any additional technical data collected during the contacting process will be deleted after 7 days.
Example 7: We provide your data to third parties
For your order placement, shipping, processing and maintaining customer data, we pass personal data on to specialised service providers such as call centres, delivery service providers and EDP service providers or for advertising purposes to other trading companies.
We use your personal data within our group of companies and disclose your data to carefully chosen third parties in accordance with the rules under GDPR for advertising. You can object any time to the use of your data for advertising purposes by notifying us in writing by post or by email at the above mentioned contact details.
Example 8: Credit assessment
In order to safeguard our legitimate interests, we may transfer personal data required to complete credit checks to certain scoring companies.
We check your credit rating based on a scientifically recognised mathematical-statistical procedure which includes, inter alia, your address. We use the information obtained for further decisions regarding the contractual relationship with you. Your legitimate interests will be taken into account in accordance with the law. We obtain our credit information from the following companies: CRIF Bürgel GmbH, Radlkoferstr. 2, 81373 Munich.
V. Your rights
If we process your personal data, you have certain rights provided you have sufficiently identified yourself as a “data subject” as defined by the GDPR.
1. Right to be informed
You can request confirmation from our business whether we process your personal data.
If your data is being processed, in accordance with GDPR, you can enquire about a variety of information such as
(1) the purposes of the processing of your personal data;
(2) the categories of personal data which is being processed;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged periods for which the personal data will be stored or, if it is not possible to identify a specific period, the criteria used to determine that period;
(5) the existence of the right to rectification or erasure of your personal data, the right to restriction of processing by our business or the right to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) all available information about the source of your personal data, where your personal data has not been collected from you;
(8) the existence of automated decision-making, including profiling, referred to in article 22(1) and 22(4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
You have the right to ask for information about whether your personal data are transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to article 46 GDPR relating to the transfer.
2. Right to rectification
You have the right to have inaccurate personal data rectified and/or incomplete personal data completed. We will make the rectification and/or completion without delay.
3. Right to restriction of processing
In certain circumstances, you have the right to request the restriction of processing of your personal data.
(1) If you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
(2) If the processing is unlawful and you oppose the erasure of your personal data and request a restriction of their use instead;
(3) If we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
(4) If you have objected to processing pending the verification whether the legitimate grounds of our group of companies and associated subsidiaries override your legitimate interests.
Where processing of your personal data has been restricted, we shall only process such personal data, with the exception of storage, with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
If processing your personal data has been restricted in accordance with the above mentioned conditions, we will inform you before the restriction is lifted.
4. Right to erasure
In certain circumstances, you have the right to obtain from us the erasure of personal data without undue delay and we shall then have the obligation to erase your personal data without undue delay.
(1) If the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) If you withdraw your consent (see below); or where there is no other legal ground for the processing
(3) If you object to the processing (see below) and there are no overriding legitimate grounds for the processing;
(4) If we have processed the personal data unlawfully;
(5) The personal data has to be erased for compliance with a legal obligation in Union or Member State law.
Where we have made your personal data public and we are obliged to erase your personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, to inform other businesses which are processing your personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data (“right to be forgotten”).
You cannot exercise your right to erasure to the extent that processing is necessary:
(1) For exercising the right of freedom of expression and information;
(2) For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with article 9(2)(h), 9(2)(i) and 9(3) GDPR; or
(4) for the establishment, exercise or defence of legal claims.
5. Our Obligation to notify third parties
If you have exercised one of your rights to rectification, erasure or restriction against us, we are obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You also have the right to be informed by us about those recipients.
6. Right to data portability
You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format. You also have the right to request that we transmit this data directly to another organisation, provided this is technically feasible. Rights and freedoms of others cannot be adversely affected.
7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, without you incurring further costs apart from connection costs; this also includes profiling based on these provisions and mailing to existing customers.
We shall then no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where you object to processing for direct marketing purposes, we shall no longer process your personal data for such purposes.
8. Right to withdraw consent
You shall have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and us,
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
In the cases referred to in points (1) and (3) above, the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number