Citycare24.de data protection notice (obligations to provide information in accordance with Article 13 GDPR)
Table of contents
2. Name and contact details of the controller
3. Name and contact details of the data protection officer
4. Collection of personal data for informational use
6. Use of functions on our website
7. Use of our online shop
9. Sharing data with third parties
9.1 Use of Google Analytics
9.2 Incorporation of the Trusted Shops Trustbadge
9.3 Involvement of third-party services
9.4 Involvement of Idealo logo
10. Recipients or categories of recipients
11. Storage period
12. Your rights
12.1 Right of access
12.2 Right to rectification
12.3 Right to erasure (“Right to be forgotten”)
12.4 Right to restriction of processing
12.5 Right to information
12.6 Right to data portability
12.7 Right to object
12.8 Right to withdraw declaration of consent under data protection law
12.9 Automated individual decision-making, including profiling
12.10 Right to lodge a complaint
13. Legal basis for processing
In our view, data protection should be transparent, easy to understand and, above all, fair to all parties. In this data protection notice, we would therefore like to inform you of what personal data we collect from you and use, whether this may be transferred to third parties (and if so which), how long we will store the data for and what rights you have, should you not be in agreement with our responsible approach. Should you have any remaining questions after reading this detailed data protection notice, please don’t hesitate to get in contact with us using the contact details provided.
So that we proceed based on the same assumptions, we would like to start by clarifying some definitions. This will ensure that all participants understand what we mean by the following notice and how we will proceed from it.
Personal data: This shall mean any information that relates to an identified or identifiable natural person (referred to hereafter as the ‘data subject’). A natural person shall be regarded as identifiable if they can be identified directly or indirectly, particularly through assignment to an identifier such as a name, to a code, to location data, to an online identifier or to one or more special features which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
Processing: Processing shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Restriction of processing: The restriction of processing shall mean the marking of stored personal data with the aim of restricting its future processing.
Profiling: This shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate or predict certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: This shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller: This shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Recipient: This shall mean a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party: Third party shall mean a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Consent: Consent shall mean any declaration of intent freely submitted by the data subject in an informed way and without ambiguity for a specific instance, submitted in the form of a declaration or other clear act of confirmation, with which the data subject makes clear that they are in agreement with the processing of their personal data.
The controller for the data processing is
You can reach us by post, by email at email@example.com or by telephone at 042 98 / 9067 370.
IT-Kanzlei Lutz, Stefan Lutz, LL.M.,
Borgfelder Landstr. 2
You can reach Mr Stefan Lutz by post, by email at firstname.lastname@example.org or by telephone at 0421 / 3 22 88 90.
If you use our website for information purposes only, i.e. if you do not register with us or send us information in any other way, we collect only the personal data that your browser sends to our server. If you would like to view our website, we collect the following data required for technical purposes to display our website to you and to guarantee stability and security (the legal basis for this is Article 6(1)(1)(f) GDPR):
(1) In addition to the previously mentioned data, cookies will be stored on your computer when you use our website. Cookies are small text files which are stored on your hard drive by the browser you use and which transmit certain information to the body setting the cookie (in this case us). Cookies cannot run programs or transfer viruses to your computer. They help to make internet services altogether more user-friendly and effective (the legal basis for this is Article 6(1)(1)(f) GDPR).
a) This website uses the following types of cookies, the scope and function of which are explained below:
b) Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID which allows different requests from your browser to be assigned to the general session. This enables your computer to be recognised if you return to the website. Session cookies are automatically deleted when you log off or close the browser.
c) Permanent cookies are automatically deleted after a given time, which can be different for each cookie. You can delete cookies at any time through the security settings of your Internet browser.
d) You can configure your browser settings as you wish and reject, for example, the acceptance of third-party cookies or all cookies. We wish to point out that in doing so you may possibly not be able to use all of the website’s functions.
(2) This stored information is separated from any other data that may be given to us. In particular, data from cookies is not connected to your other data.
(3) You can revoke your consent for this data processing at any time with future effect.
(1) In addition to the purely informational use of our website, we offer various services which could be of interest to you. To make use of these, you must usually provide additional personal data, which we use to realise the particular service. Where it is possible to provide additional information voluntarily, this is indicated accordingly.
(2) When getting in contact with us via email or the contact form, we will store your email address and, if provided, name and telephone number, in order to answer your queries. (The legal basis for this is Sentence 1 of Article 6(1)(b) GDPR.)
(1) If you want to order something in our online shop, in order to conclude the contract, you must provide your personal data so that we can process your order. Mandatory details required to process contracts are marked specifically, other details are optional. We use the data provided by you to process your order. To do this, we can send your payment details to our house bank and/or other payment service providers. The legal basis for this is Sentence 1 of Article 6(1)(b) GDPR.
You can also opt to create a customer account through which we can save your data for future purchases. When creating an account under “Mein Konto” [My Account], the storage of your data can be revoked. You can delete at any time all additional data in the customer area, including your user account.
We may also process the data you provide in order to inform you of other interesting products from our portfolio or to send you emails with technical information.
