Data Privacy Statement of LEICHT Küchen AG for the website global-kitchen-design.com
This Data Privacy Statement details the type, scope and purpose of the processing of personal data within our online service and of the associated websites, functions and content as well as external online presence, such as for example our social media profiles (hereinafter commonly referred to as “online service”).
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; hereinafter, personal data is always meant whenever “data” is mentioned.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is extensive and encompasses virtually all dealings with data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Users” are visitors to and users of our online service.
“GDPR” is the General Data Protection Regulation.
Name/company: LEICHT Küchen AG
Street, no.: Gmünder Straße 70
Postcode, town, country: 73550 Waldstetten | Germany
Commercial register/no.: HRB 701337, Court of Registration: Ulm District Court
Management Board: Stefan Waldenmaier (CEO), Ralph Glorim
Tel.: +49 | 7171 | 402-0
E-mail address: email@example.com
Data Protection Officer:
The Data Protection Officer can be reached at:
E-mail address: firstname.lastname@example.org
or can be contacted by post using the address above and adding “FAO Data Protection Officer”.
III. Types of processed data:
1. Every time our website is accessed, our system automatically collects data and information from the computer system of the device accessing the site.
This process involves the collection of the following data:
Information about the browser type and the version used;
The user’s operating system;
The user’s Internet service provider;
The user’s IP address;
Date and time of access;
Websites from which the user’s system has gained access to our website;
Websites which are called up by the user’s system via our website.
2. If you use our services and download projects, we also collect and process the following data:
Name (also first and last names of contact persons), name, e-mail address, IP address, language, password, profile picture, project pictures, project name, project addresses, project type, project categories.
IV. Purpose of data collection
1. As long as it only concerns the use of our website, we process our users’ personal data only as far as this is necessary to provide a functioning website, as well as functioning content and services. Users’ personal data is processed regularly only after a user has given his/her consent. Cases in which it is not possible to obtain previous consent for real reasons and cases where it is permitted to process data due to legal regulations are an exception to this rule.
2. Whenever our online services are used, we store the IP address and time of a particular action by a user. This storage takes place on the basis of our justified interests as well as of protection against malpractice and other unauthorised use. As a matter of principle, this data is not passed on to third parties, unless it is necessary in the pursuit of our rights or we are legally obliged to do so pursuant to point (c) of Article 6(1) of the GDPR.
V. Lawfulness for processing personal data
Point (a) of Article 6(1) of the GDPR is the applicable legal basis insofar as we obtain the data subject’s consent to process personal data.
Point (b) of Article 6(1) of the GDPR is the applicable legal basis in the processing of personal data necessary for the performance of a contract to which the data subject is party. This also applies to processing procedures which are necessary to execute precontractual measures.
Point (c) of Article 6(1) of the GDPR is the applicable legal basis insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject.
Point (d) of Article 6(1) of the GDPR is the applicable legal basis in the case where vital interests of the data subject or another natural person necessitate the processing of personal data.
Point (f) of Article 6(1) of the GDPR is the applicable legal basis for processing if processing is necessary for the purposes of protecting a legitimate interest of our company or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
VI. Security, order processing, transfer to other countries
1. Security measures
Taking into account, pursuant to Article 32 of the GDPR, the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; these measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, transmission, safeguarding of availability and separation of the data. Furthermore we have set up procedures which guarantee a perception of the rights of data subjects, erasure of data and a reaction to any endangerment of the data. Moreover we already consider the protection of personal data in the development and/or selection of hardware, software as well as procedures, in accordance with the principle of data protection with technology engineering and with data-protection-friendly presettings (Article 25 of the GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
2. Collaboration with order processors and third parties
If within our processing we disclose data to other persons and companies (order processors or third parties), transmit such to them or otherwise grant them access to the data, this takes place only with legal permission (e.g. when the transmission of data to third parties, such as payment service providers, is necessary to fulfil the contract in accordance with point (b) Article 6(1) of the GDPR), you have given your consent, a legal obligation allows for this or on the basis of our justified interests (e.g. when using authorised agents, web hosts, etc.).
Insofar as we commission third parties to process data on the basis of what is referred to as an “order processing contract”, this is based on Article 28 of the GDPR.
3. Transfer to third countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this takes place as part of the availment of services of third parties or the disclosure or transmission of data to third parties, this only occurs if it takes place to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our justified interests. Subject to legal or contractual permission, we only process the data or have the data processed in a third country when the special requirements of Article 44 et seq. of the GDPR apply. In other words, the processing takes place for example on the basis of special guarantees such as the officially recognised ascertainment of one of the EU compliant data privacy protection levels (e.g. for the USA through the “Privacy Shield”) or the observance of officially recognised special contractual obligations (known as “standard contract clauses”).
