Privacy & Security
Contact
Hama GmbH & Co KG
Dresdner Straße 9
86653 Monheim
Phone: +49 9091 502-0
E-Mail: info.de@hama.com
Web: de.hama.com
Place of Business - D-86653 Monheim, Dresdner Str. 9
Commercial Register - County Court Augsburg A 12159
Managing Director: Christoph Thomas, Christian Sokcevic
General information on data processing
We only process our users’ personal data to the extent necessary for the provision of a functional website as well as the provision of our content and services. In general, we only process our users’ personal data with the users’ consent. One exception is in cases when it is not possible to obtain the user’s consent in advance for practical reasons and the company is permitted to process this data within the scope of the law.
Legal basis for the processing of personal data
When consent has been obtained from the data subject for the processing operations for the processing of personal data, point (a) of Article 6(1) of the EC General Data Protection Regulation (GDPR) serves as the legal basis.
When the processing of personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Article 6(1) of the GDPR serves as the legal basis. This also applies for processing operations that are required in order to take the necessary steps prior to entering into a contract.
When the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, point (c) of Article 6(1) of the GDPR serves as the legal basis.
When processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Article 6(1) of the GDPR serves as the legal basis.
If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, then point (f) of Article 6(1) of the GDPR serves as the legal basis for the processing.
Deletion of data and storage period
The personal data of the data subject is deleted or made unavailable to users once the purpose of the storage of the data no longer applies. Furthermore, data may also be stored if this storage is permitted by the European or national legislative authorities in EU regulations, laws or other guidelines that the controller is subject to. Data is also deleted or made unavailable to users once the storage period defined by the specified norms elapses as long as continued storage of the data is not required in order to conclude or perform a contract.
Provision of the website and the creation of log files
Description and scope of data processing
Every time our website is accessed, our system automatically records data and information from the system of the computer that is being used to access the website.
We use our website to collect personal data, e.g. your name and address or e-mail address, that you voluntarily provide us with in the form of entries made in contact forms or data entered for newsletter subscriptions. We store and use this data in order to process your requests and orders, maintain your customer account, or to provide you with access to specific information. We do not share this confidential information with third parties.
Furthermore, information is automatically collected that is not assigned to a specific person (e.g. the IP address currently being used by your end device, the browser and operating system used to access the website, the date and time the website was accessed, the number of visits, average time spent on the website, pages accessed). We use this information to determine the appeal of our website and improve its functions and content.
This data is also stored in our system’s log files. This data is not stored together with the user’s other personal data.
Legal basis for data processing
The legal basis for the temporary storage of data and log files is point (f) of Article 6(1) of the GDPR.
Purpose of data processing
The system must temporarily store the IP address so that it can transmit the website to the user’s computer. In order to do this, the user’s IP address must be stored during the entire session.
The IP address is then saved in a log file in order to ensure that the website works properly. Furthermore, we use this information to optimise our website and ensure that our information technology systems are secure. The data saved for these reasons is not used for marketing purposes.
These purposes also constitute legitimate interests within the scope of point (f) of Article 6(1) of the GDPR.
Storage period
Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the data recorded for the provision of the website, this is the case as soon as the session in question ends.
Data saved in the log files is deleted after 30 days. It is possible that data could be stored for longer than 30 days. In this case, the IP address of the user is deleted or anonymised so that it is no longer possible to associate it with the client that accessed the website.
Opt-out and disposal options
The collection of data required for the provision of the website and the storage of data in log files is essential in order to operate the website. For this reason, the user cannot opt out.
Cookies
This website uses two different types of cookies:
- Persistent cookies are stored on your computer and stay there until they expire or are deleted. Closing your browser does not delete these cookies.
- Session cookies are generated every time you visit one of our website pages. A session cookie is automatically deleted when you close your browser. All of the information saved in the cookie file is also deleted then.
With cookies, it is impossible to download personal information from the user’s computer on which the cookies are saved.
Use of cookies
Tracking cookies collect data about how the user uses the websites that he or she accesses.
Cookies store information about the way the website is used in terms of the history, favourite content and personal settings.
Third-party cookies make it possible to exchange data with third-party websites.
Advertising cookies make it possible to show the user personalised advertising.
