Citycare24.de data protection notice (obligations to provide information in accordance with Article 13 GDPR)
Table of contents
2. Name and contact details of the controller
3. Collection of personal data for informational use
5. Use of functions on our website
6. Use of our online shop
7.1 Electronic Direct Mailing
7.3 Push notifications
8. Sharing data with third parties
8.1 Use of Google Analytics
8.2 Incorporation of the Trusted Shops Trustbadge
8.3 Involvement of third-party services
8.4 Involvement of Idealo logo
9. Recipients or categories of recipients
10. Storage period
11. Your rights
11.1 Right of access
11.2 Right to rectification
11.3 Right to erasure (“Right to be forgotten”)
11.4 Right to restriction of processing
11.5 Right to information
11.6 Right to data portability
11.7 Right to object
11.8 Right to withdraw declaration of consent under data protection law
11.9 Automated individual decision-making, including profiling
11.10 Right to lodge a complaint
12. Legal basis for processing
In our view, data protection should be transparent, easy to understand and, above all, fair to all parties. In this data protection notice, we would therefore like to inform you of what personal data we collect from you and use, whether this may be transferred to third parties (and if so which), how long we will store the data for and what rights you have, should you not be in agreement with our responsible approach. Should you have any remaining questions after reading this detailed data protection notice, please don’t hesitate to get in contact with us using the contact details provided.
So that we proceed based on the same assumptions, we would like to start by clarifying some definitions. This will ensure that all participants understand what we mean by the following notice and how we will proceed from it.
Personal data: This shall mean any information that relates to an identified or identifiable natural person (referred to hereafter as the ‘data subject’). A natural person shall be regarded as identifiable if they can be identified directly or indirectly, particularly through assignment to an identifier such as a name, to a code, to location data, to an online identifier or to one or more special features which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
Processing: Processing shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Restriction of processing: The restriction of processing shall mean the marking of stored personal data with the aim of restricting its future processing.
Profiling: This shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate or predict certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: This shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller: This shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Recipient: This shall mean a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party: Third party shall mean a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Consent: Consent shall mean any declaration of intent freely submitted by the data subject in an informed way and without ambiguity for a specific instance, submitted in the form of a declaration or other clear act of confirmation, with which the data subject makes clear that they are in agreement with the processing of their personal data.
The controller for the data processing is
You can reach us by post, by email at email@example.com or by telephone at 042 98 / 9067 370.
If you use our website for information purposes only, i.e. if you do not register with us or otherwise send us information, we collect only the personal data that your browser sends to our server. If you would like to view our website, we collect the following data required for technical purposes to display our website to you and to guarantee stability and security (the legal basis for this is Article 6(1)(1)(f) GDPR):
(1) In addition to the previously mentioned data, cookies will be stored on your computer when you use our website. Cookies are small text files which are stored on your hard drive by the browser you use and which transmit certain information to the body setting the cookie (in this case us). Cookies cannot run programs or transfer viruses to your computer. They help to make internet services altogether more user-friendly and effective (the legal basis for this is Article 6(1)(1)(f) GDPR).
a) This website uses the following types of cookies, the scope and function of which are explained below:
b) Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID which allows different requests from your browser to be assigned to the general session. This enables your computer to be recognised if you return to the website. Session cookies are automatically deleted when you log off or close the browser.
c) Permanent cookies are automatically deleted after a given time, which can be different for each cookie. You can delete cookies at any time through the security settings of your Internet browser.
d) You can configure your browser settings as you wish and reject, for example, the acceptance of third-party cookies or all cookies. We wish to point out that in doing so you may possibly not be able to use all of the website’s functions.
(2) This stored information is separated from any other data that may be given to us. In particular, data from cookies is not connected to your other data.
(3) You can revoke your consent for this data processing at any time with future effect.
(1) In addition to the purely informational use of our website, we offer various services which could be of interest to you. To make use of these, you must usually provide additional personal data, which we use to realise the particular service. Where it is possible to provide additional information voluntarily, this is indicated accordingly.
(2) When getting in contact with us via email or the contact form, we will store your email address and, if provided, name and telephone number, in order to answer your queries. (The legal basis for this is Sentence 1 of Article 6(1)(b) GDPR.)