(2) Under commercial and tax law, we are obliged to store your address, payment and order details for a period of ten years. However, after two years we restrict processing, meaning your data will only be used to comply with legal obligations.
(3) In order to prevent unauthorised access by third parties to your personal data, in particular financial data, the ordering process is encrypted with TLS technology.
If you would like to receive the newsletter offered on the website, we will require your email address as well as information allowing us to verify that you are the owner of the specified email address and that you have agreed to receive the newsletter.
In order to ensure you have agreed to receive the newsletter, we use the so-called double opt-in process. As part of this, potential recipients are added to a mailing list. The user is then given the opportunity through a confirmation email to legally confirm their registration. Only once confirmation has been received does the address join the active mailing list.
This data is used exclusively to send the requested information and offers.
The newsletter software used is Newsletter2Go. Your data is transferred here to Newsletter2Go GmbH. Newsletter2Go is prohibited from selling your data or from using it for purposes other than sending the newsletter. Newsletter2Go is a certified, German supplier, chosen in accordance with the requirements of the GDPR and Bundesdatenschutzgesetz [Federal Data Protection Act].
You can find further information here: https://www.newsletter2go.de/informationen-newsletter-empfaenger/
You may at any time revoke your consent for the storage of your data and email address, as well as their use for the sending of the newsletter, by following the “unsubscribe” link in the newsletter or emailing email@example.com.
The data protection measures are subject to constant technological developments, so please stay informed by regularly reading our data protection declaration.
(1) We will only share your personal data with third parties where sales campaigns, competitions, bookings or the conclusion of contracts are being offered by us in partnership with a third-party provider. In these cases you will be especially informed of this data sharing with third parties prior to it occurring.
(2) On some occasions, we make use of external service providers in order to process your data. These providers have been carefully chosen by us and appointed in writing. They are bound by our instructions and are regularly monitored by us. The service providers will not send this data to third parties. Where these service providers have offices in the USA, we will inform you of this as well as of their specific functions. This data processing also occurs in accordance with current law.
(1) This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses so-called “cookies”, which are text files placed on your computer to enable your use of the website to be analysed. The information generated by the cookies regarding your use of this website will usually be transferred to a Google server in the USA and stored there. If IP anonymization is activated on this website, your IP address will be shortened by Google beforehand within the member states of the European Union or other signatories to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity and to provide other services to the website operator regarding website and internet use.
(2) The IP address transferred by your browser within the scope of Google Analytics will not be aggregated with any other data held by Google.
(3) You may prevent the storage of cookies by selecting the appropriate settings on your browser software; however, please note that if you do so, you may not be able to use all the functions of this Website to their full extent. You can also prevent collection of the data (including your IP address) generated by the cookies and related to your use of the website by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension “_anonymizeIp()”. This means that IP addresses are further processed in a truncated form so that personal identification is excluded. If personal identification becomes possible via the data collected, this is immediately excluded and the personal data fully deleted.
(5) We use Google Analytics to analyse and regularly improve use of our website. The statistics obtained from this allow us to optimise our content and to make it more interesting for you. In the exceptional cases where personal data is transferred to the USA, Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Sentence 1 of Article 6(1)(f) GDPR.
(6) Information on the third-party service provider: Google Dublin, Google Ireland Ltd.; Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html
and data protection declaration: http://www.google.de/intl/de/policies/privacy.
(7) This website also uses Google Analytics for a cross-device analysis of visitor flows which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under ‘My Data’, ‘Personal Data’.
Following an order, the Trusted Shops Trustbadge is incorporated into this web page in order to display our Trusted Shops trustmark and the rating collected, as well as to offer Trusted Shops products for buyers.
This serves to safeguard our legitimate interests to optimise marketing of our products, which prevail in the context of a balancing of interests. The Trustbadge and the services advertised with it are provided by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne.
When the trust badge is requested, our web server automatically stores a so-called server log file that documents your IP address, date and time of request, amount of data transferred and the requesting provider (access data) and the request. This access data will not be analysed and will be automatically overwritten within seven days from the end of your visit to the site.
Personal data will only be transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or if you have already signed up to use the products. In this event, the contractual agreement between you and Trusted Shops will apply.
(1) We have integrated YouTube videos in our online services, which are stored at http://www.YouTube.com and playable directly from our website. These are all integrated in ‘extended data protection mode’, which means that if you do not play any of the videos, none of your personal data will be transferred to YouTube. Only when you play the videos will data be transferred, as per paragraph 2. We have no influence on this data transfer.
(2) When you visit our website, YouTube receives the information corresponding to the subpages that you have accessed on our website. Data named under clause 3 of this statement is also transferred. This occurs regardless of whether or not you are logged in to a YouTube user account. If you are logged in with Google your data will be associated directly with your account. If you do not want this assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and uses them for advertising and market research purposes and/or for any necessary changes to the design of its website. This type of analysis is carried out in particular to provide personalised advertising and to inform other users on social networks about your activity on our website (even for users who are not logged in). You have the right to object to the creation of this user profile, whereby you must contact YouTube to exercise this right.
