of Duttenhofer GmbH & Co. KG ("DIFOX") for use of DIFOX online shops
Date: January 2022
1. Person Responsible
The controller responsible for data processing is DIFOX a branch of, Duttenhofer GmbH & Co. KG, Alfred-Nobel-Str. 6, 97080 Wuerzburg, Germany
2. Contact details of the data protection officer
The external company privacy protection officer is Dr. Carlo Piltz, Piltz Legal, Piltz Rechtsanwaelte PartGmbB, Mozartstr. 16, 12247 Berlin, Tel: +49 (0)30 814 53 50 00
3. Purpose, duration and legal bases for data processing
Your personal data are processed on the basis of your consent (Art. 6 para. 1 p. 1 lit. a) GDPR) for the purpose of subscribing to the newsletter. If you send us your personal data by e-mail when you contact us, we will process your personal data to process your requests, to contact you and possibly also to execute pre-contractual measures or to fulfil a contract (Art. 6 para. 1 p. 1 lit. b) GDPR). If required, the processing of your data will extend beyond the actual fulfilment of the contract to include the safeguarding of our legitimate interests or those of third parties as follows: The review and optimisation of processes for needs analysis and direct contact, advertising or market and opinion research, provided you have not objected to the use of your data, the assertion of legal claims and defence in the event of legal disputes, to guarantee IT security and IT operation, the facilitation of various different payment methods for your online order(s), to guarantee the operation of our website, the use of social media functions and measures for business management and the further development of services and products (Art. 6 para. 1 p. 1 lit. f) GDPR).
We are also subject to various retention and documentation obligations and may also be legally obliged to share personal data to authorities (Art. 6 para. 1 p. 1 lit. c) GDPR).
The following table provides an insight into the most important retention periods:
|Item||Retention period||Legal basis|
|Offers with order sequence, e-mails (business letters), e-mails (reminders), faxes (business letters), delivery notes, default summons and reminders||6 years||§ 147 AO, § 257 HGB|
|Outgoing invoices, receipts, e-mails (booking documents such as invoices), delivery notes, as proof of receipt, especially in connection with an invoice, cash-on-delivery tag, online invoices||10 years||§ 147 AO, § 257 HGB|
|Data on the respective sales contract for processing warranty claims||2 years||§ 438 Abs. 1 Nr. 3 BGB|
|Data on the respective contract for processing warranty claims||Depending on the respective product||§ 443 BGB|
Data are transferred to third countries (states outside the EU and the European Economic Area - EEA) only if to do so is required to execute contracts concluded with you or by law, or if you have given us your consent to do so.
We will provide details to you separately, if required by law.
4.Processing of customer data
DIFOX processes the following customer data: customer name, address, telephone number, email address, information on the content of an order, IP address , any information pertaining to a different delivery address and information on the desired payment type. The data is processed in Germany. The personal data listed above is processed and used for the purpose of managing the relevant contractual relationship. The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. b) GDPR. We also reserve the right to, at appropriate intervals, send you direct mail advertisements for the offers in our online shop. No other use is made of your personal data. In particular, we do not pass on any data to third parties unless it is for the purpose of sending the ordered goods.
You can, at any time, object to your name and address being used for mail advertising purposes (see above). Simply send an email to email@example.com.
4.2 Registration as a specialist retailer (new customer form)
You have the option to register as a specialist retailer with DIFOX, so that DIFOX can then create a customer account for you in our shop on the website. We do this
- so that you can use our services, in particular so that you can see our up-to-date prices;
- to manage your user data and settings;
- where applicable, to manage your newsletter subscription with DIFOX; and
- for the inspection of invoices and outstanding arrears.
For a detailed breakdown of the minimum data which are processed, please refer to the page with the new customer form (https://www.difox.com/shop/en/difox/RegistrationToken). The purpose of the procedure is to validate your registration and, if necessary, to clear up any misuse of your personal data.
The legal basis for the data processing is Article 6 (1)(1)(b) GDPR.
As Section 1 (9)(11)(1)(1) MLA obliges us to identify contracting parties before establishing a business relationship or carrying out a transaction, we will process a copy of the applicant's identity card in the context of new customer registration for the purpose of combating money laundering, Section 58 MLA. The copy will not be processed for any other purpose. In accordance with Section 8 (4)(1) and (3) MLA, this copy of the ID will in principle be kept for five years after the termination of our business relationship and subsequently destroyed, unless other statutory retention provisions require us to keep it for longer, Section 8 (4)(2) MLA.
