Privacy Statement

This privacy statement informs you about the form, extent and use of personal data (hereinafter referred to as  “data”) within our online service and the linked websites, functions and contents as well as external online entities, such as social media profiles (hereinafter referred to as “online service”). With regard to the terminology used, for example, “use” or “responsible”, we refer to the definitions given in Art. 4 of the General Data Protection Regulation (DSGVO).

​

Responsible Entity

Carte blanche Media GmbH, August-Bebel-Str. 26-53, 14482 Potsdam, Germany

​

Nature of the Processed Data

• Inventory Data (e.g., names, addresses)

• Contact Data (e.g., email, telephone numbers)

• Content Data (e.g., text input, photographs, videos)

• Usage Data (e.g. ,sites visited, interest in contents, access times)

• Metadata, Communication Data (e.g. device information, IP addresses)

​

Categories of Data Subjects

Visitors and users of the online services (hereinafter referred to as “users”)

​

Purpose of Processing

• To make the online services available: their functions and contents

• Responses to contact requests and communication with users

• Security Measures

• Range Measurement/Marketing

​

Terminology Used

“Personal Data” means any information relating to an identified or identifiable natural person (data subject), who can be identified directly or indirectly, using online identifiers such as their name, identification number, site data, online identifiers (e.g. cookies) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

The processing of personal data is any action carried out with or without the assistance of automated processes or any operation which is performed upon personal data. The term has a broad meaning and encompasses essentially every use of data.

“Pseudonymization” means processing personal data in such a manner that the personal data can no longer be attributed to specific persons without access to additional information, provided that said information is kept separately and protected by technical and organizational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person.

“Profiliing” means every type of automated processing of personal data that consists of using the personal data to evaluate certain personal aspects of natural persons, in particular: to analyze or predict aspects of a natural person’s work capacity, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or change of location.

The “person responsible” means any natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor” means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the person responsible.

​

Relevant Legal Basis

In accordance with the statutory regulations of Art. 13 of the DSGVO/GDPR, we inform you of the legal basis of our data processing. Except as otherwise described in this privacy statement, the following applies: The legal basis for the acquisition of consent is Art. 6, 1 lit a and Art. 7 DSGVO/GDPR, the legal basis for processing data until our services have been completed and the contractual measures as well as responses to enquiries have been carried out is Art. 6 1 lit b DSGVO/GDPR, the legal basis for processing the fulfillment of our legal obligations is Art. 6 1 lit c DSGVO/GDPR, and the legal basis for processing the protection of our legitimate interests is Art. 6 1 lit f DSGVO/GDPR. In the event that processing personal data is necessary for the vital interests of the data subject or another natural person Art. 6 1 lit d DSGVO/GDPR should serve as the legal basis.

​

Security Measures

In accordance with the measures of Art. 32 DSGVO/GDPR and taking account of technical progress, the implementation costs and the type, extent, circumstances and purpose of processing as well as the varying probability of occurrence and the severity of the risk for the rights and freedom of natural persons, we take appropriate technical and organizational measures to effectively provide an adequate level of protection.

Those measures include, in particular, safeguarding confidentiality, integrity and availability of data by controlling physical access to data as well as controlling the specific access to, the input of, the transfer of, the secure availability of and the separation of data. Furthermore, we have implemented processes which guarantee the rights of the persons affected, the deletion of data and the reactions to the risk of endangered data. In addition, we already take into account the protection of personal data in developing and/or selecting hardware, software and processes, according to the principle of privacy through technology design and through privacy by default settings (Art. 25 DSGVO/GDPR).

 

Cooperation with Data Processors and Third Parties

In cases where we disclose data to other persons and firms (processors or third parties), or transfer data to them or grant them access to data, this is only done on the basis of legal permission in regard to the fulfillment of our contractual obligations, or on the basis of your permission (e.g. when data are transferred to a third party, as is required with payment service providers in accordance with Art. 6, 1 lit b DSGVO/GDPR for the fulfillment of a contract), or when you have approved, or a legal obligation requires it, or on the basis of our legitimate interest (e.g. by deploying authorized persons, webhosts, etc.).

In cases where we commission third parties to process data on the basis of a so-called “personal service contract”, it is done in accordance with Art. 28 DSGVO/GDPR.

​

Transfer to Third Countries

In cases where we have data processed in a third country (i.e. outside the EU or the EEA), or we utilize services of third parties or disclose or transfer data to third persons, for example, this is done only when it serves to fulfill our (pre-)contractual obligations, on the basis of your permission, due to legal or contractual permission, or on the basis of our legitimate interests. Subject to legal or contractual permission, we only process the data – or have them processed in a third country when the specific prerequisites of Art. 44 et seq. DSGVO/GDPR have been met, i.e., processing is carried out, e.g. on the basis of special guaranties, such as the officially recognized assessment of a data protection level (e.g. for the USA by means of “Privacy Shield” or by complying with officially recognized specific contractual obligations (so-called “standard contractual clauses).

 

Rights of Persons Concerned

• You have the right to obtain confirmation whether specific data have been processed and to request information about the data and further information and a copy of the data in accordance with Art. 15 DSGVO/GDPR. 

• You have the right in accordance with Art. 16 DSGVO/GDPR to request that specific data should be completed, or corrected when incomplete or incorrect.

• You have the right pursuant to Art. 17 DSGVO/GDPR to request that specific data should be immediately deleted or that pursuant to Art. 18 DSGVO/GDPR the processing of specific data should be limited.

• You have the right to request that you obtain specific data which you have provided us with pursuant to Art. 20 DSGVO/GDPR and to demand that the data be transferred to other responsible parties.