VII. Rights of the data subjects
If your personal data is processed, you are a data subject as defined by the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information
The data subject can demand a confirmation from the controller as to whether we are processing personal data concerning him. If personal data is being processed, you can demand to be informed by the controller of the following:
a) the purposes of the processing for which the personal data is intended;
b) the categories of personal data to be processed;
c) the recipients or categories of recipients who have been provided with or will be provided with personal data concerning the data subject;
d) the planned period for which the personal data concerning the data subject will be stored, or, if specific details cannot be revealed, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of processing or to object to processing;
f) the right to lodge a complaint with a supervisory authority;
g) all available information on the origin of the data if the personal data is not obtained from the data subject;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject has the right to demand information on whether the controller intends to transfer personal data concerning him or her to a third country or international organisation. In this context, the data subject can demand to be informed of the appropriate safeguards in accordance with Article 46 of the GDPR in connection with the transfer.
2. Right to rectification
The data subject has the right to request from the controller rectification and/or completion of personal data if the processed personal data concerning him or her is incorrect or incomplete. The controller must rectify the personal data without undue delay.
3. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing of personal data appertaining to the data subject where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of personal data instead;
c) the controller no longer needs the personal data for the purposes of processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where the processing of personal data concerning the data subject has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing pursuant to the aforementioned prerequisites shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data concerning the data subject is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based in accordance with point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
d) the personal data concerning the data subject has been unlawfully processed;
e) the personal data concerning the data subject has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data concerning the data subject has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The right to erasure shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format.
6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves the establishment, exercise or defence of legal claims.
Where personal data concerning the data subject is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
7. Right to withdraw consent
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial right of appeal, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your workplace or the place of the alleged violation, when you are of the opinion that the processing of personal data concerning you is in breach of the GDPR.
The supervisory authority relevant to us is:
Landesbeauftragte für den Datenschutz und Informationsfreiheit (State Data Protection and Freedom of Information Officer) Baden-Württemberg, Postfach 10 29 32, 70025 Stuttgart, Germany, or Königstraße 10a, 70173 Stuttgart, Germany, Tel.: +49 (0)711/61 55 41-0, Fax: +49 (0)711/61 55 41-15, e-mail: email@example.com
“Cookies” are small files stored on a user’s computer. A range of details can be stored within the cookies. A cookie is primarily intended to store information on a user (or on the device the cookie is stored on) during or also after the user’s visit within an online service. Temporary cookies, also referred to as “session cookies” or “transient cookies”, are those which are deleted when a user leaves an online service and closes his or her browser. This type of cookie might store items placed in a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those which remain saved once the user’s browser is closed. This makes it possible, for example, to store the login status when the user revisits a site after several days. This kind of cookie can also save the interests of the user; this information can then be used for audience measurement or marketing purposes. “Third-party cookies” are cookies offered by suppliers other than the controller providing the online service (otherwise, if they are cookies exclusively from the controller, the cookies are referred to as “first-party cookies”).
We can use both temporary and permanent cookies and have detailed this accordingly in our Data Privacy Statement.
If users do not want cookies to be stored on their system, they are asked to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Disabling cookies can lead to the restricted functioning of this online offer.
1. When we are contacted (via the contact form or e-mail), the user’s details are processed so we can pursue the contact inquiry in accordance with point (b) of Article 6(1) of the GDPR.
2. Users have the option of creating a user account. The necessary mandatory user specifications are stipulated during registration. The data entered during registration is required for the purposes of using the service. Users can be informed about offers or provided with registration-relevant information, such as changes to the scope of service or technical situations, by e-mail. When users close their user account, the data relevant to the user account will be deleted, unless the data needs to be retained for reasons relating to commercial or tax law in accordance with point (c) of Article 6(1) of the GDPR. After terminating the contract, it is the user’s responsibility to save his or her data before the contract expires. We are entitled to delete beyond retrieval all the user’s data stored during the duration of the contract.
