Data protection

1. Content of this Statement

Data collection takes place for the distribution, sale as well as procurement of products and services and all associated secondary transactions.

Secondary purposes are accompanying or supporting functions such as the administration of personnel, suppliers and service providers. If we have received your consent, we will contact you for marketing purposes, for example by e-mail, letter or telephone, to inform you about products, offers or special events.

In this Data Protection Statement, we shall explain to you our handling of your personal data when you visit us at siku.de. In addition, we will inform you of your rights under the General Data Protection Regulation (GDPR).  

2. Data Controller and data protection officer

The data controller within the meaning of the GDPR for the processing of your data on www.toddysbysiku.com is:
Sieper GmbH
Schlittenbacher Straße 60
58511 Lüdenscheid, Germany
Phone: 0049 2351-876-0
Fax: 0049 2351-876-166
E-mail: contact@toddysbysiku.com

The contact data of our Data Protection Officer is: 
Sieper GmbH
Mr. Friedhelm Kolks
Schlittenbacher Straße 60
58511 Lüdenscheid, Germany
datenschutzbeauftragter@siku.de

3. Individual functions of the website

In the following, we will explain to you the handling of your data when you use individual functions of our website.

3.1. Subscription to the newsletter

For you to be able to subscribe to a newsletter, we need your e-mail address. Stating your name is voluntary and is used for personal address.

By ordering the newsletter, you grant us your data protection consent to send you information on products and services of Sieper GmbH relating to toys, in particular toy models, by e-mail. You can revoke this consent at any time with effect for the future by clicking on the unsubscribe link provided in the newsletter or by sending us a message.

After registration, you will receive an e-mail asking you to click on a confirmation link. Only after this confirmation will you receive the subscribed newsletter (double opt-in). We log the date/time and IP address of this confirmation.

Your consent constitutes the legal basis for the processing. We will delete your data when you unsubscribe from the newsletter.

Our newsletters contain special images (web bugs) and similar techniques, on the basis of which we can recognise whether and when an e-mail has been opened. When a link is clicked on in a newsletter, we also record it. However, we use this data only statistically (i.e. without reference to individuals) in order to optimise our newsletters and offers and to understand better what interests our customers.

3.2. Prize Game

Sieper GmbH collects and uses the data of the participants only for the purpose of implementing the prize game. Any further collection and use of the data takes place only to the extent that the participants agree to it.

The specification of personal data is required for the participation in the prize game. The participant expressly agrees that the data transmitted by him may be collected and processed for the purpose of implementing and executing the prize game. The participant also agrees to receiving news concerning the prize game from Sieper GmbH at the e-mail address filed by him. In the event of a revocation, the participant will be excluded from the prize game.

The personal data entered and transmitted by the participant is collected, stored, used and passed on to third parties, e.g. for the delivery of the prize (mail service, parcel service) by Sieper GmbH solely for the purpose of implementing and executing the prize game. After full implementation of the prize game, the data is immediately and permanently deleted.
The subscription to the newsletter is not mandatory for taking part in the prize game. When you subscribe to the newsletter, we use your e-mail address for sending the newsletter. In this case, the provisions in item 3.1 apply.

3.3. Google Maps

We can use on our website services by Google LLC (United States) for the display of maps (e.g. when searching for dealers). To display the map, it is necessary that Google processes your IP address.

In relation to the map service provided by Google, the data protection statement of Google applies. With the use of Google Maps, you enter into a direct user relationship with Google.

The execution of the contract (provision of the map service) and our legitimate interest in the involvement of a specialised map provider constitute the legal basis for this data processing.

Google has a so-called EU-U.S. Privacy Shield certification. The EU-U.S. Privacy Shield Agreement is a data protection agreement designed to ensure an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has established the adequacy of the assured data protection level according to the EU-U.S. Privacy Shield agreement with a decision on 12 July 2016 (file no. C(2016) 4176). You can view the current status of the certification of Google according to the EU-U.S. Privacy Shield agreement online.

3.4. Social Media Buttons

We have integrated plugins of Facebook on our Web site.

For sharing our content via social networks we offer so-called social media buttons. For this purpose, we use the “c’t Shariff” solution developed by Heise-Verlag, which provides social media buttons that comply with data protection regulations.
The buttons offered directly by the operators of social networks illegally transmit personal data, such as the IP address or entire cookies, as soon as you load a website on which they are integrated, thus providing the social services with precise information about your surfing behavior without being asked. You do not need to be logged in or a member of the respective network to do this. A Shariff button, on the other hand, only establishes direct contact between the social network and the visitor when the latter actively clicks on the Share button. In this way, Shariff prevents you from leaving a digital trail on every page you visit and improves data protection. By using Shariff, we can protect your personal data and still integrate buttons for social sharing. You can find further information about c’t Shariff at https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

The following Social Plugins are in use with us:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications sowie http://www.facebook.com/about/privacy/your-info#everyoneinfo.
Facebook has submitted to the EU-US privacy shield, https://www.privacyshield.gov/EU-US-Framework.

Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has submitted to the EU-US privacy shield, https://www.privacyshield.gov/EU-US-Framework.

WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA; https://www.whatsapp.com/legal/#privacy-policy. WhatsApp has submitted to the EU-US privacy shield, https://www.privacyshield.gov/EU-US-Framework.

3.5. Youtube

We have integrated plugins of YouTube for display on our Web site. When you access pages with these plugins, only a preview image is initially displayed. When you click on them, a direct connection between your device and YouTube is created for playing the video, and YouTube can collect and process further data on your use of the website.

We use on our website videos and plugins of YouTube. YouTube is a service provided by YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, United States; “YouTube”). YouTube LLC is a subsidiary of Google LLC (1600 Amphitheatre Pkwy, Mountain View, CA 94043, United States; “Google”).

We use the so-called “advanced data protection mode” of YouTube. This means that when our Web pages are accessed, only a preview image of the embedded videos of YouTube, or Google, is retrieved.

Only when you open the video with a click is further data transmitted to YouTube, or Google, and cookies are placed by these third party providers. When you are logged into a YouTube or Google account, addition data on the video access can be directly allocated to your account (depending on your account settings). If you don’t want such an allocation to your profile, you must first log out of your YouTube or Google account.

Google has a so-called EU-U.S. Privacy Shield certification that is also valid for the subsidiary YouTube. The EU-U.S. Privacy Shield Agreement is a data protection agreement designed to ensure an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has established the adequacy of the assured data protection level according to the EU-U.S. Privacy Shield agreement with a decision on 12 July 2016 (file no. C(2016) 4176).

You can view the current status of the certification of Google according to the EU-U.S. Privacy Shield agreement online.

For more information on the purpose and scope of the data collection and processing by YouTube and Google, please refer to the data protection statement of Google: https://www.google.com/intl/de_de/policies/privacy/. There you will also find more information on your rights in this regard and setting options to protect your privacy.

Your data will be processed on the basis of Section 6 (1) p. 1 f) GDPR (balancing of interests) and in our interest in order to make the videos available to you on our website and, at the same time, to relieve our servers.

4. Analysis of the website visit

Analysis of the visitor behavior

Our website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. This allows us to regularly improve our website and make it more interesting. The legal basis for the use of Google Analytics is Art. 6 para. 1 sentence 1 lit. f) GDPR.

The information generated by the cookie about your use of our website (including your IP address in anonymous form) is transferred to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. The collection and storage of data can be revoked at any time with effect for the future.

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link.

As an alternative to the browser add-on or within browsers on mobile devices, please click the checkbox to prevent the collection by Google Analytics within this website in the future (the opt out only works in the browser and only for this domain). An opt-out cookie will be placed on your device.

Third party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Irland, Fax: +353 (1) 436 1001. 

• User conditions
• Data protection overview
• and the privacy policy

5. Additional Information

5.1. Mandatory Data

All mandatory information fields are marked with an asterisk (“*”) on our website. Without this information, the use of the respective function is not possible.

5.2. Data Recipient

Your data will be received by the competent departments of Sieper GmbH, e.g. the Marketing department.

For the technical operation of the Web site, we may involve technical service providers, who are bound by instructions, for order processing. For the newsletter, we make use of services of the provider Episerver GmbH in Berlin; Hosting is currently performed by:

Bechtle GmbH 
IT-Systemhaus Dortmund 
Niederlassung Freudenberg 
Hommeswiese 136, DE-57258 Freudenberg
https://www.bechtle.com/

A transfer to countries outside the European Economic Area only takes place if expressly stated.

5.3. Criteria for the storage period

The legislator has enacted a variety of storage obligations and periods. After the expiration of these periods, the respective data is routinely deleted if it is no longer required for fulfilling the contract. We assess the storage period for your data on the basis of the specific purposes for which we use it. In addition, we are subject to statutory retention and documentation obligations that arise, in particular, from the German Commercial Code (HGB) and the Tax Code (AO) and in many cases amount to six to ten years. Finally, the storage period is also based on statutory limitation periods; pursuant to Sections 195 et seqq of the German Civil Code (BGB), they usually amount to three years (as of the end of the calendar year).

6. Additional Remarks

6.1. DEFINITIONS

In the following, we explain some legal and technical terms used in this Data Protection Statement.