• Furthermore, you have the right in accordance with Art. 77 DSGVO/GDPR to submit a complaint to the responsible regulatory agency.

​

Right of Revocation

You have the right to cancel a consent with effect for the future in accordance with Art. 7 Section 3 DSGVO/GDPR.

​

Right of Objection

You are entitled to object to the future processing of specific data in accordance with Art. 21 DSGVO/GDPR at any time. The objection can be lodged, in particular, against processing for purposes of direct marketing.

​

Cookies and the Right of Objection in Regard to Direct Marketing

“Cookies” are small files that are normally stored on the hard drive of a user’s computer. Within the cookies various data can be stored. A cookie primarily serves the purpose of storing data about a user (or about the device on which the cookie is stored) while the user is visiting an online offer. Temporary cookies or “session cookies” or “transient cookies” are cookies which are deleted after a user leaves an online offer and closes the browser. The contents of a shopping cart in an online shop or a login status can be stored in those cookies, for example. “Permanent” or “persistent” cookies remain stored even after the browser has been closed. So, for example, the login status can still be stored when the user visits this site days later. In the same way, the user’s interests can also be stored in a cookie which is used for range measurement or marketing purposes. “Third-party cookies” are offered by providers other than those responsible for the online offer (on the other hand, when we only talk about those responsible for the online offer we speak of “first-party cookies”.

We can use temporary and permanent cookies and clarify their use in our privacy statement. 

If the user does not want cookies to be stored on their computer, they can deactivate the relevant option in the system settings for their browser. Stored cookies can be deleted at any time in the browser’s system settings. The exclusion of cookies can lead to functional limitations of the online offer. 

A universal objection against the use of cookies for purposes of online marketing can be explained by a number of service providers, especially in the case of tracking, e.g. through the US website http://.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, cookies can be deactivated in the browser’s system settings. But, please, keep in mind that potentially not all the functions of an online offer can be used.

​

Deletion of Data

The data we process are deleted in accordance with Art. 17 and 18 DSGVO/GDPR or limited in their processing. Unless otherwise explicitly specified, the data we store are deleted when no longer needed for their original purpose and there are no statutory storage obligations that restrict their deletion. If the data are not deleted, because they are needed for other legally admissible purposes, their processing will be limited. That means: the data will be blocked and not processed for other purposes. That applies, for example, to data which must be stored for commercial or tax purposes.

According to legal specifications in Germany, statutory storage obligation is required especially for 10 years in pursuant to Art. 147 Section, 1 AO, 257, Paragraph 1 No. 1 and 4, Paragraph 4 HGB (books, memos, status reports, vouchers, account books, documents relevant for taxation, etc.) and for 5 years pursuant to Art. 257, 1 No. 2 and 3, Paragraph 4 HGB (account books). 

According to legal specifications in Austria, statutory storage obligation is required especially for 7 years pursuant to Art. 132, 1 BAO (bookkeeping documents, invoices, accounts, receipts, business documents, list of revenue and expenses, etc.), for 22 years in connection with property and for 10 years in connection with electronically rendered services, telecommunications, radio and television services that were rendered for non-entrepreneurial services in EU member countries and utilized for the Mini One Shop Shop (MOSS).

​

Company-related Processing

In addition we process

• Contract data /e.g., contractual object, term, customer category)

• Payment details (e.g., bank details, payment history) of our customers, prospective customers and business partners for the purpose of rendering contractual services, service and customer care, marketing, advertising and market research.

​

Hosting and Email Dispatch

The hosting services we make use of serve the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch and security as well as technical maintenance services which we utilize to operate this online offer.

In doing so, we or our hosting companies process the inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, prospective customers and visitors of our online offer on the basis of our legitimate interests in maintaining an efficient and secure online offer pursuant to Art. 6, Section 1 lit f DSGVO in connection with Ar. 28 DSGVO (conclusion of contract for processing).

We or our hosting companies collect data on the basis of out legitimate interests in accordance with Art. 6, Section 1 lit f DSGVO every time the server is accessed which offers the specific service (so-called server log files). Included in the access data are the name of the accessed website, the file, the date and time of access, the transferred volume of data, the browser type plus version, the user’s operating system, the referrer URL (the site visited beforehand), the IP address and the enquiring provider.

Log file information is stored for security reasons (e.g., to investigate cases of abuse and fraud) for a duration of 7 days and then deleted. Data which are necessary for the completion of any investigation are exempted from this regulation.

​

Inclusion of Services and the Contents of Third Parties

Within our online offer, we utilize content and service offers of third parties to include their contents and services, e.g., videos or fonts (subsequently referred to as ´”contents”) on the basis of our legitimate interests (interest in analysis, optimization and economic operation of our online offer in accordance with Art. 6, Section 1 lit f. FSGVO).

This always assumes that the third parties of these contents recognize the IP address of users, since they couldn’t send the contents to the browser without the IP address. So the IP address is necessary to present the contents. We make every effort to use contents of providers who only use the IP address of users for delivering the contents. Furthermore, third-party providers can also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical and marketing purposes. By using pixel tags, information, such as website visitor traffic, can be evaluated. The pseudonymized information can also be stored in cookies on the browsers of users, including, for example, technical information about the browser and the operating system, referring websites and visiting times, as well as further information about the use of our online offer and contents connected to information from other sources.

​

Youtube

We incorporate videos from the platform “YouTube” from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Privacy Statement: https://www.google.com/policies/privacy/, 

Opt-Out: https://adssettings.google.com/authenticated.

​