of Duttenhofer GmbH & Co. KG ("DIFOX") for use of DIFOX online shops
Date: January 2020
1. Person Responsible
The controller responsible for data processing is DIFOX, a branch of Duttenhofer GmbH & Co. KG, Alfred-Nobel-Str. 6, 97080 Wuerzburg, Germany.
2. Contact details of the data protection officer
The external company privacy protection officer is Dr. Carlo Piltz, Reusch Rechtsanwälte, Joachimsthaler Str. 34, 10719 Berlin, Germany, Tel.: +49 (0) 30 23 328 95 0
3. Purpose, duration and legal bases for data processing
Your personal data are processed on the basis of your consent (Art. 6 para. 1 p. 1 lit. a) GDPR) for the purpose of subscribing to the newsletter. If you send us your personal data by e-mail when you contact us, we will process your personal data to process your requests, to contact you and possibly also to execute pre-contractual measures or to fulfil a contract (Art. 6 para. 1 p. 1 lit. b) GDPR). If required, the processing of your data will extend beyond the actual fulfilment of the contract to include the safeguarding of our legitimate interests or those of third parties as follows: The review and optimisation of processes for needs analysis and direct contact, advertising or market and opinion research, provided you have not objected to the use of your data, the assertion of legal claims and defence in the event of legal disputes, to guarantee IT security and IT operation, the facilitation of various different payment methods for your online order(s), to guarantee the operation of our website, the use of social media functions and measures for business management and the further development of services and products (Art. 6 para. 1 p. 1 lit. f) GDPR).
We are also subject to various retention and documentation obligations and may also be legally obliged to share personal data with authorities (Art. 6 para. 1 p. 1 lit. c) GDPR).
The following table provides an insight into the most important retention periods:
| Item | Retention period | Legal basis |
|---|---|---|
| Offers with order sequence, e-mails (business letters), e-mails (reminders), faxes (business letters), delivery notes, default summons and reminders | 6 years | § 147 AO, § 257 HGB |
| Outgoing invoices, receipts, e-mails (booking documents such as invoices), delivery notes, as proof of receipt, especially in connection with an invoice, cash-on-delivery tag, online invoices | 10 years | § 147 AO, § 257 HGB |
| Data on the respective sales contract for processing warranty claims | 2 years | § 438 Abs. 1 Nr. 3 BGB |
| Data on the respective contract for processing warranty claims | Depending on the respective product | § 443 BGB |
Data are transferred to third countries (states outside the EU and the European Economic Area - EEA) only if to do so is required to execute contracts concluded with you or by law, or if you have given us your consent to do so.
We will provide details to you separately, if required by law.
4. Processing of customer data
DIFOX processes the following customer data: customer name, address, telephone number, email address, information on the content of an order, IP address, any information pertaining to a different delivery address and information on the desired payment type. The data is processed in Germany. The personal data listed above is processed and used for the purpose of managing the relevant contractual relationship. The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. b) GDPR. We also reserve the right to, at appropriate intervals, send you direct mail advertisements for the offers in our online shop. No other use is made of your personal data. In particular, we do not pass on any data to third parties unless it is for the purpose of sending the ordered goods.
You can, at any time, object to your name and address being used for mail advertising purposes (see above). Simply send an email to firstname.lastname@example.org.
4.2 Registration as a specialist retailer (new customer form)
You have the option to register as a specialist retailer with DIFOX, so that DIFOX can then create a customer account for you in our shop on the website. We do this
- so that you can use our services, in particular so that you can see our up-to-date prices;
- to manage your user data and settings;
- where applicable, to manage your newsletter subscription with DIFOX; and
- for the inspection of invoices and outstanding arrears.
For a detailed breakdown of the minimum data which are processed, please refer to the page with the new customer form (https://www.difox.com/shop/en/difox/RegistrationToken). The purpose of the procedure is to validate your registration and, if necessary, to clear up any misuse of your personal data.
The legal basis for the data processing is Article 6 (1)(1)(b) GDPR.
As Section 1 (9)(11)(1)(1) MLA obliges us to identify contracting parties before establishing a business relationship or carrying out a transaction, we will process a copy of the applicant's identity card in the context of new customer registration for the purpose of combating money laundering, Section 58 MLA. The copy will not be processed for any other purpose. In accordance with Section 8 (4)(1) and (3) MLA, this copy of the ID will in principle be kept for five years after the termination of our business relationship and subsequently destroyed, unless other statutory retention provisions require us to keep it for longer, Section 8 (4)(2) MLA.