(1) If you want to order something in our online shop, you must provide your personal data in order to conclude the contract, so that we can process your order. Mandatory details required to process contracts are marked specifically; other details are optional. We use the data provided by you to process your order. To do this, we can send your payment details to our house bank and/or other payment service providers. The legal basis for this is Sentence 1 of Article 6(1)(b) GDPR.
You can also opt to create a customer account through which we can save your data for future purchases. When creating an account under “Mein Konto” [My Account], the storage of your data can be revoked. You can delete all additional data in the customer area, including your user account, at any time.
We may also process the data you provide in order to inform you of other interesting products from our portfolio or to send you emails with technical information.
(2) Under commercial and tax law, we are obliged to store your address, payment and order details for a period of ten years. However, after two years we restrict processing, meaning your data will only be used to comply with legal obligations.
(3) In order to prevent unauthorised access by third parties to your personal data, in particular financial data, the ordering process is encrypted with TLS technology.
(1) In addition to processing your data to process orders in our online shop, we also use your data for advertising purposes as described in more detail below. You can object to the processing of your data for advertising purposes at any time. All you need to do is send an informal message to firstname.lastname@example.org or the contact details mentioned in Section 2.
(2) Newsletter2Go is used as software for sending direct mail via email and newsletters. Your data will be transmitted to Sendinblue GmbH. Sendinblue GmbH is prohibited from selling your data and using it for purposes other than sending e-mails on behalf of Citycare24 GmbH. Sendinblue GmbH is a German, certified provider, which was selected in accordance with the requirements of the General Data Protection Regulation and the Federal Data Protection Act. More information can be found here: https://de.sendinblue.com/informationen-newsletter-empfaenger/
(1) When completing the order in our online shop, we use the email address you provided for direct advertising for our own similar offers. You will receive these product recommendations regardless of whether you have subscribed to our newsletter. In this way, we will inform you about goods and services from our product range that may be relevant to you based on the orders you have placed in our online shop.
(2) If you do not want to receive these product recommendations, you can object at any time without incurring any costs other than the transmission costs according to the basic tariffs. An informal message to email@example.com or the contact details mentioned in section 2 is sufficient. Alternatively, you can also use the unsubscribe link included in every email. The legal bases for the data processing described are Art. 6(1)(f) of the General Data Protection Regulation (balancing of interests, based on the interest of Citycare24 GmbH in presenting advertising to existing customers) as well as Section 7(3) of the Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb) (processing of your email address for direct advertising).
(1) If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter.
(2) We use the so-called double opt-in procedure to ensure that the newsletter is sent out in an agreed manner. In the course of this, the potential recipient can be included in a distribution list. The user then receives a confirmation email to confirm the registration in a legally secure manner. The address is only actively included in the distribution list if the confirmation is given. We only use this data to send the requested information and offers. You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter or by e-mail to firstname.lastname@example.org.
(3) The data protection measures are always subject to technical updates; for this reason we ask you to inform yourself about our data protection measures at regular intervals by inspecting our data protection declaration.
(1) You can sign up to receive our push notifications. To send our push notifications, we use the "Kumulos" delivery service operated by Kumulos Ltd, Dundee One, 5 West Victoria Dock Road, Dundee, DD1 3JT ("Kumulos").
(2) You will receive regular information about current events via our push notifications. To sign up, you will need to confirm your browser's prompt to receive notifications. This process is stored by Kumulos. This includes storing registration time, hardware and software version information, and a unique ID to anonymously identify your browser or mobile device. The collection of this data is necessary to enable us to understand the processes in the event of misuse and therefore serves our legal protection.
(3) In order to be able to show you the push notifications, Kumulos collects and processes your browser ID on our behalf, as well as your device ID in the case of mobile access.
(4) By subscribing to our push notifications, you agree to receive them. The legal basis for processing your data after you have subscribed to our push notifications and given your consent is Art. 6 (1) lit. a GDPR.
(5) Kumulos also evaluates our push notifications statistically. This enables Kumulos to recognise if and when our push notifications were displayed and clicked on by you.
