Data privacy

This privacy statement sets out the nature, scope and purpose of the personal data processing (hereinafter referred to as “data”) carried out in connection with our website and associated websites, functions and content as well as by external websites, such as our social media profile (hereinafter referred to as “website”). For an explanation of the terms used, such as “processing” or “controller”, we would refer you to the definitions contained in Art. 4 of the General Data Protection Regulation (GDPR).


Data controller
Company/name: Wallner Classic GmbH
Road no: Kreillerstrasse 129
Postcode, City, Country: 81825, Munich, Germany
Commercial register no: HRB 222856
Managing director: Rouven Genz
Phone: +49 (0) 89 432 8 33
Email: info@wallnerclassic.de


Types of data processed
- Basic data (e.g., names, addresses).
-Contact data (e.g., email, phone numbers).
- Content data (e.g. typed text, photos, videos).
- Contract data (e.g. scope of the contract, duration, customer category).
- Payment data (e.g. bank details, payment history).
- User data (e.g. websites visited, content interests, visit times).
- Meta/communication data (e.g. device details, IP addresses).

Processing of special data categories (Art. 9 Para 1 GDPR)
We do not process any special categories of data.

Categories of person affected by the processing of data
Visitors to and users of our website. Hereinafter, we refer to the persons affected as “users”.

We use your personal data for the following purposes
– Provision of our website, content and shop functionality.
- Provision of contractual services, customer support and service.- To answer queries and messages from users.
- Marketing, advertising and market research.
- Security measures.

Date: September / 2018


1. 1. Terms used

1.1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as a cookie) or to one or more identifiable characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2. “Processing’ is any operation or set of operations performed on personal data, whether or not it is carried out by automated means. It is a wide-ranging term that covers virtually any dealings with data.

1.3. A “controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

2. The legal bases for processing

According to Art. 13 of the GDPR, we must inform you of the legal basis of our data processing. If the legal basis is not mentioned in our data privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 of the GDPR, the legal basis for processing in order to provide our services, to operate our business and to respond to inquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing in order to fulfil our legal obligations is Art. 6 Para. 1 lit. c of the GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Art. 6 Para. 1 lit. f of the GDPR.

In the event that the vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.

3. Alterations and updates to our data privacy policy

Please check the content of our data privacy statement regularly. We will alter our data privacy as soon it becomes necessary due to changes we make to the way in which we process your data. We will inform you as soon as the changes require your agreement (e.g. consent) or other individual notification.

4. Security measures

4.1. As required by Art. 32 of the GDPR, we implement appropriate technical and organisational measures to ensure an appropriate level of security, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons.

These measures include in particular securing the confidentiality, integrity and availability of data by controlling physical access to the data and controlling the input, distribution, availability and separation of data.

We have also set up procedures to ensure that data subjects are able to exercise their rights and that we can delete data and respond to threats to the data. Furthermore, we take data privacy into account at an early stage in the development or selection of hardware, software and processes, and we comply with the principles of data privacy by design and data privacy-friendly default settings (Art. 25 GDPR).

4.2. Our security measures include in particular the encrypted transmission of data between your browser and our server.

5. Disclosure and transmission of data

5.1. Insofar as we disclose, transfer or otherwise grant access to your data to other persons and companies (processors or third parties), this will only take place if based on a legally binding agreement (e.g. if the data is transferred to third parties such as payment service providers, pursuant to Art. 6 Para. 1 lit. b GDPR), or you have given consent, or we are under a legal obligation to do so, or on the basis of our legitimate interests (e.g. when using agents, hosting providers, tax, business and legal advisors, or customer care, accounting, settlement and similar services that enable us to efficiently and effectively fulfil our contractual obligations, administrative tasks and duties).

5.2. If we ask third parties to process your data on the basis of a “contract processing agreement”, this will be done in compliance with Art. 28 of the GDPR.

6. Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this is done on our behalf by third-party services or when we disclose or transfer data to third parties, this will only occur if the transfer has your consent or if it is necessary to fulfil our (pre-)contractual obligations, to comply with a legal obligation or on the basis of our legitimate interests.

Subject to legal or contractual permissions, we will process or allow data to be processed in a third country only if the particular requirements of Art. 44 ff. of the GDPR are met. This means that processing will typically take place on the basis of special guarantees, that is, only to destinations recognised by the EU Commission as having an adequate level of protection (or the “Privacy Shield” in the USA) or destinations that comply with officially recognised special contractual obligations (“standard contractual clauses”).

7. Rights of data subjects

7.1. You have the right to request confirmation as to whether or not your personal data is being processed and to request access to this data and to receive further information and a copy of the data in accordance with Art. 15 of the GDPR.

7.2. In accordance with Art. 16 GDPR, you have the right to request the completion of your data and the rectification of incorrect personal data.