3. Users can subscribe to subsequent comments providing they give their consent in accordance with point (a) of Article 6(1) of the GDPR. Users receive a confirmation mail to verify that they are the owner of the e-mail address specified. Users can unsubscribe from existing comment subscriptions at any time. The confirmation mail will contain information on the cancellation rights. So we can prove a user’s consent, we store the registration time along with the user’s IP address and delete this information when the users unsubscribe from the subscription. You can revoke your consent. We can save the unsubscribed e-mail addresses until the statutes of limitation expire on the basis of our justified interests before we delete them to be able to prove consent previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for data erasure can be filed at any time, providing the former existence of consent is confirmed.
4. When users register, leave comments or make other contributions, their IP addresses are saved based on our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR. This is for our own security for the case that someone leaves illegal content in comments and contributions (offensive comments, forbidden political propaganda, etc.). In the case we can be prosecuted ourselves for the comment or contribution and are thus interested in the identity of the author. As a matter of principle, this data is not passed on to third parties, unless it is necessary in the pursuit of our rights or we are legally obliged to do so pursuant to point (c) of Article 6(1) of the GDPR.
X. Erasure of data
Data processed by us is erased or the processing of this data is restricted in compliance with Articles 17 and 18 of the GDPR. Unless explicitly specified otherwise within this Data Privacy Statement, the data stored by us is erased as soon as it is no longer necessary for the purpose originally intended and erasure would not constitute violating legal duties to retain such data. If this data is not erased, because it is required for other, legally permissible purposes, the processing thereof will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data which must be retained for reasons relating to commercial or tax law. In accordance with legal regulations in Germany, data is retained particularly for 6 years in accordance with § 257 Paragraph 1 HGB [German Commercial Code] (account books, inventory, opening balance sheets, annual financial statements, commercial letters, accounting records, etc.) as well as for 10 years in accordance with § 147 Paragraph 1 AO [German tax code] (books, recordings, annual reports, accounting records, business and commercial letters, documents relevant for taxation, etc.).
We erase e-mail inquiries and other forms of contact via our website within a suitable period of time, within which it is no longer expected that a contract or similar will be concluded.
XI. Online presence in social media
We maintain online presences within social networks and platforms to be able to communicate with the customers, prospective clients and users active there and to be able to inform them there about our services. When the relevant networks and platforms are accessed, the Terms and Conditions as well as the data processing regulations of the relevant operators apply.
Unless stated otherwise in our Data Privacy Statement, we process the users’ data if the users communicate with us within the social networks and platforms, e.g. by making comments on our online presences or by sending us messages.
XII. Google Universal Analytics
XIII. Google Maps
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services pursuant to point (f) of Article 6(1) of the GDPR) we use the marketing and remarketing services (“Google Marketing Services” for short) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
Google has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google Marketing Services allow us to show ads for and on our website in a more targeted manner, showing users only those ads that are potentially of interest to them. For example, if a user is shown ads for products in which they showed an interest on other websites, this is known as remarketing. For these purposes, Google executes a code as soon as a user views our website or other websites for which Google Marketing Services have been activated, thereby incorporating so-called (re)marketing tags into the website (invisible graphics or codes, also referred to as “web beacons”). This allows a customised cookie, i.e. a small file, to be stored on the user’s device (comparable technologies may also be used instead of cookies). Cookies can be placed by various domains including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites the user visits, what content they are interested in and which offers they click on, as well as technical information relating to the browser and operating system, the referrer URL, the visit time and other details regarding the use of the online service. The user’s IP address is also logged; please note that with regard to Google Analytics, IP addresses within member states of the European Union or in other signatory states to the Agreement on the European Economic Area are truncated and that only in exceptional cases a complete IP address is transmitted to a Google server in the USA and then truncated there. The user’s IP address is not combined with the user’s data within other Google services. Google may combine the information mentioned above with such information from other sources. When the user subsequently visits other websites, they can be shown ads which are tailored to their interests.
The user’s data is processed within the Google Marketing Services using pseudonyms. This means Google does not store and process the user’s name or the e-mail address, but instead processes the relevant data within pseudonymous user profiles using cookies. This means from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected by Google Marketing Services regarding a user is sent to Google and stored on Google servers in the USA.
The online advertising program “Google AdWords” is also one of the Google Marketing Services we use. In the case of Google AdWords, every AdWords customer is given a different “conversion cookie”. This means that cookies cannot be traced over the websites of AdWords customers. The information collected using this cookie is used to compile conversion statistics for AdWords customers who have decided to use conversion tracking. The AdWords customers find out the total number of users who have clicked their ad and who were redirected to a site with a conversion tracking tag. They do not, however, receive any information with which they can identify users personally.
