Mr. Alec Agalarov
Mr. Deniz Doru
Mr. Jens Heinen
Am Vorgebirgstor 37
Status: Jan. 2023
1. Basic information on data processing and legal bases
1.1. This data protection declaration clarifies the type, scope and purpose of the processing of personal data within our online offer and the websites, functions and contents connected with it (hereinafter jointly referred to as “online offer” or “website”). The data protection declaration applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.
1.2. The terms used, such as “personal data” or their “processing” refer to the definitions in Art. 4 of the Basic Data Protection Regulation (DSGVO).
1.3. The personal data of users processed within the scope of this online offer includes inventory data (e.g. names and addresses of customers), contract data and content data (e.g. entries in the contact form). Furthermore, data that you provide us with is processed, in particular personal data, i.e. name, professional activity (e.g. model), gender, contact email, telephone number, place of work, age, photos, bio/recent projects, agency, body measurements, external appearance, website, videos. We delete this data when you delete your user account. The legal basis for this processing of personal data is Art. 6 para. 1 lit. a. DSGVO.
1.4. The term “user” covers all categories of persons affected by the data processing. These include our business partners, customers, interested parties and other visitors to our online offer. The terms used are to be understood in a gender-neutral way.
1.5. We process personal data of users only in compliance with the relevant data protection regulations. This means that user data will only be processed if a legal permission has been granted, especially if the data processing is necessary for the provision of our contractual services (e.g. processing of orders) and online services, or if it is legally required, or if the consent of the users has been obtained, as well as on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO, in particular in the measurement of reach, the creation of profiles for advertising and marketing purposes as well as the collection of access data and the use of third-party services.
1.6. We point out that the legal basis of the consent is Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for processing for the purpose of fulfilling our services and implementing contractual measures is Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing for the fulfilment of our legal obligations Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to safeguard our legitimate interests Art. 6 para. 1 lit. f. DSGVO is.
2. Types of data processed/ categories of data subjects
2.1. The personal data of the users processed within the scope of this online offer includeinventory data (e.g. names and addresses of customers)Contact details (e.g. e-mail, telephone numbers)Communication dataContract data (e.g. services used, names of clerks, payment information)Usage data (e.g. the visited websites of our online offer, interest in our our products)Meta/communication data (e.g. device information, IP addresses)Content data (e.g. entries in the contact form)
2.2 The following persons are affected by the data processing:Contract and business partnersUsers of our online offerInterested parties who are interested in our online offer or who contact us for other reasons and customers.
3. Security measures
3.1. In accordance with Art. 32 DSGVO, we take appropriate organisational, contractual and technical security measures in line with the state of the art, taking into account the implementation costs and the nature, scope, circumstances and purposes of data processing as well as the varying degrees of probability and severity of risk to rights and freedoms, in order to ensure an adequate level of protection for your data. We hereby ensure compliance with the provisions of the data protection laws and protect this data against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
3.2. The security measures include in particular the encrypted transmission of data between your browser and our server. You can recognize such encrypted connections by the fact that the URL in the address bar of your browser begins with “https://”. This is a communication protocol with which data can be transmitted in a tap-proof manner within the framework of transport encryption.
We host the content of our website with the following provider:
Data processing on behalf of the controllerWe have concluded a contract for order processing (DPA) for the use of the aforementioned service. This is a data protection legally required contract, which ensures that this processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR https://webflow.com/legal/dpa.
5. Transfer of data to third parties and third party providers
5.1. Data will only be passed on to third parties within the framework of the legal requirements. We will only pass on user data to third parties if this is required, for example, on the basis of Art. 6 Para. 1 lit. b. DSGVO for contractual purposes or on the basis of justified interests in accordance with Art. 6 Para. 1 lit. f. DSGVO in the economic and effective operation of our business.
5.2. If we use subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
6. Provision of contractual services/ registration
6.1. We process inventory data and contract data for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 Para. 1 letter b. DSGVO.
6.2. Users can create a user account. In this account they can create and view their profile. In the context of the registration, the necessary obligatory data are communicated to the users. This includes only the name, professional activity, place of work, gender and a picture. The user accounts are not public and cannot be indexed by search engines. User accounts can only be found within the platform. If users have cancelled their user account, their data with regard to the user account will be deleted, subject to their safekeeping is necessary for reasons of commercial or tax law in accordance with Art. 6 para. 1 lit. c DSGVO. It is the responsibility of the users to back up their data before the end of the contract if they have terminated it. We are entitled to irretrievably delete all user data stored during the term of the contract. All data can be managed and changed in the protected customer area.
