1. Privacy statement – general section
We care about your privacy
We welcome your interest in our company, products and services and want you to feel that you and your personal data are safe when you visit our website. We take the protection of your personal data very seriously and are committed to observing the provisions of the Federal Data Protection Act. We want you to know which data we collect and how we use them. We have implemented technical and organisational measures to ensure that we and our external service providers comply with data protection regulations. We draw your attention to the fact that security loopholes may exist when transmitting data via the Internet. It is impossible to provide absolute protection of data against access by third parties.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This may be data you enter in a contact form. Other data are automatically collected by our IT systems when you visit our website. These are predominantly technical data (e.g. Internet browser, operating system or time of day of the page view). These data are collected automatically as soon as you enter our website.
What do we use your data for (purpose of the processing)?
- Error-free provision of the website, its content and functions
- Performance of contractual services and customer care
- Answering contact enquiries and communication with users
- Marketing, advertising and market research
- Security measures
What are your rights with respect to your data?
You have the right to obtain free of charge information about the origin, recipients and purpose of your stored personal data at any time. You also have the right to request the rectification, restriction of processing or erasure of this data. With regard to this or other questions concerning data protection you may contact us at any time at the address provided in the imprint. Furthermore, you may submit a complaint to the competent supervisory authority.
Analysis tools and tools by third-party providers
Persons under the age of 18 may not transfer personal data to us without the consent of a parent or legal guardian. We do not request or collect personal data from minors nor do we transfer such data to third parties.
We check the information on this website with the utmost care. However, we assume no liability for the correctness, completeness or validity of the content of our own websites.
We have implemented technical and organisational security measures to protect your personal data from loss, destruction, manipulation and unauthorised access. All our employees and all third-party data processors are obliged to comply with the Federal Data Protection Act and to treat personal data confidentially. When personal data are recorded and processed, they are transferred in encrypted form to prevent their misuse by third parties. We are constantly updating our security measures to reflect advances in technology.
Links to other websites
2. Name and contact data of the person in charge of the processing
The data controller of the website www.mac-jeans.com is:
MAC Mode GmbH & Co. KGaA Industriestr. 2
Phone: +49 (0) 9463 855-0
Fax: +49 (0) 9463 855-199
The controller for your purchases via online shopping portals
Data protection officer required by law
We have appointed an external Data Protection Officer for our company:
Datenschutz Symbiose GmbH
Dr Marion Herrmann
3. Content delivery networks (CDN)
To ensure that the presentation of our website is as error-free and secure as possible, we use various content delivery networks. A content delivery network is a network of powerful servers that cache content at different locations around the world. In this way it provides website content in a very short time while at the same time relieving the web host by spreading the data traffic over different cache servers. As a result, users are able to access website content without long waiting times. When content delivery networks employ this technology, they process a variety of personal data. This may include your IP address, URLs of web pages accessed, date and time of access, location based on your IP address and the location of the server as well as telemetry data (e.g. mouse clicks, movement patterns and associated browser data). On our website we use the content delivery networks of Google, DataCamp, Amazon Cloudfront, Fastly, Cloudfront and Akamai. For more details, please see the remarks below. The use of content delivery networks is based on our legitimate interest in providing our website in a way that is as error-free and secure as possible (Art. 6 (1) point (f) GDPR).
The individual content delivery networks:
Google Cloud CDN
We use the content delivery network Google Cloud CDN. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google offers a globally distributed content delivery network. The transfer of information between your browser and our website is technically routed via the Google network. This allows us to increase the global accessibility and performance of our website. The use of Google Cloud CDN is based on our legitimate interest in providing our website in a way that is as error-free and secure as possible (Art. 6 (1) point (f) GDPR). The transfer of data to the USA is based on the EU Commission’s standard contractual clauses. You will find details at: https://cloud.google.com/terms/eu-model-contract-clause. Further information on Google Cloud CDN is available at: https://cloud.google.com/cdn/docs/overview?hl=en.