Consent to the storage of cookies and retrieval of the information stored within those cookies
The user must give their consent to allow cookies to store information on their computer and allow the information stored in those cookies to be retrieved. This consent is given via the cookie settings in the user’s installed browser. Every Internet browser automatically has cookies enabled as standard. To this effect, we ask that our customers check their browser settings and, if necessary, change the settings to enable cookies.
Furthermore, we allow you to choose to agree to the use of cookies directly on our website. If you use this opportunity to agree to the use of cookies, you will automatically deactivate the do-not-track function.
Legal basis for data processing
The legal basis for the processing of personal data using the technically required cookies is point (f) of Article 6(1) of the GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes with the consent of the user is point (a) of Article 6(1) of the GDPR.
Purpose of data processing
The purpose of the use of technically required cookies is to make it easier for the user to use the website. A number of functions on our website cannot be offered without the use of cookies. For these functions, it is necessary that the browser is still recognised when the user moves from one page to another.
The user data recorded by technically required cookies is not used to create user profiles. Analysis cookies are used for the purpose of improving the quality of our website and its content. The analysis cookies tell us how the website is used. These purposes also constitute legitimate interests for the processing of personal data within the scope of point (f) of Article 6(1) of the GDPR.
Storage period, opt-out and disposal options
Cookies are stored on the user’s computer and transmitted to our website from there. For that reason you, as the user, have total control over the use of cookies. By changing the settings in your browser, you can disable or limit the use of cookies. Cookies that have already been saved to your computer can be deleted at any time. You can also change your settings so they are deleted automatically. If you disable cookies for our website, you may not be able to fully utilise all of the functions of the website.
Contact form and e-mail addresses
Description and scope of data processing
Our website contains contact forms that can be used to contact us electronically. If a user takes advantage of this opportunity, we will record and store the data that they enter into the fields of the form. The personal data that is transmitted in this way is determined by the fields in the form.
Furthermore, when the user sends a message, the following data is also saved:
The user’s IP address; however this information is masked by a byte
The date and time the user registered
Alternatively, the user can also contact us by writing an e-mail to the e-mail address provided. In this case, the user’s personal data that is transmitted with the e-mail will be saved.
The data collected in this way is not passed on to third parties. The data is only used to process the user’s e-mail.
Legal basis for data processing
The legal basis for the processing of data with the consent of the user is point (a) of Article 6(1) of the GDPR.
The legal basis for the processing of the data that is transmitted when the user sends an e-mail is point (f) of Article 6(1) of the GDPR. If the purpose of the e-mail is to conclude a contract, then the additional legal basis for the processing is point (b) of Article 6(1) of the GDPR.
Purpose of data processing
We only process the personal data included in the contact form to process the user’s message. If the user contacts us via e-mail, this also constitutes a legitimate interest in the processing of the data. Any other personal data processed during the sending operation is used to prevent third parties from misusing the contact form and to ensure the security of our information technology systems.
Storage period
Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the personal data from the fields in the contact form and the personal data that is sent via e-mail, this is the case when the conversation in question with the user comes to an end. The conversation ends when it is clear from the circumstances that the issue in question has been clarified conclusively.
Opt-out and disposal options
The user has the option at any time to revoke his or her consent to the processing of his or her personal data. If the user writes us an e-mail, he or she can object to the storage of his or her personal data at any time. Furthermore, the user can contact one of our employees at any time. In this case, the conversation cannot be continued.
All personal data that is stored during the course of the user contacting us will be deleted in this case.
Analysis by Matomo
Scope of the processing of personal data
We use the open-source software tool Matomo (formerly PIWIK) on our website to analyse the surfing patterns of our users. The software saves a cookie in the user’s browser (for more information on cookies, see above). When a user accesses individual pages on our website, the following data is stored:
The first three bytes of the IP address of the system the user is using to access the website
The website accessed
The website that referred the user to the website accessed (referrer)
The sub-pages that the user accesses from the accessed website
The amount of time spent on the website
The frequency with which the user accesses the website
The software runs solely on our website’s servers. The user’s personal data is not saved on these servers. The data is not passed on to third parties.
The software is set up so that IP addresses are not saved in full but rather three bytes of the IP addresses are masked (e.g.: 192.168.001.xxx). This masking means it is no longer possible to allocate the abbreviated IP address to the computer that accessed the website.