7.3. In accordance with Art. 17 of the GDPR, you have the right to request erasure of your personal data without undue delay or alternatively to request that the processing of your data be restricted in accordance with Art. 18 of the GDPR.

7.4. You have the right to request that you receive the personal data that you have supplied to us in accordance with Art. 20 of the GDPR and you have the right to ask us to transmit that information to another controller.

7.5. In accordance with Art. 77 of the GDPR, you also have the right to file a complaint with the supervisory authority responsible.

8. Right to cancel

You have the right to withdraw your consent with future effect in accordance with Art. 7 Para. 3 of the GDPR.

9. Right to object

In accordance with Art. 21 of the GDPR, you may object at any time to your personal data being processed in the future. You may specifically object to your data being processed for the purposes of direct marketing.

10. Cookies and the right to object to direct advertising

10.1. “Cookies” are small files that are stored on users’ computers. Different information can be stored inside the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after the user’s visit to a website. Temporary cookies (“session cookies” or “transient cookies”) are deleted when the user leaves the website and closes his browser. A cookie can store the contents of a shopping basket in an online shop, for example, or a login status. “Permanent” or “persistent” cookies are kept even after the browser is closed. This enables a login status to be stored and used if the user revisits a website several days later. The cookie can also store information about the user’s interests which can be used for measuring media coverage of for marketing purposes. “Third-party cookies” are cookies from providers other than the website operator (when the cookies are from the website itself, they are referred to as “first party cookies”).

10.2. We use both temporary and permanent cookies and explain this in our data privacy statement.
If users prefer not to store cookies on their computer, they can choose this option in their browser’s system settings. You can adjust your browser’s settings to prevent cookies from being automatically accepted. However, blocking cookies can lead to a loss of functionality on our website.

10.3. You can refuse to accept the use of cookies for online marketing purposes from a large number of services, especially from tracking services, by visiting the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. You can also prevent cookies from being saved by deactivating them in your browser settings. Please note, however, that you will not be able to access all the functions of our website if you do so.

11. Erasing data

11.1. The data we process will be deleted or its processing restricted in accordance with Art. 17 and 18 of the GDPR. Unless expressly stated in our data privacy statement, the data we store will be deleted as soon as it is no longer required for its originally intended purpose and we are not under any legal obligation to retain it.
If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted.

This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that has to be stored for commercial or tax reasons.

11.2. Germany. In accordance with statutory regulations, documents are stored for six years in accordance with § 257 Para. 1 HGB/German Fiscal Code (ledgers, inventories, opening balance sheets, annual accounts, commercial documents, bookkeeping vouchers, etc.) and for ten years in accordance with § 147 Para. 1 AO (books, records, management reports, bookkeeping vouchers, commercial and business letters, documents relating to taxation, etc.).

12. Order processing in the online shop and customer account

12.1. We process our customers’ data in order to handle their orders in our online shop, to enable them to select and order products and services, and to deal with payment, notification and fulfillment.

12.2. The data we process includes basic data, communication data, contract data, payment data and data on our customers, potential customers and other business partners. Processing is carried out to enable our online shop to offer, invoice and deliver contractual services to customers and to support those customers. We use session cookies to store the content of our customers’ shopping baskets and permanent cookies to store their login status.

12.3. Processing is carried out in compliance with Art. 6 Para. 1 lit. b (order processing) and c (archiving required by law) of the GDPR. The information identified as obligatory is required to establish and fulfil the contract. We disclose data to third parties only when necessary for the purpose of delivery and payment or to comply with our legal obligations towards legal advisors and authorities. The data will only be processed in third countries if this is necessary to fulfil the contract (e.g. at the customer’s request upon delivery or payment).

12.4. Users are given the option of creating a user account, which they can use to check their orders. The necessary information is communicated to users during the account registration process. User accounts are not made public and cannot be indexed by search engines. When users terminate their accounts, the data related to their user account is deleted, subject to retention for commercial or tax reasons pursuant to Art. 6 Para. 1 lit. c the GDPR.
Data remains in the customer account until it is deleted and, if a legal obligation exists, archived.
It is the responsibility of the user to back up their data before terminating their account.

12.5. We store the user’s IP address and the time of the user event during registration and subsequent logins or whenever they visit our website. This storage of personal data is based on our legitimate interests and also serves to protect the user against misuse and any other unauthorised use. The data will not be passed on to third parties unless it is necessary to pursue a claim or if there is a legal obligation pursuant to Art. 6 Para. 1 lit. c of the GDPR.

12.6. Data is deleted once our legal and other obligations have expired. We review the need to retain the data every three years; in the case of legal archiving obligations, deletion is carried out once these have expired (six years for commercial purposes and ten years for tax purposes); customer data remains in the customer’s account until it is deleted.