We have signed an order processing (OP) agreement for the use of the above-mentioned service. This agreement is required under data protection law and ensures that the processor processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
Amazon CloudFront CDN
We use the content delivery network Amazon CloudFront CDN. Provider is Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (henceforth “Amazon”). Amazon CloudFront CDN is a globally distributed content delivery network. Here the transfer of information between your browser and our website is technically routed via the content delivery network. This allows us to increase the global accessibility and performance of our website. The use of Amazon CloudFront CDN is based on our legitimate interest in providing our website in a way that is as error-free and safe as possible (Art. 6 (1) point (f) GDPR). The transfer of data to the USA is based on the EU Commission’s standard contractual clauses. You will find details at: https://aws.amazon.com/en/blogs/security/aws-gdpr-data-processing-addendum/. Further information on Amazon CloudFront CDN is available at: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
We have signed an order processing (OP) agreement for the use of the above-mentioned service. This agreement is required under data protection law and ensures that the processor processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
Akamai Content Delivery Network
We use the content delivery network (CDN) of Akamai Technologies GmbH, Parkring 20, 85748 Garching, Germany (Akamai) to increase the security and delivery speed of our website. A CDN is a network of globally distributed servers that is able to deliver content to website users in an optimised way. For this purpose the following personal data may be processed in Akamai server log files:
- your IP address
- URLs of pages visited
- date and time of access
- location based on your IP address and the location of the Akamai server
- telemetry data (e.g. mouse clicks, movement patterns and associated browser data)
The use of Akamai is based on our legitimate interest in providing our website in a way that is as error-free and safe as possible (Art. 6 (1) point (f) GDPR). You have the right to object to the processing. Whether the objection is successful is to be determined by balancing interests. The processing of the data listed in this section is neither legally nor contractually required. Without the processing it is not ensured that the website works properly. Your personal data will be stored by Akamai as long as necessary for the purposes described above. Further information on objection and removal options towards Akamai is available at: https://www.akamai.com/site/en/documents/akamai/akamai-data-protection-addendum.pdf.
Akamai has implemented compliance measures for international data transfers. They apply to all activities worldwide where Akamai processes personal data of natural persons in the EU. These measures are based on the EU’s standard contractual clauses (SCCs). More information is available at: https://www.akamai.com/us/en/multimedia/documents/akamai/akamai-pre-signed-eu-standard-contractual-clauses.pdf.
4. General remarks on data processing
Relevant legal bases
SSL or TLS encryption
For reasons of security and to protect the transfer of confidential content such as orders or enquiries which you submit to us as website operator, this page uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. When the SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Objection to promotional e-mails
We herewith object to the use of contact data which has been published in connection with our obligation to post an imprint in order to send advertising and information material that has not been expressly requested. The operators of the web pages expressly reserve the right to take legal steps if they receive advertising information materials such as spam e-mails which have not been requested.
Information about the web server location (Section 13 (1) of the Telemedia Act (TMG))
The data we receive via our website is processed on servers in Germany.
5. Cooperation with processors and third parties
Data transfer when concluding contracts for online shops, distributors and shippers
We transfer personal data to third parties only if this is necessary for performing the contract, for example to the company engaged to ship the goods or the bank charged with processing payment. Your data is not transferred for any other purpose unless you explicitly consent to the transfer or on the basis of a legal obligation or of our legitimate interest (e.g. when agents, web hosts, etc. are used). Your data will not be transferred to third parties, for example for advertising purposes, without your express consent. The basis for data processing is Art. 6 (1) point (b) GDPR which permits the processing of data for the performance of a contract or of pre-contractual measures. If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is based on Art. 28 GDPR.
Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if we do so when using the services of third parties or when disclosing or transferring data to third parties, this happens only if it serves to meet our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process the data or have them processed in a third country only if the special requirements of Art. 44 et seq. GDPR apply. This means that the processing takes place, e.g., on the basis of special guarantees such as the officially recognised determination of a data protection level that is in accordance with that of the EU or in compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
6. Data collection on our website
Server log files
Your visit to our websites is logged. The provider of the pages automatically collects and stores information in so-called server log files which your browser automatically transmits to us. These are:
- browser type and version
- operating system used
- referrer URL
- host name of the accessing computer
- time of server request
- IP address
As a general rule, it is not possible for us to establish the user’s identity, nor is this intended. These data are not merged with other data sources. The basis for data processing is Art. 6 (1) point (b) GDPR which permits the processing of data for the performance of a contract or of pre-contractual measures. These data are recorded only for data protection purposes and to help us optimise our website. The data are not evaluated in any way other than in anonymised form for statistical purposes. No personal surfing profile or similar will be recorded or processed. Moreover, personal data will only be stored if you specifically allow this, e.g. through registration, a survey, a competition, an online application or the performance of a contract. The respective input and contact forms provide information about the purposes for recording the data requested there. These data are transmitted in encrypted form via the Internet.
a) What exactly are cookies?
Cookies are text files which are stored on your computer, tablet or mobile phone when you visit a website. They are generally used to make websites more effective. Some cookies (session cookies) are automatically erased when you close your browser whereas others (persistent or tracking cookies) are archived on your device until a certain expiry date or until you empty your browser’s cache and enable us to identify you as a repeat visitor to our website. Most Web browsers accept cookies automatically. However, you can change this in your browser settings. You will find more information about cookies at: www.allaboutcookies.org.
c) What types of cookies are used?
You can delete the cookies set for our website. However, this will also erase your individual data, content and cookie settings so you will not be recognised as a repeat visitor the next time you access our website.
Purpose of the different types of cookies: Session cookies are erased when you close your browser. They are used to record how users navigate the website and how long they spend there. They store the content of your shopping cart and your customer account information for the duration of your visit and keep your login active during the session.
Persistent cookies or tracking code: These contain no personal data. They record the location from which the website was accessed, the search engine that was used, which links were clicked and which search terms were used and identify the user’s location at the time the website was accessed. They also record the number of visits and the duration of first, current and previous visits. These cookies only register visits to mac-jeans.com and are not activated when visiting other websites.
d) Do you consent to our cookies?
We offer several online features aimed at making your visit to our website as pleasant as possible. However, these features only function with the aid of cookies which will be activated if you consent at the start.
If you do not want us to recognise your computer, you can prevent the storage of cookies on your hard drive by selecting “Do not accept cookies” in your browser settings. Please consult your browser manual to find out how this works. However, you should be aware that some “essential” cookies are required to enable you to smoothly navigate our website and to select, configure and save your products. Moreover, we use these cookies only to monitor the efficiency of our website and track visitor frequency.
Consent query via Usercentrics
This website uses the consent technology of Usercentrics to obtain your consent to the storage of specific cookies on your terminal or to the use of specific technologies and to document them in compliance with data protection regulations. Provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, URL: https://usercentrics.com/de/ (henceforth “Usercentrics”). Usercentrics uses Google’s CDN to provide its services (see section 3).
When you enter our website, the following personal data are transferred to Usercentrics:
- your consent(s) or the revocation of your consent(s)
- your IP address
- information about your browser
- information about your terminal device
- time of your visit to the website
Additionally, Usercentrics stores a cookie in your browser so it can properly allocate your consents or their revocation. The data collected in this way is stored until you request that we erase it, to erase the Usercentrics cookie itself or the purpose of the data storage no longer applies. This does not affect mandatory statutory retention periods. Usercentrics is used for obtaining the legally required consents for the use of specific technologies. The legal basis for this is Art. 6 (1) point (c) GDPR.
We have concluded an order processing agreement with the above-mentioned provider. This agreement is required under data protection law and ensures that the processor processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
Recording personal data
Personal data are information about your identity. They include, for example, your name, address, telephone number and e-mail address. You do not have to disclose any personal data in order to use our website. In some cases, however, we do need your name, address and some other information in order to provide the services you request. This applies to, for example, sending information material and the goods you have ordered or answering your individual questions. In such cases, we will notify you accordingly. Moreover, we store and process only those data that you provide us voluntarily or automatically. If you are using services, we will normally only record the data we need to provide those services. If we request any additional data, this will be on a voluntary basis. Personal data are processed only to provide the service requested and to protect our own legitimate business interests.
