Data Protection according to GDPR

I. Data Protection

The provider (Twentyone Brands GmbH) expressly points out that data transmission on the Internet (e.g. e-mail communication) has security gaps and cannot be completely protected against access by third parties. Using our contact details as stated in the legal notice for advertising purposes is expressly forbidden, unless the provider has previously given their written consent or a business relationship already exists. The provider and all persons named on this website hereby object to any commercial use and transmission of their data.

II. Personal Data

You can visit our website without providing personal information. If a contractual relationship is established between us, designed or modified in content or you send us a request, we shall collect and use your personal data insofar as is necessary for these purposes (stock data). We collect, process and use personal data as far as is necessary in order to enable you to use the website (usage data). Upon the instruction of the competent authorities, we may in individual cases provide information concerning this data (stock data), insofar as this is necessary for purposes of law enforcement, security, fulfilment of statutory duties of the Federal Office for the Protection of the Constitution or the Military Counter-Intelligence Agency or for the enforcement of intellectual property rights.

III. Name and address of the data controller

The data controller as defined by the General Data Protection Regulation and other national data protection laws of the European Member States and other data protection regulations is:

Twentyone Brands GmbH
Humboldtstrasse 9
65189 Wiesbaden
Germany

T +49 (0)611 1666 190
F +49 (0)611 1666 1999

info@twentyone-brands.com
www.twentyone-brands.com

IV. General information on data processing

1. Scope of personal data processing

In principle we only collect and use the personal data of our users to the extent necessary for the provision of a functional website and our content and services. The collection and use of the personal data of our users only takes place with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for personal data processing

Insofar as we obtain the consent of the data subject for personal data processing, Art. 6 Para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for personal data processing. In the processing of personal data necessary for the fulfilment of a contract to which the data subject is party, Art. 6 Para. 1 lit. b of the GDPR applies as legal basis. This also applies for processing required for the execution of pre-contractual measures. If personal data processing is required to fulfil a legal obligation to be met by our company, Art. 6 Para. 1 lit. c of the GDPR applies as legal basis. In the event that vital interests of the data subject or another natural person require personal data processing, Art. 6 Para. 1 lit. d of the GDPR applies as legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not prevail over the former interest, Art. 6, Para. 1 lit. f of the GDPR applies as legal basis for processing.

3. Data deletion and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose for the storage expires. Such storage may also take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the data controller is subject. The data may also be blocked or deleted when a storage period stipulated by the aforementioned regulations expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

V. Website provision and log file creation

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:

(1) Information about the browser type and version used
(2) The user’s operating system
(3) The user’s Internet service provider
(4) The user’s IP address
(5) Date and time of access
(6) Websites from which the user’s system comes to our website
(7) Websites that are accessed by the user’s system via our website

Data will also be stored in log files on our system. This data is not stored together with other personal data relating to the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 Para. 1 lit. f of the GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this, the user’s IP address needs to be stored for the duration of the session.

Storage in log files is done to ensure the functionality of the website. We also use the data to optimise the website and ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context.

Our legitimate interest in the processing of data also lies in these purposes, in accordance with Art. 6 Para. 1 lit. f of the GDPR.

4. Storage duration

Data will be deleted as soon as its storage is no longer necessary to achieve the purpose of its collection. In the case of data collection for website provision, this shall happen after the respective session has ended.

In the case of data storage in log files, this will happen within a maximum of seven days. Additional storage is possible. In this case, the users’ IP addresses will be deleted or encrypted, thus preventing them from being assigned to the respective user.

5. Possibility to object and remove

Data collection for website provision and data storage in log files is essential for the operation of the website. As a result, the user is unable to object.

VI. Use of Google Maps

Our website uses Google Maps API, a map service provided by Google Inc. (hereinafter: Google) to present an interactive map. Through the use of Google Maps, information concerning the use of the website (including the user’s IP address) may be transferred and saved on a Google serve in the USA. Google will pass the information obtained through Google Maps on to third parties providing the law permits or said third party processes this data on behalf of Google. Google will not associate the user’s IP address with any other data stored by Google. Despite this, it is still technically possible for Google to identify individual users based on the data recorded. It is also possible that personal data and the personal profiles of users are used by Google for other purposes, over which we do not and cannot have any control. This, coupled with the fact that data is transmitted to the USA, is problematic for privacy reasons.