13. Business analyses and market research

13.1. In order to run our business efficiently, to identify market trends and customer and user requirements, we analyse the data available to us from business transactions, contracts, inquiries, etc. In compliance with Art. 6 Para. 1 lit. f. of the GDPR, we process basic data, communication data, contract data, payment data, usage data, metadata from persons including customers, potential customers, business partners, visitors and users of our website. We analyse this data for the purpose of business assessments, marketing and market research. We can compare the profiles of our registered users with information on, for example, their purchase transactions. These analyses help us to increase the user-friendliness of our website, to optimise its performance and profitability. The analyses are carried out solely for our company and are not disclosed externally without anonymising the analyses and consolidating the figures.

13.2. If a user whose data has been included in these analyses or profiles terminates their account, these will be deleted or anonymised; otherwise, this will happen two years from the conclusion of the contract. In all other respects, all business and trend analyses will be anonymised wherever possible.

14. Communications and customer service

14.1. When a user contacts us (via our contact form or by email), we process their details in order to deal with and respond to their request in compliance with Art. 6 Para. 1 lit. b) of the GDPR.

14.2. The user’s details may be stored in our customer relationship management system (CRM system) or with a comparable sales organisation.

14.3. We delete the inquiries when they are no longer needed. We review our data on inquiries every two years and delete what we don’t need; inquiries from customers who have a customer account are stored permanently and are only deleted when the customer account is deleted. In addition, the statutory obligations on archiving apply.

15. Collection of access data and log files

15.1. Based on our legitimate interests as defined in Art. 6 Para. 1 lit. f. of the GDPR, we collect data on each visitor to the server hosting our website (known as “server log files”). The access data includes the name of the website visited, the date and time of the visit, the volume of data transmitted, notification of successful access, browser type and version, the user’s operating system, the referrer URL (the previously visited page), the IP address and the provider making the request.

15.2. Log file information is stored for a maximum period of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data that has to be retained as evidence is not deleted until the particular incident has been resolved.

16. Online presence in social media

16.1. On the basis of our legitimate interest as defined by Art. 6 Para. 1 lit. f. of the GDPR, we maintain an online presence on social networks and platforms in order to communicate with customers, potential customers and users of these networks and to inform them of our services. The terms and conditions and data processing guidelines of the operators of these networks and platforms apply when visiting these networks.

16.2 Unless otherwise stated in our data privacy statement, we process the data of users who communicate with us on these social networks and platforms, e.g. who post on our online platforms or send us messages.

17. Communication via mail, email, fax or telephone

17.1 We use communication services such as post, telephone and email for transaction processing and marketing purposes. We process basic data, address and contact data as well as the contractual data of customers, participants, potential customers and communication partners.

17.2 Processing takes place based on Art. 6 Para. 1 lit. a, Art. 7 GDPR, Art. 6 Para. 1 lit. f of the GDPR and on the statutory regulations governing advertising communications. We only establish contact with the consent of the contact partners or when we are legally entitled to do so, and the data we process is deleted as soon as it is not needed, or if there is an objection/ cancellation, or if the justification for processing or legal archiving the data ceases to apply.

18. Inclusion of third-party services and content

18.1. When operating our website, and acting on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and profitable operation of our website as defined by Art. 6 Para. 1 lit. f. of the GDPR), we include content and services such as videos or fonts (hereinafter referred to as “content”) from third parties in order to integrate their content and services. This always requires the third-party providers of this content to know the IP address of the user, as they would be unable to send the content to their browser without an IP address. The IP address is therefore a requirement for viewing this content. We make every effort to only offer content from providers who use IP addresses solely for the purpose of delivering their content. Third-party providers may also use “pixel tags” (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymised information may be stored in cookies on the user’s device and may contain other data such as technical details of the browser and operating system, referring web pages, visit times and other information about the use of our website, and this may also be linked to comparable information from other sources.

18.2. Below is a list of third-party providers and their content, along with links to their data privacy statements, which contain further information on how they process data and, as we have already mentioned, how you can object (“opt-out”).

– If our customers use third-party payment services (such as PayPal or Sofortüberweisung), the terms and conditions and the privacy policies of these third parties, which are available on their websites or transaction apps, apply.

19. Newsletter

If you wish to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data will not be collected or will only be collected on a voluntary basis. We use these data exclusively for the dispatch of the requested information and do not pass these on to third parties.
The data entered in the newsletter registration form will be processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a DSGVO). You can revoke your consent to the storage of data, e-mail address and their use to send the newsletter at any time, for example via the "Unsubscribe" link in the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation.
The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter or the newsletter service provider and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remain unaffected by this. After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest in the sense of Art. 6 Para. 1 lit. f DSGVO). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

Newsletter

Our newsletter informs you about topics of the maintenance of classic cars, innovations on our side and in our enterprise and our new offers. Further information on data privacy on our website can be found under data privacy.