6.3. Furthermore, we store all content published by you in order to operate our online offer. The provision with user-generated content is our contractual service and will only be processed with your consent (legal basis Art. 6 para. 1 lit. a. DSGVO).
6.4. Within the scope of registration and renewed applications as well as the use of our online services, the IP address and the time of the respective user action will be saved. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c DSGVO.
6.5. We process usage data (e.g. the visited websites of our online offer, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile, in order to show the user e.g. product information based on their previously used services.
When contacting us, the user’s details will be used to process the contact request and its handling in accordance with Art. 6 Para. 1 lit. b. DSGVO are processed
8. Comments and contributions
8.1. If users leave comments or other contributions, their IP addresses will be deleted on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO for seven days.
8.2. This is done for our security in case someone leaves illegal content in comments and contributions. In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author
9. Collection of access data and log files
9.1. On the basis of our legitimate interests within the meaning of Article 6 paragraph 1 lit. f. DSGVO, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited site), IP address and the requesting provider.
9.2. For security reasons (e.g. to clarify misuse or fraud), log file information is stored for a maximum of seven days and then deleted. Data whose further storage is required for evidential purposes is excluded from deletion until the respective incident has been finally clarified.
– A distinction must be made between cookies that are set by the website operator when a user visits a website (also known as “first-party cookies”) and cookies that are set by third-party providers (also known as “third-party cookies”). We only have technical control over the first-mentioned cookies. We further differentiate between the following cookies.
– Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
– Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users used for reach measurement or marketing purposes can also be stored in such a cookie.
– Necessary (also: essential or absolutely necessary) cookies: Cookies can be absolutely necessary for the operation of a website (e.g. to store logins or other user entries or for security reasons).
11. Google Analytics
11.2. Google Inc. is certified under the Privacy-Shield-Agreement and thus offers a guarantee to comply with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
11.3. Google will also use this information to evaluate the use of this website by users, to compile reports on the activities within this website and to provide us with further services associated with the use of this website and the internet. Pseudonymous user profiles of the users can be created from the processed data.
11.4. We use Google Analytics only with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other states which are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
11.5. The IP address transmitted by the user’s browser will not be merged with other Google data. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.11.6. You can find further information on data use by Google, setting and objection possibilities on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use websites or apps of my partners”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information that Google uses to show you advertising”).
12. ManyChat for Newsletter and making contact
12.1. With the following information, we will inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.
12.2. We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter referred to as “newsletters”) only with the consent of the recipients or a legal permission. If, in the course of registering for the newsletter, its contents are specifically described, they are decisive for the consent of the users.
12.3. The registration for our newsletter is done via a contact form or a QR-code. This takes place via an opt-in procedure through Manychat.
12.4. We use ManyChat, a service for our chat and email marketing, on our website. The service provider is the American company ManyChat Inc., 535 Mission St, San Francisco, CA 94105, USA. ManyChat also processes data from you, among other things, in the USA. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As a basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the USA) or for data transfers to such countries, ManyChat uses so-called standard contract clauses (= Art. 46 para. 2 and 3 GDPR). Standard contract clauses (Standard Contractual Clauses - SCC) are template contracts provided by the European Commission and are intended to ensure that your data also comply with European data protection standards when they are transferred to and stored in third countries (such as the USA). With these clauses, ManyChat undertakes to comply with the European data protection level when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contract clauses, among other things, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
12.5. Furthermore, according to its own information, the mail-order service provider may use this data in pseudonymous form, i.e. without allocation to a user, to optimise or improve its own services, e.g. to technically optimise the dispatch and presentation of newsletters or for statistical purposes to determine the countries from which the recipients come. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.
12.6. To subscribe to the newsletter, it is sufficient to provide your Name, e-mail address and your Phone number. we ask you to enter a name for the purpose of personal contact in the newsletter.12.8. The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file which is retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and time of retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined by means of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our nor the dispatch service provider’s intention to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
12.7. The use of the mail-order service provider, the performance of statistical surveys and analyses and the logging of the registration procedure are based on our legitimate interests in accordance with Art. 6 Para. 1 lit. f DSGVO. We are interested in the use of a user-friendly and secure newsletter system that serves our business interests and meets the expectations of the users.