The user has the option to disable the Google Maps service and prevent data transfer to Google. To do this, JavaScript needs to be disabled in the user’s browser. In this case, the map display cannot be used.

By using this website and not deactivating JavaScript, the user expressly agrees to the processing of their data by Google as described above for the aforementioned purpose.

VII. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in or by the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on their operating system. This cookie contains a characteristic string that enables the browser to be uniquely identified when the browser is reopened.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after changing page.

The following data is stored and transmitted in the cookies:

(1) Language settings
(2) Log-in information

We also use cookies on our website that enable an analysis of users’ browsing habits.

This way, the following data can be transmitted:

(1) Search terms entered
(2) Frequency of page views
(3) Use of website features

The user data collected in this way is anonymised through technical provisions. As a result, it is no longer possible to assign the data to the user. The data is not stored together with any other personal data relating to the user.

When visiting our website, users are informed about the use of cookies for analysis purposes via an info banner. In this context, there is also a note explaining how to prevent the storage of cookies in the browser settings.

2. Explanation and browser settings

Cookies are small text files installed in the computers from which users access our web site. They can store the identification details of users visiting the web and the sites they browse. When the user (you, in this case) visits us again, the cookies are read to identify you and re-establish your preferences and browser configuration. If a user does not authorise the use of the cookies, certain services or functionalities of the web site might not be available.

We want this site to provide a good service and to be easy to use. In this sense, we use Google Analytics cookies. This allows us to:

Statistically analyse the information accessed by users of our site. The data gathered may include the browser activity of the user visiting us, the route followed by users on our site, information on the Internet service provider of the visitor, the number of times users access the site and the behaviour of users on our site (pages visited, forms completed, and the like).

Identify users visiting us through the invitation of an associated web site or sponsored link.

To obtain further information on Google Analytics, see www.google.com/analytics. To control the gathering of data for analytical purposes by Google Analytics, please visit tools.google.com

We also use Google Remarketing cookies (such as NID, PREF, SNID, GAPS, etc.). These cookies send information to Google regarding the pages users visit, for the purpose of providing offers in line with their interests. To obtain further information, please visit www.google.com/policies/technologies/ads.

We also use Google Maps cookies (NID, PREF and KHCOOKIE). Google Maps allows us to include on our web maps showing the location of our establishments. For more information, please visit developers.google.com/maps.
You make revoke your consent to the use of cookies by removing them through the options provided by your browser. If you wish to receive further information on the activities of Internet advertising companies and how to remove your data from the records of such companies, we recommend you visit www.networkadvertising.org.

You can configure your browser so that it informs you beforehand of the possible installation of cookies. You may also choose for them to be automatically removed once the browser, computer or device has closed. You can find information on how to do so on the following sites:
> For Firefox, at support.mozilla.org
> For Chrome, at support.google.com
> For Internet Explorer, at windows.microsoft.com
> For Safari, at support.apple.com
> For Safari for IOS, at support.apple.com
> For Opera, at help.opera.com

3. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 Para.1 lit. f of the GDPR.

The legal basis for the processing of personal data using cookies for analysis purposes is, with corresponding user consent, Art. 6 Para. 1 lit. a of the GDPR.

4. Purpose of data processing

Technically necessary cookies are used in order to simplify website use for the user. Some features of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after leaving the page.

We require cookies for the following applications:

(1) Adoption of language settings
(2) Remembering search terms

The user data collected by technically necessary cookies is not used to create user profiles.

The use of analysis cookies helps to improve the quality and content of our website. Through analysis cookies, we learn how the website is used and thus enable the continuous optimisation of our service.

Our legitimate interest in the processing of personal data also lies in these purposes, in accordance with Art. 6 Para. 1 lit. f of the GDPR.

5. Duration of storage, option to object and remove

Cookies are stored on the user’s computer and transmitted to our website by it. As the user, you therefore have complete control over the use of cookies. By changing your Internet browser settings, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, some features of the same may not be able to be used to their full extent.