We will only collect, process and use the personal data you provide online for the purposes notified to you. Your personal data will not be transferred to third parties without your explicit consent. We will record personal data and transfer them to government institutions and authorities entitled to receive such information only in the context of the relevant laws or if we are obliged to do so by court order. Our employees and service providers have a duty of confidentiality and must comply with the provisions of the Federal Data Protection Act.
Query by e-mail, telephone or fax
When you contact us by e-mail, telephone or fax, your enquiry including all personal data resulting from this (name, query) is stored and processed by us so we can handle your request. We will not forward this data without your consent. This data is processed on the basis of Art. 6 (1) point (b) GDPR if your enquiry relates to the performance of a contract or is necessary for implementing pre-contractual measures. In all other cases the processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Art. 6 (1) point (f) GDPR) or on your consent (Art. 6 (1) point (a) GDPR) if it has been requested. The data you sent us via contact enquiries remain with us until you request that we delete them, revoke your consent to their storage or the purpose for the data storage no longer applies (e.g. after the processing of your order has been completed). This does not affect statutory provisions, especially those concerning retention periods. Your e-mails are forwarded to us without the use of additional encryption technology. It is possible that unauthorised persons may become aware of, falsify or erase personal data and confidential information in transit.
When you send us enquiries via contact form, we will store the information you have supplied in the contact form, including your contact data, for the purpose of processing your enquiry and for any follow-up question that may arise. We will not forward this data without your consent. This data is processed on the basis of Art. 6 (1) point (b) GDPR if your enquiry relates to the performance of a contract or is necessary for implementing pre-contractual measures. In all other cases the processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Art. 6 (1) point (f) GDPR) or on your consent (Art. 6 (1) point (a) GDPR) if it has been requested. The data you entered in the contact form remain with us until you request that we delete them, revoke your consent to their storage or until the purpose for the data storage no longer applies (e.g. after the processing of your enquiry has been completed). This does not affect statutory provisions, especially those concerning retention periods.
When competitions are held, personal data are also collected only to the extent necessary. If you wish to participate in our competition, we need your e-mail address as well as your postal address so we can notify you if you win a prize or to send you the prize. When you win the main prize, a photo is typically published along with your name, town and the prize. Other winners will be listed as Mr or Ms and surname plus the first letter of their first name and their town. By participating in the competition you declare your consent to the storage of these data. Legal bases are Art. 6 (1) point (b) GDPR (processing for conducting the competition) and, if the participant consents, Art. 6 (1) point (a) GDPR. You can revoke your consent to the processing of your data at any time. To do so, all you need to do is send us an e-mail (no specific form is necessary). The revocation of consent does not affect the lawfulness of data processing activities that have taken place up until the revocation. The data you entered in the contact form remain with us until you request that we delete them, revoke your consent to their storage or the purpose for the data storage no longer applies (e.g. after the competition has been completed). This does not affect statutory provisions, especially those concerning retention periods.
Data processing (customer and contract data)
We record, process and use personal data only to the extent that this is necessary to establish, define or modify the legal relationship (master data). The basis for this is Article 6 (1) point (b) GDPR which permits the processing of data for the performance of a contract or for implementing pre-contractual measures. We only record, process and use personal data about the utilisation of our website (usage data) to the extent that this is necessary to enable the user to utilise the service or to issue invoices. The customer data recorded will be erased on completion of the order or termination of the business relationship. This shall not affect statutory retention periods.
Shopping cart reminder
If you have already placed goods in your shopping cart but not completed the order, we will use your registered e-mail address to send you a reminder. This serves to protect our legitimate business interests (legal basis). We would like to ensure that you have not abandoned your order due to a problem with the Online Shop or a misunderstanding. The reminder e-mail will contain your data and a reference to the withdrawal of consent if you no longer wish to use this service.