The legal basis for this data processing is Article 6(1)(c) GDPR in conjunction with Section 1 (9)(11)(1)(1) MLA.
DIFOX may also deliver goods to the end customer as a drop shipper. Drop shipping refers to a special form of business conducted in trading between a supplier and an (online) retailer. The supplier offers the retailer products which the latter then offers for sale in its online shop. As soon as a product is purchased by a customer, the retailer forwards the order to the supplier. The latter sends the goods in a neutral form directly to the end customer, meaning that the retailer does not have any contact with the goods at all. As a rule, the end customer does not notice that the actual sender is the supplier rather than the retailer. DIFOX processes the data of the end customer (name, address, telephone number, e-mail address) provided by the specialist retailer so that it can carry out the drop shipment.
The legal basis for data processing for the delivery of the product in question to the end customer is Art. 6 (1)(1)(b) and (f) GDPR. DIFOX's legitimate interest consists in its desire to fulfil its contractual obligation to the retailer as a drop shipper and to deliver the ordered product to the end customer.
4.4 Use of email addresses for advertising purposes (sending newsletters)
4.4.1 Newsletters in general
You have the option of subscribing to DIFOX's email newsletter.
After you register, DIFOX will therefore use your email address for its own advertising purposes. You may unsubscribe at any time by using the function displayed for this purpose in the newsletter, with an email to email@example.com or – if available – the corresponding option in the settings in your user account. Your email address will be saved in order to facilitate delivery of our newsletter. The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. a) GDPR.
4.4.2 Newsletter dispatch in existing customer relationship
If you have already purchased goods or services from us, DIFOX will also use your email address and the first and last name of the contact person on file for personalisation purposes in order to send you our newsletter for direct advertising of similar goods or services, if you have not objected to this use of the aforementioned data. You can of course object to the sending of our newsletter at any time with effect for the future by clicking on "unsubscribe" at the end of the newsletter or by contacting our data protection officer at firstname.lastname@example.org. You do not incur any costs other than the transmission costs according to the basic tariffs for this.
The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interest rests in being able to inform you about our latest offers for our products by means of direct advertising.
4.5 Processing of personal data in the context of payment
"Payment in advance (bank transfer)" payment type, "Purchase on account" payment type
If you are given the option of "Payment in advance (bank transfer)" or "Purchase on account" during your order, DIFOX alone processes the personal data which you entered during the ordering process in order to carry out the contractual relationship with you.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. b) GDPR.
4.6 Special conditions / rebate
DIFOX may send reports to its manufacturers and suppliers to allow it to verify possible special conditions in the context of initiation of the contract or downstream bonuses (kickbacks) after the execution of a contract for a customer. These reports contain the company name and may in individual cases also feature personal data, namely the name of the entrepreneur. The legal basis for this data processing is Article 6 (1)(1)(b) GDPR. A contact person in the customer's company for whom the special conditions are being verified may also be named. The legal basis for this data processing is Article 6 (1)(1)(f) GDPR. DIFOX's legitimate interest consists in making it possible for the manufacturer or supplier to contact the customer, if required. In addition, its legitimate interest consists in ensuring that the product manufacturer cannot verify any special conditions / rebates without unnecessary information.
4.7 Merchandise insurance contract
DIFOX is co-insured under the terms of a merchandise insurance contract. Specialist services of the insurer (credit insurance, factoring, risk assessment and collection) are drawn upon within the framework of this contract. Insofar as DIFOX makes use of the described services, personal data concerning the unfulfilled contract will be transmitted to Coface. The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interest is to protect ourselves from payment defaults and to assert our rights and claims.
5. Processing of personal data
However, when the DIFOX website is accessed, the following data is automatically logged by the web server:
- IP address of the requesting PC;
- Date and time of the request;
- Access method/function requested by the requesting PC;
- Entry values (e.g. file name) requested by the requesting PC;
- Web server access status (file transferred, file not found, command not executed etc.);
- Name of the requested file; and
- URL from which the file was requested/the desired function was released.
This information is used exclusively for the purpose of identifying and tracing unauthorised accesses to the web server and other criminal acts. The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interests are the assurance of IT security as well as the assurance of the operation of our Internet presence.
This DIFOX website uses the following types of cookie, the scope and functionality of which is outlined below:
Transient cookies are automatically deleted when you close your browser. These particularly include session cookies. These save a 'session ID', which is used to assign various requests from your browser to the overall session. This allows us to recognise your computer when you revisit our website. Session cookies are deleted when you sign out or close the browser.
Persistent cookies are automatically deleted after a set period of time that can differ depending on the cookie. You can delete cookies in your browser's security settings at any time.