Personal data: Personal data is all information that relates to an identified or identifiable natural person, e.g. information in connection with your e-mail address or depot number.

Processing: Processing of personal data refers to any activity in connection with personal data, e.g. collection on an online form, storage on our servers or use for contacting you.

Cookie: A cookie is a small text file that is stored on your computer. The content of this file is transferred to our servers each time our Web site is accessed.

IP address: The IP address is a number that your Internet provider assigns to your device temporarily or permanently. With a full IP address, it is possible in individual cases – on the basis of additional information from your Internet operator – to identify the holder of the connection.

6.2. Legal Basis

The GDPR allows the processing of personal data only if there is a legal basis. We legally obligated to provide the legal basis for the processing of your data.

In the following, we will explain the terminology used in this context.

Consent: Section 6 (1) letter a) EU GDPR
This legal basis allows processing if and to the extent that you have given us your consent.

Fulfilment of contract: Section 6 (1) letter b) EU GDPR
This legal basis allows the processing insofar as it is required fot the fulfilment of a contract concluded with you, including pre-contractual measures (e.g. preparation of contract conclusion).

Fulfilment of legal obligations: Section 6 (1) letter c) GDPR
This legal basis allows us to process your data insofar as it is required for the fulfilment of a legl obligation to which we are subject.

Legitimate interests: Section 6 (1) letter f) EU GDPR
In accordance with this legal basis, processing is allowed to us, insofar as it is necassary to protect our legitimate interests (or those of third parties) and your conflicting interests do not prevail.

7. Your rights

7.1. Information

You have the right to request from us a confirmation as to whether we process the personal data concerning you; if this is the case, you have the right to information about your personal data in question and about the stipulations specified in Section 15 GDPR.

7.2. Correction

Under Section 16 GDPR, you have the right to the correction of inaccurate personal data concerning you and, if applicable, to the completion of incomplete personal data.

7.3. Deletion

You have the right to demand from us that personal data concerning you be promptly deleted if one of the reasons specified in Section 17 GDPR applies, e.g. if the data is no longer needed for the purposes pursued.

7.4. Restricion of the Processing

You have the right to demand from us the restriction of the processing, if one of the prerequisites specified in Section 18 GDPR is given – e.g. if you have objected to the processing – for the duration of the examination by us.

7.5. Data Portability

Under Section 20 GDPR, you have the right, under certain conditions, to receive, transfer and have transferred, if technically feasible, the data you have provided to us in a structured, common and machine-readable format.

7.6. Complaint

Independently of other administrative or judicial remedies, you have the right to complaint with a supervisory authority if you are of the opinion that the processing of the personal data concerning you by us infringes on the GDPR; Section 77 GDPR. You can assert this right with a supervisory authority in the Member State of your residence, your work place or the place of the alleged infringement. For the contact details of the supervisory authorities in Germany, see https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html 

7.7. Revocation (of consent)

If you provide us with a data protection consent, you have the right to revoke it at any time with effect for the future. This also applies to a data protection consent that you have given before the GDPR took effect.

7.8. Objection

You have the right to object to the processing of your personal data for reasons, which arise from your specific situation, inasmuch as we base the processing on Section 6 (1) letter e) or f) GDPR. We shall no longer process this data unless we can give proof of reasons worthy of protection for the processing that outweigh your interests, rights and liberties; or if the processing serves for the assertion, exercise or defence of legal claims (Section 21 GDPR). If your personal data is used by us for direct marketing (e.g. by e-mail), you have the right to object to the use of your data for these purposes at any time. This also applies to profiling if it is associated with direct advertising. Profiling refers to the use of personal data in order to analyse or predict specific personal aspects (e.g. interests).  

8. Confidentially and data security

Employees are deployed for working with personal data who have been pledged to confidentiality in accordance with Section 28 (3) p. 2 GDPR and have made themselves familiar with the provisions on data protection. Every employee (person) who has access to personal data is only allowed to process and use this data in accordance with the instructions of the employer/client.

Appropriate technical and organisational measures have been taken to protect personal data (Sections 28 and 32 GDPR). The confidentiality, integrity, availability and reliability of the systems and services in connection with the processing is ensured. A firewall as well as malware protection software are installed, activated and regularly updated on all systems used. With the registration of the employees, a user identification/authentication takes place at the workplaces. The used passwords must be changed at regular intervals. 

The access rights of the employees are matched to the activity profile of each employee. Agreements on order processing and on confidentiality have been entered into with the software suppliers and order processors. The technical and organisational measures to ensure processing security is periodically reviewed, assessed and evaluated.

Stand: Januar 2020