Registration on our website
You can register on our website to use its additional functions or “My MAC”. We will only use the data you provide for the offer or service for which you have registered. On registration, you must provide all the mandatory information. If not, we will decline your registration. If we make any major changes to the scope of the offer or essential technical changes, we will notify you of this using the e-mail address you provide on registration. The data you provide on registration are processed on the basis of your consent (Article 6 (1) point (a) GDPR). You may withdraw this consent at any time. To do so, all you need to do is send us an e-mail (no specific form is necessary). The withdrawal of consent shall not affect the lawfulness of data processing that has already taken place. The data recorded on registration will be stored by us for as long as you are registered on our website. Thereafter they will be erased. This shall not affect statutory retention periods.
Purchasing in the Online Shop
The personal data you provide when you register and data about the type and frequency of your online orders are recorded, stored and used by MAC or third parties that have a contractual relationship with MAC if this is necessary in order to perform the contract. These third parties include companies engaged to ship the goods, banks engaged to manage payments or, in particular, companies engaged to provide customer services and as processors.
A guest account is a shortened form of registration that allows your order to be processed quickly and securely. Your e-mail address will automatically be used as your user name. We generate a password that is sent directly to this e-mail address. You may use your guest account to access all the benefits of “My MAC” where you can review your order or amend your customer data for future orders.
We use QR codes on various occasions. We have the QR codes produced by a service provider. When you scan such a QR code, this scan is recorded by the service provider via an API. The service provider employed for this purpose is Bitly Europe GmbH, located at Am Lenkwerk 13, 33609 Bielefeld, Germany, who uses the tool QR-Code Generator. An order processing agreement has been signed with this service provider. The service provider may process data outside of the EU via sub-service providers. The service provider has contractually committed to entering into suitable contractual agreements with these sub-service providers in order to ensure the protection of the data.
When the QR codes are scanned (e.g. via your smartphone) the following data may be processed:
- Number of scans
- Operating system used
- Location data (town, country)
The data will not be allocated to the respective IP address. The processed data will refer to the respective person only in rare cases and only with the help of additional information. As a rule, this is not personal data within the meaning of Art. 4 (1) GDPR. We collect and process this data in order to improve our online offers and to monitor the success of any promotional campaigns. The data is processed on the legal basis of our legitimate interest as defined in Art. 6 (1) point (f) GDPR. Our legitimate interest consists in the continuous improvement of our online and advertising offers. For certain special services, we use service providers that are specifically obliged to comply with data privacy and non-disclosure provisions in those cases where it is not possible to exclude access to personal data. These categories of data recipients are: data centres, advertising agencies, software developers with access to the platform. To the extent that there is no statutory obligation to store data temporarily, all personal data that are stored in connection with the competition are destroyed after the end of the competition (e.g. non-winners’ data) and after notification of the winners and handover of the prizes (e.g. winners’ data). In the case of recurring competitions (“competition series”), your data will be stored until the end of the competition series or until you withdraw your consent. Recurring competitions are recognisable as such and are identified accordingly.
a) Types of data and legal basis
Occasionally MAC conducts surveys on its company website. Participation in these surveys is voluntary. Various personal data may be collected and processed during the surveys. The surveys regularly offer expense allowances or prizes. To ensure that the expense allowance or prize can be allocated and delivered to the proper participant (“data subject”), his or her name and email address are collected. These data are processed for the purposes of fulfilling the contract in accordance with Art. 6 (1) point (b) GDPR. During the course of the survey other data may be collected as well. These data are either collected explicitly or entered independently by the data subject in open text fields. Since the data subject has previously entered his or her name and email address, these data may also contain a personal reference to the participant. It is also possible that other sensitive data may be entered for processing by the data subject via the open text fields. MAC will never explicitly collect such sensitive data. Consequently, MAC has no influence on the information that is submitted via the open text fields. The legal basis for the collection and processing of personal data via the survey form is the consent of the data subject in accordance with 6 (1) point (a) GDPR. This consent may be revoked at any time according to Art. 7 (3) GDPR. If the consent is revoked, all personal data which is processed on the basis of this consent will be promptly deleted. However, this also eliminates any outstanding claims to compensation allowances or prizes.