You can configure your browser settings as you wish and, for example, reject third-party cookies or all cookies. Please note that you may then be unable to use all the functions of this website.
5.3 Google Analytics
This website uses Google Analytics, a web analysis service of Google LLC ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and that allow an analysis of your use of the website. The information generated by the cookie about your use of this website will normally be transmitted to a Google server in the USA and stored there. However, in case the IP anonymity function on this website is activated, Google will first abbreviate your IP address within the member states of the European Union or in other signatory states to the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google will use this information on behalf of the person responsible for this website, to compile reports on website activities and to provide the website operator with additional services associated with use of the website and of the Internet.
The IP address transmitted from your browser within the scope of Google Analytics will not be brought into contact with other data held by Google.
You can prevent storage of the cookies by using a corresponding setting of your browser software; however, please note that by doing so you may not be able to fully use all the functions of this website. You can also prevent the recording and processing by Google of the data generated by the cookie relating to your use of the website (incl. your IP address) by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
This website uses Google Analytics with the 'anonymizeIp()' extension. This means that IP addresses are processed in a truncated form to prevent the possibility of direct reference to a particular individual. If it should prove possible to associate data collected concerning your person directly with you as an individual, this will immediately be excluded and the personal data deleted without delay.
We use Google Analytics to analyse the use of our website and to make regular improvements. We can use these statistics to improve our products and make them more interesting to our users. In exceptional cases in which personal data is sent to the USA, Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. f) GDPR.
Information about the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001.
Overview of privacy: https://www.google.com/intl/de/analytics/learn/privacy.html
5.4 Contact form
You will find a contact form on DIFOX's website. The data you enter there will be stored for the purpose of individual communication with you, and the data processing is justified, in accordance with Art. 6 para. 1 p. 1 lit. f) GDPR, by our desire to offer you a simple contact option. Your data will also be stored for the purpose of answering your request, as well as for possible follow-up questions.
If you contact us in order to request a quote, the legal basis for data processing is Art. 6 para. 1 p. 1 lit. b) GDPR.
5.5 Newsletter tracking
DIFOX uses Emarsys Marketing Suite to track the recipient behaviour of our newsletter. Recipient reactions (opening a mail, clicking on text and image links, downloading images with an e-mail program) are recorded and stored anonymously for statistical purposes. It is not possible to identify individual users from the data used. The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. The legitimate interest of DIFOX is the provision of better and accurate information for recipients of the newsletter.
5.6 Facebook fan page
DIFOX operates a so-called fan page on Facebook. These are websites that are offered on the Facebook platform to present DIFOX as a company and to get in touch with customers and interested parties, for example.
5.6.1 Shared responsibility with Facebook
The results of this processing are provided to us, as the fan page operator, and then through Facebook in an aggregated, statistical and anonymous form of user statistics. We do not have access to the data processed by Facebook. Facebook provides more information about Insights under the following link: https://www.facebook.com/help/pages/insights.
Facebook describes which data it processes for more of its own purposes in its Data Policy, available under the following link: https://www.facebook.com/about/privacy.
There, you will also find information about options for contacting Facebook as well as the settings options for advertisements. Facebook remains solely responsible for the processing of such personal information in relation to visits to fan pages that are not under shared responsibility.
If you are currently logged in as a user on Facebook, there is a cookie with your Facebook ID on your device. This enables Facebook to see that you visited our fan page and how you used it. This also applies to all other Facebook pages. To avoid this, you should log out of Facebook or disable the "stay signed in" feature, delete the cookies present on your device, then exit and restart your browser.
Please note that data from the survey phase will also be passed on to locations in the USA and thus outside the territory of the European Union. No adequacy decision has been made by the European Commission for the USA itself. However, Facebook is a participant in the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
In the agreement made with DIFOX (available at: https://www.facebook.com/legal/terms/page_controller_addendum), Facebook agrees to assume the primary responsibility according to the GDPR for the processing of so-called Insights Data and all obligations to comply with the GDPR with regard to the processing of this Insights Data. The essence of the agreement can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
If you wish to exercise your rights as a data subject (for what these are, see below under point 5) in line with GDPR, we point out that we cannot fully fulfil these rights in case of doubt. It would therefore be more effective for you to contact Facebook directly. Information about your rights regarding page insights is provided by Facebook here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
With regard to page insights and joint responsibility with Facebook, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. Information on how to exercise your right to object can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
If you still need help, feel free to contact us. We will forward your request to Facebook, insofar as it relates to Insights Data.