The legal basis for this data processing is Article 6(1)(c) GDPR in conjunction with Section 1 (9)(11)(1)(1) MLA.
DIFOX may also deliver goods to the end customer as a drop shipper. Drop shipping refers to a special form of business conducted in trading between a supplier and an (online) retailer. The supplier offers the retailer products which the latter then offers for sale in its online shop. As soon as a product is purchased by a customer, the retailer forwards the order to the supplier. The latter sends the goods in a neutral form directly to the end customer, meaning that the retailer does not have any contact with the goods at all. As a rule, the end customer does not notice that the actual sender is the supplier rather than the retailer. DIFOX processes the data of the end customer (name, address, telephone number, e-mail address) provided by the specialist retailer so that it can carry out the drop shipment.
The legal basis for data processing for the delivery of the product in question to the end customer is Art. 6 (1)(1)(b) and (f) GDPR. DIFOX's legitimate interest consists in its desire to fulfil its contractual obligation to the retailer as a drop shipper and to deliver the ordered product to the end customer.
4.4 Use of email addresses for advertising purposes (sending newsletters)
4.4.1 Newsletters in general
You have the option of subscribing to DIFOX's email newsletter.
After you register, DIFOX will therefore use your email address for its own advertising purposes. You may unsubscribe at any time by using the function displayed for this purpose in the newsletter, with an email to firstname.lastname@example.org or – if available – the corresponding option in the settings in your user account. Your email address will be saved in order to facilitate delivery of our newsletter. The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. a) GDPR.
4.4.2 Newsletter dispatch in existing customer relationship
If you have already purchased goods or services from us, DIFOX will also use your email address and the first and last name of the contact person on file for personalisation purposes in order to send you our newsletter for direct advertising of similar goods or services, if you have not objected to this use of the aforementioned data. You can of course object to the sending of our newsletter at any time with effect for the future by clicking on "unsubscribe" at the end of the newsletter or by contacting our data protection officer at email@example.com . You do not incur any costs other than the transmission costs according to the basic tariffs for this.
The legal basis for this data processing is Art. 6 para. 1 S. 1 lit. f) GDPR. Our legitimate interest rests in being able to inform you about our latest offers for our products by means of direct advertising.
4.5 Processing of personal data in the context of payment
"Payment in advance (bank transfer)" payment type, "Purchase on account" payment type
If you are given the option of "Payment in advance (bank transfer)", "Purchase on account" during your order, DIFOXalone processes the personal data which you entered during the ordering process in order to carry out the contractual relationship with you.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. b) GDPR.
4.6 Special conditions / rebate
DIFOX may send reports to its manufacturers and suppliers to allow it to verify possible special conditions in the context of initiation of the contract or downstream bonuses (kickbacks) after the execution of a contract for a customer. These reports contain the company name and may in individual cases also feature personal data, namely the name of the entrepreneur. The legal basis for this data processing is Article 6 (1)(1)(b) GDPR. A contact person in the customer's company for whom the special conditions are being verified may also be named. The legal basis for this data processing is Article 6 (1)(1)(f) GDPR. DIFOX's legitimate interest consists in making it possible for the manufacturer or supplier to contact the customer, if required. In addition, its legitimate interest consists in ensuring that the product manufacturer cannot verify any special conditions / rebates without unnecessary information.
4.7 Merchandise insurance contract
DIFOX is co-insured under the terms of a merchandise insurance contract. Specialist services of the insurer (credit insurance, factoring, risk assessment and collection) are drawn upon within the framework of this contract. Insofar as DIFOX makes use of the described services, personal data concerning the unfulfilled contract will be transmitted to Coface. The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interest exists in the sense that we protect ourselves from payment defaults and assert our rights and would like to assert claims.
5. Processing of personal data
However, when the DIFOX website is accessed, the following data is automatically logged by the web server:
- IP address of the requesting PC;
- Date and time of the request;
- Access method/function requested by the requesting PC;
- Entry values (e.g. file name) requested by the requesting PC;
- Web server access status (file transferred, file not found, command not executed etc.);
- Name of the requested file and
- URL from which the file was requested/the desired function was released.
This information is used exclusively for the purpose of identifying and tracing unauthorised accesses to the web server and other criminal acts. The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interests are the assurance of IT security as well as the assurance of the operation of our Internet presence.