b) Purpose of the processing
Data may be processed in connection with surveys for different purposes (e.g. to determine customer satisfaction, analyse purchasing behaviour or receive feedback on improvement potential). The specific purposes are specially defined for each respective survey and are made available to the data subject in a transparent manner.
c) Duration of storage
Your name and email address which we collect in the course of a survey are only used for the purpose of allocating and delivering prizes or expense allowances. This data is therefore deleted as soon as the prize or expense allowance has been delivered. When the name and email address are deleted, the personal reference of the remaining data is also removed. Consequently, further processing will be anonymised and only serves purposes of analysis. The data will not be sold or passed on to third parties.
d) Recipient of the data (third-country transfer)
The personal data collected in the course of a survey is made available only to MAC employees who need the data in order to perform their duties. To conduct the surveys, MAC uses the software solution SurveyMonkey by the service provider Momentive Europe UC (2 Shelbourne Buildings, Second Floor, Shelbourne Rd, Ballsbridge, Dublin 4, Ireland). The required contractual agreements to ensure data privacy have been concluded with the service provider. Since Momentive Europe UC is a subsidiary of Momentive Inc., which is based in California, USA, the possibility that your personal data is transferred to the USA cannot be excluded. Momentive Europe UC does assure that pertinent contractual agreements have been entered into with all entities to which personal data are transferred. However, due to the broad powers of U.S. security authorities, the possibility that said security authorities access your data cannot be completely excluded. To participate in the survey, you will be redirected to a subpage of SurveyMonkey. This process may enable SurveyMonkey to gain knowledge of your connection data (IP address, log data, browser settings, etc.). Momentive Europe UC is solely responsible for the processing of this data and compliance with the pertinent legal requirements. More information on the data processing by Momentive is provided at: https://www.surveymonkey.com/mp/legal/privacy/.
e) Rights as a data subject
Duration of storage
We store the personal data provided to us via our website only for as long as is necessary to fulfil the purpose for which it was provided. If commercial and fiscal law specify retention periods, some data may be stored for up to ten (10) years. Moreover, when an order is placed online, the user’s IP address at that time is stored and used separately and in anonymised form for the duration of one (1) year to ensure data security (i.e. to prevent misuse and prosecution).
Erasure of customer data (in the Online Shop)
The data we process will be erased or the processing will be restricted in accordance with Art. 17 and 18 GDPR. If you request the erasure of your data, we can only comply with this in full if you have not yet concluded an order with us. We erase the personal data recorded to process orders and stored in our electronic customer system (e.g. data of birth, phone and fax number, e-mail address, credit score) within seven (7) working days. If you are already a customer, we are obliged to retain commercial/business documents and invoices for six (6) and ten (10) years respectively, pursuant to Section 257 HGB (German Commercial Code) and Section 147 AO (Fiscal Code). We are therefore unable to immediately erase your personal data that we are required by law to retain. In our system, these data are locked for the duration of the retention period to prevent their active use.
We record and process your personal data (e-mail address) if you register to receive our newsletter. You have given your consent to this by clicking the “Register” button and then the link in the confirmation e-mail. This website sends newsletters using Inxmail from Inxmail GmbH, Wentzingerstr. 17, D-79106 Freiburg, Germany. Inxmail is a service used to organise and analyse newsletter mailing. The data you provide in order to receive the newsletter (e.g. e-mail address) are stored on the Inxmail servers in Germany. Inxmail is a co-founder and member of the Certified Senders Alliance (CSA) and a signatory to Germany’s e-mail marketing quality standard. The newsletter we send via Inxmail enables us to analyse the general behaviour of the newsletter recipients. For example, we can analyse how many recipients have opened the newsletter notification and how many clicks there are on which links in the newsletter. The data are processed on the basis of your consent (Article 6 (1) point (a) GDPR). You may withdraw this consent at any time by cancelling the newsletter. The withdrawal of consent shall not affect the lawfulness of data processing activities that have already taken place. If you do not wish your data to be analysed by Inxmail, you must cancel the newsletter. We provide a link for this purpose in every newsletter notification. You may also cancel the newsletter directly from the website. The same applies if you are sent the newsletter without your explicit prior consent on the basis of the exemption contained in Section 7 (3) UWG (Unfair Competition Act) due to a prior purchase of goods or services. The data you provide us for the purpose of receiving the newsletter will be stored until you cancel the newsletter and will then be erased from both our servers and Inxmail’s servers. This shall not affect data that we have stored for other purposes (e.g. e-mail address for your “My MAC” login). We have concluded a processing agreement with Inxmail and, in using Inxmail, comply with the stringent requirements of Germany’s data protection authorities.