VIII. E-mail contact

1. Description and scope of data processing

An e-mail contact is available on our website and can be used for electronic contact. In this case, the user’s personal data transmitted with the e-mail will be stored. Such data will not be disclosed to third parties. The data is exclusively used for processing the conversation.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is, with corresponding user consent, Art. 6 Para. 1 lit. a of the GDPR.

The legal basis for the processing of data transmitted through sending an e-mail is Art. 6 Para. 1 lit. f of the GDPR. If the e-mail contact aims to conclude a contract, the additional legal basis for processing is Art. 6 Para. 1 lit. b of the GDPR.

3. Purpose of data processing

We only process personal data for the purpose of contact management. In the case of contact via e-mail, this also includes the essential, legitimate interest in data processing.

Any other personal data processed during the sending process serves to prevent misuse of the contact form and ensure the security of our information technology system.

4. Storage duration

Data will be deleted as soon as its storage is no longer necessary to achieve the purpose of its collection. For personal data sent via e-mail, this happens after the respective conversation with the user has ended. The conversation is considered to have ended when it can be inferred from the circumstances that the corresponding matters have been resolved.

Additional personal data collected during the sending process will be deleted within a maximum of seven days.

5. Possibility to object and remove

The user has the option to revoke their consent to the processing of their personal data at any time. If the user contacts us via e-mail, they may object to the storage of their personal data at any time. In this case, the conversation cannot be continued.

Objection to data storage must be made in writing to our business address.

All personal data stored in the course of contact will be deleted.

IX. Rights of the data subject

If your personal data is processed, you are the data subject as defined by the GDPR and you have the following rights in relation to the data controller:

1. Right to information

You may ask the data controller to confirm whether personal data relating to you is processed by us.

If such processing exists, you may request details of the following information from the data controller:

(1) the purposes for which the personal data is processed;
(2) the categories of personal data being processed;
(3) the recipients or recipient categories to whom the personal data relating to you have been or will be disclosed;
(4) the planned storage duration for the personal data relating to you or, if no specific details are available, criteria for the definition of the storage duration;
(5) the existence of a right to rectification or deletion of personal data relating to you, a right to restrict processing by the data controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information concerning the origin of the data if the personal data was not collected from the data subject;
(8) the existence of an automated decision-making process including profiling in accordance with Art. 22 Paras. 1 and 4 of the GDPR and – at least in these cases – meaningful information concerning the logic involved and the intended effect of such processing about the data subject.

You are entitled to request information on whether the personal data relating to you is transmitted to a third-party country or international organisation. In this respect, you may request information concerning the appropriate guarantees in accordance with Art. 46 of the GDPR in connection with the transfer.

2. Right to rectification

You have a right to rectification and/or completion if the processed personal data relating to you is incorrect or incomplete. The data controller must rectify said data immediately.

3. Right to restrict processing

You may request the restriction of processing of your personal data under the following conditions:

(1) if you contest the accuracy of the personal data relating to you for a period of time that enables the data controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse deletion of the personal data and instead request the restriction of use of your personal data;
(3) the data controller no longer requires the personal data for the purpose of the processing, but you need it to assert, exercise or defend legal claims or
(4) if you objected to processing in accordance with Art. 21 Para. 1 of the GDPR and it is not yet certain whether the legitimate reasons of the data controller prevail over your reasons.

If the processing of the personal data relating to you was restricted, this data may only be processed – excluding its storage – with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest within the European Union or a Member State.

If the processing restriction was limited in accordance with the aforementioned conditions, you will be informed by the data controller before the restriction is lifted.