This DIFOX website uses the following types of cookie, the scope and functionality of which is outlined below:
Transient cookies are automatically deleted when you close your browser. These particularly include session cookies. These save a 'session ID', which is used to assign various requests from your browser to the overall session. This allows us to recognise your computer when you revisit our website. Session cookies are deleted when you sign out or close the browser.
Persistent cookies are automatically deleted after a set period of time that can differ depending on the cookie. You can delete cookies in your browser's security settings at any time.
You can configure your browser settings as you wish and, for example, reject third-party cookies or all cookies. Please note that you may then be unable to use all the functions of this website.
5.3 Google Analytics
If you have given your consent, we use the web analysis service Google Analytics of Google Ireland Limited, Gordon House, Barrow Street Dublin 4. Ireland ("Google") on our website. The use includes the "Universal Analytics" operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyse the activities of a user across devices. Google Analytics uses so-called "cookies", text files that are stored on your computer and that allow an analysis of the use of the website by you. The analysis by Google Analytics enables us to analyse the use of our website in order to compile reports on website activity and to make our website even more convenient and secure for you. In addition, we can further improve our website offer for you on the basis of visits and statistical analyses. The legal basis for placing and accessing Google Analytics cookies set on your device is § 25 para. 1 sentence 1 of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG). With regard to the processing of personal data in the context of the use of Google Analytics, the legal basis is Art. 6 para. 1 P. 1 lit. a) GDPR.
5.4 Contact form
You will find a contact form on DIFOX's website. The data you enter there will be stored for the purpose of individual communication with you, and the data processing is justified, in accordance with Art. 6 para. 1 p. 1 lit. f) GDPR, by our desire to offer you a simple contact option. Your data will also be stored for the purpose of answering your request, as well as for possible follow-up questions.
If you contact us in order to request a quote, the legal basis for data processing is Art. 6 para. 1 p. 1 lit. b) GDPR.
5.5 Newsletter tracking
DIFOX uses Emarsys Marketing Suite to track the recipient behaviour of our newsletter. Recipient reactions (opening a mail, clicking on text and image links, downloading images with an e-mail program) are recorded and stored anonymously for statistical purposes. It is not possible to identify individual users from the data used. The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. The legitimate interest of DIFOX is the provision of better and accurate information for recipients of the newsletter.
5.6 Facebook fan page
DIFOX operates a so-called fan page on Facebook. These are websites that are offered on the Facebook platform to present DIFOX as a company and to get in touch with customers and interested parties, for example.
5.6.1 Shared responsibility with Facebook
The results of this processing are provided to us, as the fan page operator, and then through Facebook in an aggregated, statistical and anonymous form of user statistics. We do not have access to the data processed by Facebook. Facebook provides more information about Insights under the following link: https://www.facebook.com/help/pages/insights.
Facebook describes which data it processes for more of its own purposes in its Data Policy, available under the following link:https://www.facebook.com/about/privacy.
There, you will also find information about options for contacting Facebook as well as the settings options for advertisements. Facebook remains solely responsible for the processing of such personal information in relation to visits to fan pages that are not under shared responsibility.
If you are currently logged in as a user on Facebook, there is a cookie with your Facebook ID on your device. This enables Facebook to see that you visited our fan page and how you used it. This also applies to all other Facebook pages. To avoid this, you should log out of Facebook or disable the "stay signed in" feature, delete the cookies present on your device, then exit and restart your browser.
Please note that data from the survey phase will also be passed on to locations in the USA and thus outside the territory of the European Union. No adequacy decision has been made by the European Commission for the USA itself. However, Facebook is a participant in the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
In the agreement made with DIFOX (available at: https://www.facebook.com/legal/terms/page_controller_addendum), Facebook agrees to assume the primary responsibility according to the GDPR for the processing of so-called Insights Data and all obligations to comply with the DSGVO with regard to the processing of this Insights Data. The essence of the agreement can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
If you wish to exercise your interest in tort (for what these are, see below under point 5) in line with GDPR, we point out that we cannot fully fulfil these rights in case of doubt. It would therefore be more effective for you to contact Facebook directly. Information about your rights regarding page insights is provided by Facebook here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
With regard to page insights and joint responsibility with Facebook, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. Information on how to exercise your right to object can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
If you still need help, feel free to contact us. We will forward your request to Facebook, insofar as it relates to Insights Data.