8. Analysis tools and advertising
We have concluded a processing agreement with Google and, in using Google Analytics, comply with the stringent requirements of Germany’s data protection authorities.
You can prevent the storage of cookies via a setting in your browser software. However, we would like to point out that you may then no longer be able to use all the website’s functions in their entirety. You can also prevent Google from recording and processing the data generated by the cookie in relation to your use of the website (including your IP address) by downloading and installing the browser add-on available here: https://tools.google.com/dlpage/gaoptout?hl=en.
Our website uses Bing Ads from Microsoft Corporation (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA – “Microsoft”). If you click on an ad displayed by Microsoft Bing Ads, a conversion tracking cookie will be placed on your computer. This cookie has limited validity and cannot be used for personal identification. If you visit certain pages on our website and the cookie has not yet expired, we and Microsoft can recognise that you clicked on the ad and were then redirected to our website. The information obtained with the aid of the conversion cookie is used to compile conversion statistics. These show the total number of users who clicked on one of our ads and were redirected to a page with a conversion tracking tag. It is not possible to personally identify the user. Use of this service is based on your consent according to Article 6 (1) point (a) GDPR and Section 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG). This consent may be withdrawn at any time. You will find more information about data protection and the cookies used by Microsoft Bing at: https://privacy.microsoft.com/en-us/privacystatement.
This website uses Clarity. Provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, https://docs.microsoft.com/en-us/clarity/ (henceforth “Clarity”). Clarity is a tool for analysing user behaviour on this website. Clarity tracks mouse movements in particular and produces a visualisation showing which parts of the website users visit especially frequently (heatmaps). Clarity can also record sessions so we can view the use of our website in video format. In addition, it provides us with information about general user behaviour on our website. Clarity uses technologies which facilitate user recognition for analytical purposes (e.g. cookies or device fingerprints). Your personal data are stored on Microsoft servers (Microsoft Azure Cloud Service) in the USA. If your consent has been obtained, the above-mentioned service is solely used on the basis of Art. 6 (1) point (a) GDPR and Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG). This consent may be withdrawn at any time. If consent has not been obtained, this service is used on the basis of Art. 6 (1) point (f) GDPR; the website operator has a legitimate interest in effective user analysis. Further details about data protection at Clarity can be found at: https://docs.microsoft.com/en-us/clarity/faq. We have concluded an order processing agreement with the above-mentioned provider. This agreement is required under data protection law and ensures that the processor processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR.
Facebook Conversion API
The Facebook Conversion API is integrated on this website. This service is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, the data recorded may also be transferred to the USA and other third countries. The Facebook Conversion API enables us to capture the website user’s interactions with our website and transmit them to Facebook in order to improve Facebook’s advertising performance. Moreover, targeted advertisements may be displayed on the basis of the user data (e.g. location data and interests) which are available at Facebook (audience segmentation targeting). As website operators we have no passive or active access to this user data. User analysis is conducted solely by Facebook. On the part of the website operator, data is only sent back by the server in this context. When a visitor lands on our website via a Facebook advert, Facebook assigns a click ID to that user. For the website operator, this is an anonymous data item which does not allow to identify the user. When the user associated with this click ID triggers an event on our website (e.g. a product purchase), the website sends this information back to Facebook along with the value of the purchase and the time of the purchase.
