The protection of your personal data that you make available to us for processing is of particular concern to us. In the following, we inform you about the processing of personal data when using our website.
Within the scope of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the data subject (hereinafter we also refer to you, as the data subject, as "customer", "user", "you" or "data subject").
Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 GDPR). With this declaration (hereinafter: "data protection notice"), we inform you about the manner in which your personal data is processed by us.
Following the example of Art. 4 of the GDPR, this data protection notice is based on the following definitions:
- "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
- "Processing" (Art. 4 No. 2 GDPR) means any operation which involves the handling of personal data, whether or not by automated (e.g., technology-based) means. This includes, in particular, the collection (e.g., acquisition), recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended use on which a data processing was originally based.
- "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or processor; this also includes other group-affiliated legal entities.
- "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g., IT service provider). In the sense of data protection law, a processor is in particular not a third party.
- "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
(2) Name and address of the controller
We are the controller of your personal data within the meaning of Art. 4 No. 7 GDPR:
WMF Platz 1, 73312 Geislingen/Steige
Phone +49 (0) 7221 25-1; Fax: + 49 (0) 7331 453 87
E-mail address info(at)wmf.de
For further information on our company, please refer to the imprint details on our website.
(3) Contact details of the data protection officer
Our company data protection officer is available at all times to answer any questions you may have and to act as your contact person on the subject of data protection at our company. His contact details are:
WMF Platz 1, 73312 Geislingen/Steige
(4) Processing of personal data
If you would like to order in our web shop, it is necessary for the conclusion of the contract that you provide your personal data, which we need for the purpose of processing your order. Mandatory information required for the processing of contracts is marked separately; other information is voluntary. For payment, you can provide your payment details to our payment service providers, whereby these third parties are each independently responsible for the payment processing. If you select invoice as the payment method, we may carry out a credit check. The legal basis for this is Art. 6 para. 1 p. 1 lit. b GDPR.
We may also process the data you provide to inform you about other interesting products from our portfolio or to send you emails with technical information.
(5) Legal basis for data processing
In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:
- Art. 6 para. 1 sentence 1 lit. a GDPR ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative action that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
- Art. 6 para. 1 p. 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject;
- Art. 6 para. 1 p. 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a legal obligation to keep records).
(6) Data deletion and storage period
For the processing operations carried out by us, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data is only stored on our servers in the area of application of the GDPR, subject to a possible transfer in accordance with the regulations in (8) and (9).
However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is provided for by statutory regulations to which we are subject as the responsible party (e.g., § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
(7) Data security
We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with more detailed information on request. Please contact our data protection officer (see (3)).
(8) Cooperation with processors
As with any larger company, we also use external domestic and foreign service providers (e.g., for IT, logistics, telecommunications) to process our business transactions. These service providers only act on our instructions and are contractually obliged to comply with data protection regulations in accordance with Article 28 of the Data Protection Regulation (GDPR).
If personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g., for advertising purposes), this is done on the basis of existing order processing relationships.
(9) Conditions for the transfer of personal data to third countries
In the course of our business relationships, your personal data may be passed on or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e., in third countries. Such processing takes place exclusively for the fulfilment of contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer in the following at the relevant points.
Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct. Please contact our data protection officer (see under (3)) if you would like more information on this.
(10) Legal obligation to transmit certain data
We may, under certain circumstances, be subject to a specific legal or statutory obligation to make the lawfully processed personal data available to third parties, in particular public bodies (Art. 6 para. 1 p. 1 lit. c GDPR).
(11) Your rights
You can assert your rights as a data subject regarding your processed personal data at any time by contacting us using the contact details provided at the beginning of (3). As a data subject, you have the right
- to request information about your data processed by us in accordance with Art. 15 GDPR;
- to demand, without delay, the correction of incorrect data or the completion of your data stored by us in accordance with Art. 16 GDPR;
- pursuant to Art. 17 GDPR to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
- to demand the restriction of the processing of your data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
- pursuant to Art. 20 GDPR to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
- to object to the processing in accordance with Art. 21 GDPR, provided that the processing is based on Art. 6 (1) sentence 1 lit. e or lit. f GDPR;
- in accordance with Art. 7 (3) of the GDPR, to revoke at any time, vis-à-vis us, consent you have once given (including before the GDPR applied, i.e., before 25.5.2018), that is, your voluntary, informed and unambiguous will, made clear by a declaration or other unambiguous affirmative action, that you agree to the processing of the personal data in question for one or more specific purposes. This has the consequence that we may no longer continue the data processing based on this consent in the future; and
- to complain to a data protection supervisory authority about the processing of your personal data in our company in accordance with Art. 77 GDPR.