Processing the visitor's personal data enables the provision of the fan page as well as the statistical evaluation of how our fan page is used. This evaluation is performed for us anonymously. The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interests regarding the collection of personal data when visiting the fan page and the production of statistical evaluations are: Communication and interaction with interested parties and customers; Dissemination of information about our company; Anonymized evaluation and presentation of the use of the fan page.
5.6.2 Our sole responsibility
DIFOX also processes the data from your use of the fan page that you voluntarily provide (in a comment, for example) for the purpose of answering your inquiries, communicating with you and publishing information regarding the content offered on the fan page or from DIFOX. The legal bases for processing are Art. 6 para. 1 p. 1 lit. b) and f) of GDPR. The legitimate interest lies in the effective information of users, customers and interested parties and communication with these persons.
You are welcome to contact us as long as it regards the data processed by us on our own account, and assert the rights to which you are entitled as our data subject. However, if these refer to processing that is purely in the area of responsibility of Facebook, we point out in advance that our options with regards exercising your rights are limited to referring you to the appropriate places of Facebook.
5.7 Instagram Profile
Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland ("Facebook") uses the technical platform and the services of Facebook Ireland Ltd. for the information service offered here. Instagram is a part of Facebook.
We would like to point out that you use this Instagram profile and its functions under your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating). Alternatively, you can also find the information offered via this page on our Internet offer at https://www.difox.com retrieve. Facebook collects your IP address and other information that is stored on your PC in the form of cookies when you visit our Instagram profile.
5.7.1 Joint controllership with Facebook
Instagram uses this information to provide us, as the operator of the Instagram profile, with statistical information about the use of the Instagram profile. Facebook provides more detailed information on this at the following link: https://help.instagram.com/1533933820244654.
The data collected about you in this context will be processed by Facebook and, if necessary, transferred to countries outside the European Union. Facebook describes in general terms which information Facebook receives and how it is used in its data usage guidelines. There, you will also find information about options for contacting Facebook as well as the settings options for advertisements. The data usage guidelines are available at the following link: https://help.instagram.com/519522125107875.
Facebook does not conclusively and clearly state how the data from visiting Instagram profiles is used for its own purposes, to what extent activities on the Instagram profile are assigned to individual users, how long Facebook stores this data, and whether data from a visit to the Facebook page is passed on to third parties, nor is this known to us. When you access an Instagram profile, the IP address assigned to your device is transmitted to Facebook. According to information from Facebook, this IP address is anonymised (for "German" IP addresses). Facebook also stores information about its users' devices (e.g. as part of the "Login notification" function); in this way, Facebook may thus be able to assign IP addresses to individual users. If you are currently logged in to Facebook as a user, a cookie with your Instagram ID will be stored on your device. This enables Facebook to understand that you have visited this page and how you have used it. This also applies to all other Facebook pages. Facebook Instagram Facebook buttons integrated into websites make it possible for Facebook to record your visits to these websites and assign them to your Instagram profile. Based on this data, content or advertising can be offered tailored to you.
To avoid this, you should log out of Facebook or disable the "stay signed in" feature, delete the cookies present on your device, then exit and restart your browser. In this way, Facebook information that can be used to identify you directly will be deleted. Instagram allows you to use our Instagram profile without your Instagram ID being revealed. When you access the interactive features of the page (like, comment, share, news, etc.), an Instagram login screen appears. After any registration, you will be recognizable as a specific user for Facebook again. For information on how to manage or delete existing information about you, please visit the following Instagram support page: https://help.instagram.com/1533933820244654.
5.7.2 Controllership by DIFOX
In addition, DIFOX is also sole controller for certain data processing. For the purpose of offering our information service, we process the following data for communication with Instagram users:
- User interactions (postings, likes, etc.);
- Profile name and data specified by the user in the conversation history, e.g. for processing service requests,
- Statistical surveys on target group advertising;
- Statistical data on user interactions in aggregated form, i.e., without personal reference for DIFOX (e.g. page activities, page views, page previews, likes, recommendations, posts, videos, page subscriptions incl. origin, times of day);
- Target group-controlled advertisements based on aggregated demographic data without reference to personal data (e.g. information on age, place of residence, language or gender); and
The processing is carried out for the purpose of answering your enquiries (if you have made an enquiry of us) or communicating with you and to publish information about events, products and services of DIFOX. The legal basis for processing for the purpose of responding to inquiries that serve to conclude a future contract and are initiated by you is Art. 6 para. 1 sentence 1 lit. b) GDPR and in the other cases Art. 6 para. 1 sentence 1 lit. f) GDPR.
Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2 Dublin, Ireland, together with the Facebook companies based in the USA, has concluded the standard data protection clauses adopted by the EU Commission, which allow the transfer of personal data to the USA in individual cases, insofar as personal data is transferred to Facebook servers in the USA and stored and processed further there.
The legitimate interest exists if the legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR (legitimate interests), in the effective provision of information for users, customers and interested parties and the communication with these persons as well as the external presentation of DIFOX.
After completing your request, your personal data provided will be deleted on our systems. If you interact with us publicly, for example by leaving a comment or "liking" a post, this data will remain publicly available on the site until it is deleted by us or you. Insofar as statutory retention obligations require longer storage, your data will only be stored for this purpose and blocked for other purposes.
To exercise your right to object, please inform us of your objection either at firstname.lastname@example.org or to the above address by post or by phone. We will then process your request immediately.
5.8 Online presence on other social media platforms (LinkedIn)
We maintain an online presence within social networks and platforms in order to communicate with the customers, prospects and users active there and to inform them about our services there. We point out that when you visit our online presence there, personal user data are processed by the respective social media platform for market research and advertising purposes. For these purposes, cookies are usually stored on the computers of the users, in which the user behaviour and the interests of the users are stored. Furthermore, in the usage profiles, data can also be stored independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them). These user data are provided to us by the respective platform – anonymized and aggregated for evaluation. Our legal basis with regard to this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interest is in the form of effective user information and communication with users.
The data collected by the social media platforms are also processed outside the European Union, especially in the United States. These providers are certified under the EU-US Privacy Shield.
For a detailed description of the respective processing and the possibilities of contradiction (opt-out), we refer to the following linked information of the providers.
We point out that in the case of requests for information and the assertion of user rights, these can be claimed most effectively by the providers. Only the providers have access to the data of the users and can take direct appropriate measures and provide information. If you still need help, then you can contact us.
- LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy.LinkedIn is subject to the EU-US Privacy Shield,https://www.privacyshield.gov/EU-US-Framework.
6. User's rights
6.1 Withdrawing consent, objecting
If you have given DIFOX your consent to process personal data in the context of your use of DIFOX services, you can withdraw this consent at any time pursuant to Article 7 (3) GDPR. The revocation can be sent by email to email@example.com or in writing to the address listed below. The effects of the revocation will be limited to the storage and use of personal data that may not be used or stored without your consent based on statutory permissions. This withdrawal of consent, once declared to us, will have an impact on the permissibility of the processing of your personal data. However, please note that it may not then be possible to process the data concerned in the future.
If we base the processing of personal data on the balance of interests, you may object to the processing pursuant to Article 21 GDPR. This will be the case if the processing is not specifically required to fulfil a contract with you. If you lodge such an objection, we would ask you to tell us why we should no longer process your data in the manner in which we have previously done so. If you provide a reasoned objection, we will review the matter and either cease or adapt our data processing or present you with the compelling legitimate reasons which permit us to continue to process your data. If you have exercised your right to object, the data controller will no longer process your personal data unless it can prove that there are compelling legitimate grounds for the processing that outweigh the data subject's interests, rights and freedoms or that the processing serves the purpose of the assertion, exercise or defence against legal claims.
You can of course object at any time to the processing of your personal data for the purposes of advertising and data analysis. You can notify us of your objection to advertising by e-mailing us at: firstname.lastname@example.org or via the address given below.
6.2 Your other rights
On request, DIFOX will provide you pursuant to Article 15 GDPR with information concerning the personal data stored by DIFOX. You also have the option at any time to require DIFOX to correct your data pursuant to Article 16 GDPR, to erase it pursuant to Article 17 GDPR or to restrict the processing thereof pursuant to Article 18 GDPR. Pursuant to Article 20 GDPR, you have the right to require us to hand over to you or a third party in a common machine-readable format data that we have automatically processed on the basis of your consent or for the fulfilment of a contract. If you have requested that the data be directly transferred to another controller, this will be done only if it is technically feasible.
You also have the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77 GDPR.
The only data that will be excluded from deletion are those that DIFOX requires for processing outstanding orders or for asserting existing rights and claims, as well as data that DIFOX has to store as required by law. Such data will however be blocked.
You also have the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77 GDPR.
We will be happy to provide you with further assistance.
DIFOX a branch of
Duttenhofer GmbH & Co. KG
+49 931 9708-466