(3) For more information on the purpose and scope of data collection and processing by YouTube, please refer to the data protection statement. You will also find further information about your rights and about how to adjust your settings to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
We use the logo of our partner, idealo (idealo internet GmbH, Ritterstraße 11, 10969 Berlin), on our website. When using our website, information is automatically sent to idealo’s server by the browser used on your end device. This information is temporarily stored in what is known as a server log file for 7 days. The following information is collected without you doing anything and is stored until it is automatically deleted:
- IP address of the requesting computer,
- date and time of access,
- name and URL of requested file,
- website from which the site is accessed (referrer URL),
- browser used and, if necessary, your computer’s operating system and the name of your access provider.
It is necessary for the system to store the IP address temporarily to enable the website to be sent. For this purpose, the IP address must be stored for the duration of the session. Storage in log files is carried out to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our IT systems. These data are not stored together with the other personal data. The legal basis for data processing is Article 6(1)(1)(f) GDPR.
Should we transfer your data to third parties, you will be explicitly advised of this in the description of the data processing in question (e.g. when using our contact form). As a matter of course, we also use external service providers for technical and organisational development, with whom we have agreed corresponding processing agreements, in accordance with Article 28 GDPR. These are for instance service providers for web hosting, sending emails, maintenance and upkeep of our IT systems etc.
Your data is stored for as long as strictly necessary in order to fulfil the specific purpose, or for as long as we are required by any legal provision (e.g. under commercial law, we are obliged to retain business letters, which includes emails, for 10 years).
As soon as the purpose of storage is no longer valid or the storage period under the specified provisions has expired, personal data is routinely blocked or erased.
In this section we would like to inform you comprehensively of your rights.
You have the right to obtain information from us at any time as to whether or not we are processing personal data concerning you. If this is the case, you can request information as outlined in the second clause of Article 15(1) GDPR.
You have the right to request information on whether personal data concerning you will be transferred to a third country or to an international organisation. In this regard, you can request information on the appropriate safeguards in accordance with Article 46 GDPR related to transmission.
You also have the right to demand immediate rectification of your incorrect personal data, in accordance with Article 16 GDPR. Under consideration of the purposes of processing, you have the right to demand the completion of incomplete personal data - also by means of an explanatory statement.
You also have the right to demand that we immediately erase personal data concerning you. We are obliged to fulfil this demand and erase personal data, provided we are not legally entitled or obliged to process the data further. For details on this please see Article 17 GDPR.
You have the right to demand that we restrict processing, provided that legal requirements in accordance with Article 18 GDPR are fulfilled.
If you have asserted the right to rectification, erasure or restriction of processing in accordance with Article 19 GDPR, we are obliged to inform all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or would involve a disproportionate effort.
You have the right to be informed by us of these recipients.
Where your data is being processed by us with your consent or as part of a contract, you have the right to receive the data concerning you in a structured, conventional, and machine-readable format. In addition, you have the right to transfer this data to another controller, provided that legal requirements in accordance with Article 20 GDPR are fulfilled.
Case-specific right to object
You have the right, for reasons arising from your own particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Article 6(1)(e) or (f) GDPR; this also applies to any profiling based on these provisions.
We will then no longer process the personal data unless there are compelling and legitimate grounds for processing which outweigh your interests, rights and freedoms, or processing serves to assert, exercise or defend legal claims.
Right to object to the processing of data for direct advertising purposes
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
Notwithstanding Directive 2002/58/EC, you are also entitled in the context of the use of information society services to exercise your right of objection by means of automated procedures for which technical specifications are used.
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or similar significant adverse effects for you. This does not apply if the decision
However, these decisions may not be based on special categories of personal data in accordance with Article 9(1) GDPR, unless Article 9(2)(a) or (g) applies and suitable steps to protect rights and freedoms and your legitimate interests have been taken.
In the cases stated in a. and c., the controller will take suitable steps to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority where the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial legal remedy in accordance with Article 78 GDPR.
The data protection supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Telephone: +49 (0511) 120 45 00
Fax: +49 (0511) 120 45 99
Insofar as not already stipulated in the specific cases of processing in the above clauses, the following section illustrates the legal basis under which we process the data.
When we obtain consent for processing operations for personal data from the data subject, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) forms the legal basis.
In the case of the processing of personal data which is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR forms the legal basis. This also applies for processing operations that are necessary to take steps prior to entering into a contract.
When processing personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR forms the legal basis.
In the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR forms the legal basis.
If the processing is necessary for the protection of the legitimate interests of our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR forms the legal basis for the processing.
- IP address
- Date and time of the server query
- Content of the request (specific page)
- Access status/HTTP status code
- Volume of data transferred in each case
- Website the request comes from
- Operating system and its interface
- Language and version of the browser software
- Transient cookies (see b)
- Permanent cookies (see c).
- is necessary for the conclusion or fulfilment of a contract between you and the controller,
- is permissible under the law of the EU or the Member States to which the controller is subject, and this law contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
- is made with your express consent.