We can also use the “Google Optimizer” service. Google Optimizer gives us the opportunity to use “A/B testings” to see the effect of different versions of a website (e.g. changes to the input fields, design, etc.). Cookies are stored on the user’s device for these test purposes. Only pseudonymous user data is used.
We can also use the “Google Tag Manager” to integrate and manage Google analysis and marketing services on our website.
If you wish to object to interest-based advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/authenticated.
XVI. Using Facebook Social Plugins
We use social plugins (“plugins”) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service pursuant to point (f) of Article 6(1) of the GDPR). The plugins can be interaction elements or content (e.g. videos, graphics or text) and can be recognised by one of the Facebook logos (white “f” on blue tile, the term “Like”, or a “thumbs up” sign) or marked with the phrase “Facebook Social Plugin”. The list and the appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If a user accesses a function of this online service that contains such a plugin, his or her device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly to the user’s device by Facebook and is integrated into the online service. The processed data can be used to create usage profiles of the user. We therefore have no control over the amount of data Facebook collects with the help of this plugin and therefore inform users based on our level of knowledge.
Through the integration of plugins, Facebook receives the information that a user has accessed the corresponding site of the online service. If the user is logged into Facebook, Facebook can link the visit to his or her Facebook account. If the user interacts with the plugins, for example by clicking on the “Like” button or leaving a comment, the corresponding information will be sent directly from their device to Facebook and stored there. If the user is not a member of Facebook, it is still possible for Facebook to obtain and store his or her IP address. According to Facebook, only an anonymised IP address is stored in Germany.
If a user is a Facebook member and does not want Facebook to collect information on him or her via this online service or link it to his or her membership data stored on Facebook, he or she must log out of Facebook before using our online service and delete his or her cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are platform independent, which means they are applied to all devices such as desktop computers or mobile devices.
XVII. Facebook, custom audiences and Facebook marketing services
Within our online service and based on our legitimate interests in the analysis, optimisation and economic operation of our online service and for these purposes, our online service uses “Facebook Pixel” from the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are based in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook Pixel, Facebook is able to determine the visitors of our online service as the target group for the presentation of advertisements, so-called “Facebook ads”. Accordingly, we use the Facebook Pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online service or who possess certain characteristics (e.g. interests in certain topics or products which are determined using the websites visited) which we transmit to Facebook (so-called “custom audiences”). This means that with the help of the Facebook Pixel, we want to make sure that our Facebook ads correspond to the potential interest of the users rather than coming across as annoying. Additionally, the Facebook Pixel allows us to track the effectiveness of Facebook ads for statistical and market research purposes by showing whether users were redirected to our website after clicking on a Facebook ad (referred to as “conversion”).
Furthermore in our use of the Facebook Pixel we also use the advanced matching feature. Hereby data such as telephone numbers, e-mail addresses or Facebook IDs of the users are sent (encrypted) to Facebook to create target groups (“Custom Audiences” or “Look Alike Audiences”). Further information on the advanced matching feature: https://www.facebook.com/business/help/611774685654668).
We also use the “Custom Audiences from File” procedure of the social network Facebook, Inc. In this case, the e-mail addresses of the newsletter recipients are uploaded in Facebook. The upload procedure is encrypted. The sole purpose of the upload is to determine recipients of our Facebook ads. In this way, we want to make sure that the ads are only shown to users who are interested in our information and services.
Facebook processes the data in accordance with Facebook’s Data Policy. Accordingly, you can find further information about how Facebook ads are displayed in general in the Facebook Data Policy: https://www.facebook.com/policy.php. Special information and details on Facebook Pixel and how it works can be found in the Facebook Help section: https://www.facebook.com/business/help/651294705016616.
You can object to Facebook Pixel collecting data and using it to display Facebook ads. To define which types of advertisements are displayed to you within Facebook, you can visit the website set up by Facebook and follow the instructions on usage-based advertising settings here: https://www.facebook.com/settings?tab=ads. The settings are platform independent, which means they are applied to all devices such as desktop computers or mobile devices.
To prevent your data being collected on our website by Facebook Pixel, please click the following link: Facebook opt-out. Note: When you click this link, an “opt-out” cookie is played on your device. If you delete the cookies in this browser, you must click the link once more. Furthermore, the opt-out is only valid within the browser you use and only within our web domain within which the link was clicked.
XX. Akismet Anti-Spam Check
XXI. Google Fonts
In the event of any dispute arising out of or in relation to this Data Privacy Statement, the original version (in German) of this Data Privacy Statement is legally binding.