(6) You can revoke your consent to the storage and use of your personal data to receive our push notifications and the statistical collection described above at any time with immediate effect for the future. For the purpose of revoking consent, you can change the setting provided for this purpose in your browser for receiving push notifications. If you use our push notifications on a desktop PC with the "Windows" operating system, you can also unsubscribe from our push notifications by right-clicking on the respective push notification in the settings that appear there.
(1) We will only share your personal data with third parties where sales campaigns, competitions, bookings or the conclusion of contracts are being offered by us in partnership with a third-party provider. In these cases you will be especially informed of this data sharing with third parties prior to it occurring.
(2) On some occasions, we make use of external service providers in order to process your data. These providers have been carefully chosen by us and appointed in writing. They are bound to our instruction and are regularly monitored by us. The service providers will not send this data to third parties. Where these service providers have offices in the USA, we will inform you of this as well as of their specific functions. This data processing also occurs in accordance with current law.
(1) This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"), provided that you have given your express consent. Google Analytics uses so-called "cookies", text files that are stored on your computer and that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. If IP anonymization is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address will only be transmitted to a Google server in the USA and abbreviated there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website activity and internet usage.
(2) The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
(3) You can prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting and processing the data generated by the cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension "_anonymizeIp()". As a result, IP addresses are further processed in abbreviated form, so that they cannot be linked to a person. As far as the data collected about you is personal, this is immediately excluded and the personal data is deleted immediately.
(5) We use Google Analytics to analyze and regularly improve the use of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data are transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is your express consent, Art. 6 para. 1 sentence 1 lit. a GDPR.
(7) This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My data", "Personal data".
Following an order, the Trusted Shops Trustbadge is incorporated into this web page in order to display our Trusted Shops trustmark and the rating collected, as well as to offer Trusted Shops products for buyers.
This serves to safeguard our legitimate interests to optimise marketing of our products, which prevail in the context of a balancing of interests. The Trustbadge and the services advertised with it are provided by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne.
When the trust badge is requested, our web server automatically stores a so-called server log file that documents your IP address, date and time of request, amount of data transferred and the requesting provider (access data) and the request. This access data will not be analysed and will be automatically overwritten within seven days from the end of your visit to the site.
Personal data will only be transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or if you have already signed up to use the products. In this event, the contractual agreement between you and Trusted Shops will apply.
(1) We have integrated YouTube videos in our online services, which are stored at http://www.YouTube.com and playable directly from our website. These are all integrated in ‘extended data protection mode’, which means that if you do not play any of the videos, none of your personal data will be transferred to YouTube. Only when you play the videos will data be transferred, as per paragraph 2. We have no influence on this data transfer.
(2) When you visit our website, YouTube receives the information corresponding to the subpages that you have accessed on our website. Data named under clause 3 of this statement is also transferred. This occurs regardless of whether or not you are logged in to a YouTube user account. If you are logged in with Google your data will be associated directly with your account. If you do not want this assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and uses them for advertising and market research purposes and/or for any necessary changes to the design of its website. This type of analysis is carried out in particular to provide personalised advertising and to inform other users on social networks about your activity on our website (even for users who are not logged in). You have the right to object to the creation of this user profile, whereby you must contact YouTube to exercise this right.
(3) For more information on the purpose and scope of data collection and processing by YouTube, please refer to the data protection statement. You will also find further information about your rights and about how to adjust your settings to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
We use the logo of our partner, idealo (idealo internet GmbH, Ritterstraße 11, 10969 Berlin), on our website. When using our website, information is automatically sent to idealo’s server by the browser used on your end device. This information is temporarily stored in what is known as a server log file for 7 days. The following information is collected without you doing anything and is stored until it is automatically deleted:
- IP address of the requesting computer,
- date and time of access,
- name and URL of requested file,
- website from which the site is accessed (referrer URL),
- browser used and, if necessary, your computer’s operating system and the name of your access provider.
It is necessary for the system to store the IP address temporarily to enable the website to be sent. For this purpose, the IP address must be stored for the duration of the session. Storage in log files is carried out to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our IT systems. These data are not stored together with the other personal data. The legal basis for data processing is Article 6(1)(1)(f) GDPR.