12.8. You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. Your consent to the dispatch of the newsletter by the dispatch service provider and the statistical analyses will then expire at the same time. A separate revocation of the dispatch by the dispatch service provider or the statistical analysis is unfortunately not possible. You will find a link to cancel the newsletter at the end of each newsletter. If users have only registered for the newsletter and cancelled this registration, their personal data will be deleted
We have integrated SurveySparrow on this website. The provider is SurveySparrow Inc., 2345 Yale St. FL 1, Palo Alto, CA 94306, USA (hereinafter SurveySparrow). SurveySparrow enables us to create online forms and embed them on our website. The data entered by you in our SurveySparrow forms is stored on SurveySparrow servers until you ask us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after processing your request is completed). Mandatory legal provisions, in particular retention periods, remain unaffected.
The use of SurveySparrow is based on Art. 6 para. 1 lit. f and lit. b GDPR. The website operator has a legitimate interest in functioning online forms (lit. f) and requires the data to process your request as part of initiating a contractual relationship (lit. b). If the corresponding consent has been obtained, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data processing agreementWe have concluded a data processing agreement (DPA) with the provider mentioned above. This is a legally required agreement that ensures that the provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR. The agreement is based on standard contractual clauses of the EU and can be viewed at the following link: https://surveysparrow.com/legal/dpa/
Pipedream 36 Palm Avenue, San Francisco, CA 94118, USA. We use Pipedream to be able to adapt our workflow and API’s optimally and quickly and thus offer the best service for our customers. Pipedream is considered both a Controller and a Processor as defined by the GDPR. As a Processor, Pipedream implements policies and practices that secure the personal data we send to the platform, and includes a Data Protection Addendum https://pipedream.com/dpa as part of their standard Terms of Service https://pipedream.com/terms. Data policy https://pipedream.com/docs/privacy-and-security/
The Pipedream Data Protection Addendum includes the Standard Contractual Clauses (SCCs) (opens new window). These clarify how Pipedream handles your data, and they update our GDPR policies to cover the latest standards set by the European Commission.
16. Use of single sign-on procedures Facebook Connect
16.1. We use on our website “Facebook Connect”, a service of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter referred to as “Facebook”). Facebook Connect facilitates registration for services on the Internet. Instead of using a registration mask on our website, you can enter your login data for Facebook and then use our services. By using “Facebook Connect”, your web browser automatically establishes a direct connection with the Facebook server. For registration you will be redirected to the Facebook page. There you can log in with your usage data. Through this, your user account on Facebook is linked to our service.
16.2. We have no influence on the scope and use of data collected by Facebook through the use of Facebook Connect. To the best of our knowledge, Facebook receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you have a user account with Facebook and are registered, Facebook can assign the visit to your user account. Even if you are not registered with Facebook or have not logged in, it is possible that Facebook will find out and store your IP address and, if necessary, other identifying features.
16.3. We use Facebook Connect to facilitate and shorten the registration and login process. This is also our legitimate interest in the processing of the above data by the third-party provider. The legal basis is Art. 6 para. 1 lit. f. DSGVO. You can prevent processing of the above information by Facebook by using our registration mask and not using Facebook Connect.
16.4. In addition, Facebook has subjected itself to the privacy shield agreement concluded between the European Union and the USA and has certified itself. Facebook thereby undertakes to comply with the standards and regulations of European data protection law. Further information can be found in the entry linked below: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active16.5. Third Party Information: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For more information about the Third Party Provider’s privacy practices, please visit the following Facebook website: https://www.facebook.com/about/privacy
17. PDF Creation
17.1. For the creation of PDF files we use the service provider Nifty Software e.U. (Placid) Trautmannsdorf 178, A-8343 Bad Gleichenberg, Austria. Nifty Software e.U. processes personal data exclusively within the scope of the instructions given by us. You can view the data protection regulations of the company here: https://placid.app/privacy17.2. Nifty Software e.U. is a company based in Austria and therefore bound by the GDPR regulation.
18. Rights of the data subject
If personal data are processed by you, you are the data subject within the meaning of the DSGVO and you are entitled to the following rights in relation to the person responsible:
18.1. Right to information
You can request confirmation from the data controller as to whether personal data concerning you is being processed by us. If such processing has taken place, you may request information from the data controller on the following: (1) the purposes for which the personal data are processed; (2) the categories of personal data which are processed; (3) the recipients or (3) the recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed; (4) the envisaged duration of the storage of the personal data relating to you or, if it is not possible to give specific details, criteria for determining the duration of storage (5) the existence of a right of rectification or erasure of personal data relating to you, a right to have the processing limited by the controller or a right to object to such processing; (6) the existence of a right of appeal to a supervisory authority; (7) any available information on the origin of the data when the personal data are not collected from the data subject; (8) the existence of automated decision making, including profiling, in accordance with Art. 22 (1) and (4) DPA and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing on the data subject. You have the right to request information as to whether the personal data concerning you are being transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 FADP in connection with the transfer.