Processing the visitor's personal data enables the provision of the fan page as well as the statistical evaluation of how our fan page is used. This evaluation is performed for us anonymously. The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interests regarding the collection of personal data when visiting the fan page and the production of statistical evaluations are: Communication and interaction with interested parties and customers; Dissemination of information about our company; Anonymized evaluation and presentation of the use of the fan page.
5.6.2 Our sole responsibility
DIFOX also processes the data from your use of the fan page that you voluntarily provide (in a comment, for example) for the purpose of answering your inquiries, communicating with you and publishing information regarding the content offered on the fan page or from DIFOX. The legal bases for processing are Art. 6 para. 1 p. 1 lit. b) and f) of GDPR. The legitimate interest lies in the effective information of users, customers and interested parties and communication with these persons.
You are welcome to contact us as long as it regards the data processed by us on our own account, and assert the rights to which you are entitled as our data subject. However, if these refer to processing that is purely in the area of responsibility of Facebook, we point out in advance that our options with regards exercising your rights are limited to referring you to the appropriate places of Facebook.
5.7 Online presence on other social media platforms (LinkedIn)
We maintain an online presence within social networks and platforms in order to communicate with the customers, prospects and users active there and to inform them about our services there. We point out that when you visit our online presence there, personal user data are processed by the respective social media platform for market research and advertising purposes. For these purposes, cookies are usually stored on the computers of the users, in which the user behaviour and the interests of the users are stored. Furthermore, in the usage profiles, data can also be stored independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them). These user data are provided to us by the respective platform – anonymized and aggregated for evaluation. Our legal basis with regard to this data processing is Art. 6 para. 1 p. 1 lit. f) of GDPR. Our legitimate interest is in the form of effective user information and communication with users.
The data collected by the social media platforms are also processed outside the European Union, especially in the United States. These providers are certified under the EU-US Privacy Shield.
For a detailed description of the respective processing and the options for objecting (opt-out), we refer to the following linked information of the providers.
We point out that requests for information and the assertion of user rights can be pursued most effectively with the providers. Only the providers have access to the data of the users and can take direct appropriate measures and provide information. If you still need help, then you can contact us.
- LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
6. User's rights
6.1 Withdrawing consent, objecting
If you have given DIFOX your consent to process personal data in the context of your use of DIFOX services, you can withdraw this consent at any time pursuant to Article 7 (3) GDPR. The revocation can be sent by email to email@example.com or in writing to the address listed below. The effects of the revocation will be limited to the storage and use of personal data that may not be used or stored without your consent based on statutory permissions. This withdrawal of consent, once declared to us, will have an impact on the permissibility of the processing of your personal data. However, please note that it may not then be possible to process the data concerned in the future.
If we base the processing of personal data on the balance of interests, you may object to the processing pursuant to Article 21 GDPR. This will be the case if the processing is not specifically required to fulfil a contract with you. If you lodge such an objection, we would ask you to tell us why we should no longer process your data in the manner in which we have previously done so. If you provide a reasoned objection, we will review the matter and either cease or adapt our data processing or present you with the compelling legitimate reasons which permit us to continue to process your data. If you have exercised your right to object, the data controller will no longer process your personal data unless it can prove that there are compelling legitimate grounds for the processing that outweigh the data subject's interests, rights and freedoms or that the processing serves the purpose of the assertion, exercise or defence against legal claims.
You can of course object at any time to the processing of your personal data for the purposes of advertising and data analysis. You can notify us of your objection to advertising by e-mailing us at: firstname.lastname@example.org or via the address given below.
6.2 Your other rights
On request, DIFOX will provide you pursuant to Article 15 GDPR with information concerning the personal data stored by DIFOX. You also have the option at any time to require DIFOX to correct your data pursuant to Article 16 GDPR, to erase it pursuant to Article 17 GDPR or to restrict the processing thereof pursuant to Article 18 GDPR. Pursuant to Article 20 GDPR, you have the right to require us to hand over to you or a third party in a common machine-readable format data that we have automatically processed on the basis of your consent or for the fulfilment of a contract. If you have requested that the data be directly transferred to another controller, this will be done only if it is technically feasible.
You also have the right to lodge a complaint with a data protection supervisory authority pursuant to Article 77 GDPR.
The only data that will be excluded from deletion are those that DIFOX requires for processing outstanding orders or for asserting existing rights and claims, as well as data that DIFOX has to store as required by law. Such data will however be blocked.
We will be happy to provide you with further assistance.
DIFOX a branch of
Duttenhofer GmbH & Co. KG
+49 931 9708-466