4. Right of deletion

a) Deletion obligations

You may request the data controller to immediately delete the personal data relating to you. The data controller is obliged to delete this data with immediate effect if one of the following applies:

(1) The personal data relating to you is no longer required for the purpose for which it was collected or otherwise processed.
(2) You revoke your consent to processing as per Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a of the GDPR and there is no other legal basis for processing.
(3) You object to processing in accordance with Art. 21 Para. 1 of the GDPR and there is no prevailing, legitimate reasons for the processing, or you object to processing in accordance with Art. 21 Para. 2 of the GDPR.
(4) The personal data relating to you has been unlawfully processed.
(5) The deletion of personal data relating to you is required to fulfil a legal obligation in accordance with European Union legislation or the law of the Member State to which the data controller is subject.
(6) The personal data concerning you was collected in relation to information society services offered in accordance with Art. 8 Para. 1 of the GDPR.

b) Information to third parties

If the data controller has made the personal data relating to you public and is obliged to delete it in accordance with Art. 17 Para. 1 of the GDPR, they shall, under consideration of the available technology and implementation costs, take appropriate measures including technical means to inform other data controllers who process the personal data that you as the data subject have requested the deletion of all links to the personal data or copies or replications thereof.

c) Exceptions

The right to deletion does not exist if processing is necessary

(1) to exercise the right of freedom of expression and information;
(2) to fulfil a legal obligation required by the law of the European Union or Member State to which the data controller is subject, or to carry out a duty of public interest or public authority assigned to the data controller;
(3) for reasons of public interest in the field of public health in accordance with Art. 9 Para. 2 lit. h and i and Art. 9 Para. 3 of the GDPR;
(4) for archival purposes of public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Para. 1 of the GDPR, to the extent that the law stipulates in Para. a) is likely to render impossible or seriously affect the attainment of the objectives of this processing, or
(5) to assert, exercise or defend of legal claims.

5. Right to information

If you have exercised the right to rectify, delete or restrict processing by the data controller, they are obliged to notify all recipients to whom your personal data has been disclosed of this data rectification or deletion or processing restriction, unless this proves to be impossible or involves disproportionate effort.

You have the right to request information about said recipients from the data controller.

6. Right to data portability

You have the right to receive the personal data relating to you, which you provided to the responsible person, in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the data controller to whom you provided your personal data, insofar as

(1) the processing was consented to in accordance with Art. 6 Para. 1 lit. a of the GDPR or Art. 9 Para. 2 lit. a of the GDPR or is based on a contract as per Art. 6 Para. 1 lit. b of the GDPR and
(2) the processing is carried out using an automated procedure.

In exercising this right, you are also entitled to have your personal data transmitted directly from one data controller to another data controller insofar as this is technically feasible. Freedom and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data that is required for the fulfilment of a task in the public interest or in the execution of a public authority assigned to the data controller.

7. Right to object

For reasons that arise from your particular situation, you have the right to object at any time to the processing of your personal data pursuant to Art. 6 Para. 1 lit. e or f of the GDPR; this also applies to profiling based on these provisions.

The data controller shall no longer process your personal data unless they can prove compelling, legitimate reasons for the processing that prevail over your interests, rights and freedoms or the processing is required for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to processing for purposes of direct advertising, the personal data relating to you will no longer be used for these purposes.

Within the context of the use of information society services, you have the option – regardless of Directive 2002/58/EC – to exercise your right to object through automated procedures that use technical specifications.

8. Right to revoke the data protection consent declaration

You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of processing carried out on the basis of the consent before revocation.

9. Automated decision on an individual basis including profiling

You have the right not to be subjected to a decision based solely on automated processing – including profiling – that will have legal effect or affect you in a similar manner. This does not apply if the decision

(1) is required for the conclusion or fulfilment of a contract between you and the data controller,
(2) is permitted on the basis of European Union or Member State legislation to which the data controller is subjected and said legislation contains adequate measures to safeguard your rights and freedoms and legitimate interests, or
(3) has your express consent.

Notwithstanding the above, these decisions must not be based on special categories of personal data as specified in Art. 9 Para. 1 of the GDPR unless Art. 9 Para. 2 lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall take appropriate measures to uphold the rights and freedoms and your legitimate interests, which includes at least the right to obtain the intervention of a person on the part of the data controller to explain their own position and appeal against the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial redress, you have the right to complain to a supervisory authority, in particular in the Member State of residence, employment or the location of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

The supervisory body to which the complaint is submitted will inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 of the GDPR.