Should we transfer your data to third parties, you will be explicitly advised of this in the description of the data processing in question (e.g. when using our contact form). As a matter of course, we also use external service providers for technical and organisational development, with whom we have agreed corresponding processing agreements, in accordance with Article 28 GDPR. These are for instance service providers for web hosting, sending emails, maintenance and upkeep of our IT systems etc.
Your data is stored for as long as strictly necessary in order to fulfil the specific purpose, or for as long as we are required by any legal provision (e.g. under commercial law, we are obliged to retain business letters, which includes emails, for 10 years).
As soon as the purpose of storage is no longer valid or the storage period under the specified provisions has expired, personal data is routinely blocked or erased.
In this section we would like to inform you comprehensively of your rights.
You have the right to obtain information from us at any time as to whether or not we are processing personal data concerning you. If this is the case, you can request information as outlined in the second clause of Article 15(1) GDPR.
You have the right to request information on whether personal data concerning you will be transferred to a third country or to an international organisation. In this regard, you can request information on the appropriate safeguards in accordance with Article 46 GDPR related to transmission.
You also have the right to demand immediate rectification of your incorrect personal data, in accordance with Article 16 GDPR. Under consideration of the purposes of processing, you have the right to demand the completion of incomplete personal data - also by means of an explanatory statement.
You also have the right to demand that we immediately erase personal data concerning you. We are obliged to fulfil this demand and erase personal data, provided we are not legally entitled or obliged to process the data further. For details on this please see Article 17 GDPR.
You have the right to demand that we restrict processing, provided that legal requirements in accordance with Article 18 GDPR are fulfilled.
If you have asserted the right to rectification, erasure or restriction of processing in accordance with Article 19 GDPR, we are obliged to inform all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or would involve a disproportionate effort.
You have the right to be informed by us of these recipients.
Where your data is being processed by us with your consent or as part of a contract, you have the right to receive the data concerning you in a structured, conventional, and machine-readable format. In addition, you have the right to transfer this data to another controller, provided that legal requirements in accordance with Article 20 GDPR are fulfilled.
Case-specific right to object
You have the right, for reasons arising from your own particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Article 6(1)(e) or (f) GDPR; this also applies to any profiling based on these provisions.
We will then no longer process the personal data unless there are compelling and legitimate grounds for processing which outweigh your interests, rights and freedoms, or processing serves to assert, exercise or defend legal claims.
Right to object to the processing of data for direct advertising purposes
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
Notwithstanding Directive 2002/58/EC, you are also entitled in the context of the use of information society services to exercise your right of objection by means of automated procedures for which technical specifications are used.
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or similar significant adverse effects for you. This does not apply if the decision
However, these decisions may not be based on special categories of personal data in accordance with Article 9(1) GDPR, unless Article 9(2)(a) or (g) applies and suitable steps to protect rights and freedoms and your legitimate interests have been taken.
In the cases stated in a. and c., the controller will take suitable steps to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority where the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial legal remedy in accordance with Article 78 GDPR.
The data protection supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Telephone: +49 (0511) 120 45 00
Fax: +49 (0511) 120 45 99
Insofar as not already stipulated in the specific cases of processing in the above clauses, the following section illustrates the legal basis under which we process the data.
When we obtain consent for processing operations for personal data from the data subject, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) forms the legal basis.
In the case of the processing of personal data which is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR forms the legal basis. This also applies for processing operations that are necessary to take steps prior to entering into a contract.
When processing personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR forms the legal basis.
In the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6 (1)(d) GDPR forms the legal basis.
If the processing is necessary for the protection of the legitimate interests of our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6 (1)(f) GDPR forms the legal basis for the processing.
- IP address
- Date and time of the server query
- Content of the request (specific page)
- Access status/HTTP status code
- Volume of data transferred in each case
- Website the request comes from
- Operating system and its interface
- Language and version of the browser software
- Transient cookies (see b)
- Permanent cookies (see c).
- is necessary for the conclusion or fulfilment of a contract between you and the controller,
- is permissible under the law of the EU or the Member States to which the controller is subject, and this law contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your express consent.