Legal basis for the processing of personal data
The legal basis for the processing of the user’s personal data is point (f) of Article 6(1) of the GDPR.
Purpose of data processing
Processing the user’s personal data allows us to analyse the user’s surfing patterns and behaviour. By evaluating the data we obtain, we are able to compile information about the way the various components of our website are used. This helps us to continuously improve our website and make it more user-friendly. These purposes also constitute legitimate interests for the processing of personal data within the scope of point (f) of Article 6(1) of the GDPR. By anonymising the IP address, we sufficiently take into account the interests of the user regarding the protection of their personal data.
Storage period
The data is deleted as soon as it is no longer required for our purposes.
Opt-out and disposal options
Cookies are stored on the user’s computer and transmitted to our website from there. For that reason you, as the user, have total control over the use of cookies. By changing the settings in your browser, you can disable or limit the use of cookies. Cookies that have already been saved to your computer can be deleted at any time. You can also change your settings so they are deleted automatically. If you disable cookies for our website, you may not be able to fully utilise all of the functions of the website. For more information on Matomo software’s privacy settings, click here: https://matomo.org/docs/privacy/.
Analysis of user behaviour by Web Extend
Scope of personal data processing
Web Extend is the data collection script of the e-mail marketing software Emarsys, which analyses the user behaviour of logged-in users. The software sets both its own cookies and third-party cookies on the user’s computer (see above for more about cookies). The domain of the third-party cookie is scarabresearch.com.
The following data is collected:
Information about the service
IP address
Browser
Cookie identifiers
Pseudonymised identifiers (external IDs or encrypted e-mail address) for logged-in users
Information about browsing behaviour
ItemIDs that were viewed
ItemIDs added to the shopping basket
ItemIDs that were purchased
All personal data is generally recorded anonymously or pseudonymised. The data is stored in the database of the e-mail marketing software Emarsys.
Legal basis for personal data processing
The legal basis for the processing of users’ personal data is Art. 6 para. 1 lit. f of the GDPR.
Purpose of data processing
The processing of the personal user data enables us to analyse user behaviour. User profiles can be enhanced with the acquired data. This allows us to provide users registered for the newsletter with a bespoke offer via the newsletter.
Data storage period
We store your data until your consent is withdrawn. We will delete data as soon as it is no longer needed for our purposes.
Objection and removal
If you do not wish to receive personalised advertising, you can object at any time. You have the following two options:
- Under “My account” in the “Newsletter” section you have the option to deactivate Web Extend.
- At the beginning of the privacy policy you have the option of refusing the general consent to cookies.
Analysis by Google Analytics
Our website uses the web analysis service Google Analytics by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). The processing of data serves to analyse this website and its visitors. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity and to provide other services to the website operator relating to website and internet use. The IP address communicated by your browser as part of Google Analytics is not associated with any other data held by Google. Google Analytics uses cookies, which make it possible to analyse your use of the website. The information generated by the cookie regarding your use of this website is usually transferred to a Google server in the USA and stored there. IP anonymisation is activated on this website.
Google uses this to shorten your IP address beforehand within Member States of the European Union or in other signatories to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Your data may be transmitted to the USA. Transmission of data to the USA is covered by an adequacy decision by the European Commission. Processing is carried out on the basis of art. 6 (1) lit. f GDPR due to our justified interest in needs-based and targeted design of the website. You have the right to veto this processing of your personal data according to art. 6 (1) lit. f GDPR by contacting us, for reasons relating to your personal situation. You can prevent the storage of cookies by choosing corresponding technical settings in your internet browser; we would, however, like to point out that this may prevent you from making full use of all the functions of this website. You can also prevent collection of the data (including your IP address) generated by the cookies and related to your use of the website by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link [https://tools.google.com/dlpage/gaoptout?hl=en].
You can set an opt-out cookie to prevent collection by Google Analytics across devices. Opt-out cookies prevent the future collection of your data when you visit this website. You need to opt-out on all systems and devices in use for this to work comprehensively. If you click here, the opt-out cookie is set: Disable Google Analytics.
You can find more detailed information on the terms and conditions of use and data protection at https://www.google.com/analytics/terms/ and at https://policies.google.com/?hl=en.