18.2. Right of rectification
You have a right of rectification and/or integration vis-à-vis the controller if the personal data processed concerning you is incorrect or incomplete. The data controller must make the correction without delay.
18.3. Right to limit processing
You have the right to request that the processing of personal data concerning you be limited under the following conditions: (1) if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data; (2) if the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data; (3) if the controller no longer needs the personal data for the purposes of the processing but you need them for the purpose of asserting, exercising or defending legal claims; or (4) if you object to the processing pursuant to Art. 21 (1) DSGVO and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons. If the processing of personal data relating to you has been restricted, such data may be processed – apart from storage – only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State. If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
18.4. Right to erasure
a) Obligation to erase You may request the controller to erase personal data concerning you without delay and the controller shall be obliged to erase such data without delay if one of the following reasons applies: (1) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed (2) you revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a FADP, and there is no other legal basis for the processing. (3) You lodge an objection to the processing pursuant to Art. 21(1) DPA and there are no overriding legitimate reasons for the processing, or you lodge an objection to the processing pursuant to Art. 21(2) DPA. (4) The personal data concerning you have been processed unlawfully. (5) The deletion of personal data relating to you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject. (6) The personal data concerning you have been collected in relation to information society services offered in accordance with Article 8(1) of the DPA. b) Information to third parties If the controller has made public the personal data concerning you and is obliged to delete them in accordance with Art. 17 para. 1 FADP, he shall take reasonable measures, including technical measures, taking into account the available technology and implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to this personal data or copies or replications of this personal data. c) Exceptions The right of erasure shall not apply insofar as the processing is necessary (1) for the exercise of the right to freedom of expression and information; (2) to comply with a legal obligation to which the processing is subject under Union or national law to which the controller is subject or in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest relating to public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 DPA; (4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 DPA, insofar as the law referred to in a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or (5) for the assertion, exercise or defence of legal claims.
18.5. Right to information
If you have asserted the right to rectification, erasure or limitation of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis the controller to be informed of these recipients.
18.6. Right to data transferability
You have the right to obtain the personal data concerning you which you have supplied to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer these data to another controller without hindrance by the controller to whom the personal data have been made available, provided that (1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and (2) the processing is carried out using automated procedures. In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one responsible party to another, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to data transferability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
18.7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out pursuant to Article 6 paragraph 1 letter e or f of the DPA; this also applies to profiling based on these provisions. The controller will no longer process the personal data concerning you, unless he can demonstrate compelling reasons for processing which are justified on grounds of protection and which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims. If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing, including profiling, insofar as it is linked to such direct marketing. If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for those purposes. You have the possibility to exercise your right of objection in relation to the use of information society services, without prejudice to Directive 2002/58/EC, by using automated procedures involving technical specifications.
18.8. Right to revoke your data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until revocation.
18.9. Automated decision in individual cases including profiling
You have the right not to be subjected to a decision based exclusively on automated processing – including profiling – which has legal effect on you or significantly affects you in a similar way. This shall not apply where the decision is (1) necessary for the conclusion or performance of a contract between you and the controller, (2) authorised by Union or national law to which the controller is subject and that law contains adequate measures to safeguard your rights and freedoms and legitimate interests or (3) with your explicit consent. However, such decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 DPA, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests. With regard to the cases referred to in (1) and (3), the data controller shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, which shall include at least the right to obtain the intervention of a person from the data controller, to express his or her point of view and to challenge the decision.
18.10. Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place where the alleged infringement is committed, if you consider that the processing of personal data relating to you is in breach of the DPA. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.
19. Deletion of data
19.1 The data stored with us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations. If the users’ data are not deleted because they are required for other and legally permissible purposes, their processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons.
19.2 In accordance with legal requirements, data is stored for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.)
20. Right of objection
Users can object to the future processing of their personal data in accordance with the legal requirements at any time. The objection may in particular be made against processing for the purposes of direct advertising.
21. Amendments to the data protection declaration