Rights of the data subject
When your personal data is processed, then you are a data subject as defined in the GDPR and you have the following rights vis-à-vis the controller:
Right of access
You have the right to obtain confirmation from the controller as to whether or not we are processing any personal data which concerns you.
Where this is the case, you also have the right to access the following information from the controller:
the purposes for which the personal data is being processed
the categories of personal data being processed
the recipients or categories of recipient to whom the personal data has been or will be disclosed
the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
the right to lodge a complaint with a supervisory authority
where the personal data is not collected from the data subject, any available information as to the source
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed if your personal data is to be transferred to a third country or to an international organisation. Where this is the case, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
Right of rectification
You have the right to obtain the rectification of inaccurate personal data from the controller in the event that the personal data being processed that concerns you is incorrect or incomplete. The controller must rectify the data without undue delay.
Right to restriction of processing
You have the right to obtain restriction of processing of the personal data that concerns you where one of the following applies:
you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where the processing of your personal data has been restricted, such personal data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the grounds listed above, you will be informed by the controller before the restriction of processing is lifted.
Right to erasure
Erasure obligation
You have the right to obtain the erasure of personal data concerning you without undue delay, and the controller is obligated to erase this personal data without undue delay where one of the following grounds applies:
the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
you withdraw the consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing
you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR
the personal data concerning you has been unlawfully processed
the personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
the personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform the controllers who are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
The right to erasure does not apply to the extent that processing is necessary
for exercising the right of freedom of expression and information
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Right to information
If you exercise your right of rectification, to erasure or to restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to be informed about those recipients by the controller upon request.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:
the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
the processing is carried out by automated means.
In exercising your right to data portability, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be affected by the exercise of this right.
The right of data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications.
Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.
Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. However, this does not apply if the decision:
is necessary for entering into or performance of a contract between you and the controller
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your express consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to above in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
AddThis
Our website uses social plugins (“plugins”) from the bookmarking service AddThis, which is operated by AddThis LLC, Inc. 8000 Westpark Drive, Suite 625, McLean, VA 2210, USA (“AddThis”). These plugins generally feature an AddThis logo, for example in the form of a white plus sign on an orange background. For an overview of the AddThis plugin and its appearance, click here: www.addthis.com/get/sharing. When you access a page on our website that contains one of these plugins, the browser connects directly to the AddThis servers. The content of the plugin is directly communicated to your browser and integrated into the page by AddThis. This integration provides AddThis with information that your browser has accessed the corresponding page of our website and saves a cookie on your end device to identify your browser. This information (including the IP address) is directly communicated from your browser to one of AddThis’ servers in the US and saved there. AddThis uses the data to create anonymised user profiles that serve as the basis for personalised, interest-based advertising for users who visit websites with AddThis plugins. For information on the purpose and scope of the data collection as well as further processing and use of the data by AddThis, please refer to AddThis’ data privacy policy: www.addthis.com/privacy/privacy-policy. If you object to AddThis collecting your data, you can set an opt-out cookie which you can download by clicking the following link: www.addthis.com/privacy/opt-out. You can also use browser extensions to completely block the AddThis plugin from loading, e.g. with the NoScript script blocker (http://noscript.net/).
Google Tag Manager
Google Tag Manager is a solution we use to manage website tags via an interface in order to be able to integrate Google Marketing services into our online presence. The Tag Manager itself (which implements the tags) does not process any of the user's personal data. With regard to the processing of the user's personal data, reference is made to the following information regarding Google services. Usage policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
Legal regulations or contractual provisions for the provision of personal data; necessity for the conclusion of a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide data
The provision of personal data is legally required in some cases (e.g. in tax law) or is delineated in contractual provisions.
In order to conclude a contract, it may be necessary to provide us with personal data that we need to process for this purpose. Without the provision of this data, it may be impossible to conclude the contract.
For more information about the necessity of the provision of personal data with regards to a specific case, you can contact our employees at any time. Our employees will also inform you as to the possible consequences of the failure to provide this data.
Name and address of the data security officer
The data security officer of the controller is:
Data security officer
Hama GmbH & Co KG
Dresdner Str. 9
86653 Monheim
Deutschland
E-Mail: dpo@hama.com