Specifically, the following data is transmitted:
- anonymous click ID
- event name (e.g. “AddToCart” or “Purchase”)
- time of event
- conversion value
Facebook utilises this data internally. The responsible entity for the further data processing is Facebook itself. Information about data processing by Facebook is available at https://www.facebook.com/privacy/policy/. Since this is not personal data for the website operator, no legal basis is required for this processing.
This website uses Frizbit, a multi-channel marketing tool from Frizbit Technology, S.L., Carrer Llacuna 162, 08018 Barcelona, Spain (https://frizbit.com). We use the Frizbit E-Commerce Marketing Automation Platform to increase the number of visits to the website and retain customers. For this purpose, Frizbit generates several persistent cookies with a maximum lifetime of one year which recognise users and analyse their behaviour on the website by assigning a randomly generated ID to each user. The aim is to send targeted push messages to the user’s browser. These messages may be shopping cart reminders or invitations to register for our newsletter. Consent is obtained from the data subject for the use of Frizbit. Data processing by Frizbit is thus based on the consent in accordance with Art. 6 (1) point (a) GDPR.
The website operator uses Google Ads. Google Ads is an online advertising platform provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Ads makes it possible to display advertisements in the Google search engine or on third-party websites when the user enters specific search terms (keyword targeting). Moreover, targeted advertisements may be displayed on the basis of the user data (e.g. location data and interests) which are available at Google (audience segmentation targeting). As website operators we have no passive or active access to this user data. User analysis is conducted solely by Google. On the part of the website operator, data is only sent back by the server in this context, the so-called Google Ads Conversion Tracking. When a visitor lands on our website via a Google search, Google assigns a click ID to that user. For the website operator, this is an anonymous data item which does not allow to identify the user. When the user associated with this click ID triggers an event on our website (e.g. a product purchase), the website sends this information back to Google along with the value of the purchase and the time of the purchase.
This website uses various functions of Google Analytics. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics enables the website operator to analyse the behaviour of the website visitors. The website operator receives various usage data, such as pages viewed, operating systems used and origin of the user. This data is allocated to the user’s respective terminal device. It is not allocated to a user ID. Google Analytics also enables us to record your mouse movements, scrolling and clicks. Moreover, Google Analytics uses various modelling approaches in order to augment the datasets collected and employs machine learning technologies for the data analysis. Google Analytics uses technologies which facilitate user recognition for purposes of analysing user behaviour (e.g. cookies or device fingerprinting). As a rule, the information about your use of this website that Google has collected is transferred to and stored on a Google server in the USA. Use of this service is based on your consent according to Article 6 (1) point (a) GDPR and Section 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG). This consent may be withdrawn at any time. The transfer of data to the USA is based on the EU Commission’s standard contractual clauses. You will find details at: https://privacy.google.com/businesses/controllerterms/mccs/.
Google Analytics Remarketing
Google Data Studio
We use Google Data Studio which is a data management tool for producing user-defined reports and dynamic dashboards. This draws on the data from Google Analytics and has no interfaces to other data sources (e.g. Google Ads, Attribution 360, BigQuery, Cloud SQL, MySQL, Google Tables, YouTube Analytics, etc.). The web tool does not require any local applications and can be launched from the web. Access is via a browser and the data sources are linked directly via Google Data Studio. You will find further information about the use of Google Data Studio at support.google.com/datastudio/answer/6283323.
This website uses various functions of Google DoubleClick. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland (henceforth “DoubleClick”). DoubleClick is used to show you interest-related advertisements in Google’s entire advertising network. With the help of DoubleClick, the advertisements can be targeted towards the interests of the respective viewer. For instance, our advertisements can be shown in Google search results or in web banners that are linked with DoubleClick. To be able to show viewers interest-based advertising, DoubleClick must recognise the respective viewer and allocate to him or her websites visited, clicks and other information regarding his or her user behaviour. To this end DoubleClick employs cookies or comparable recognition technologies (e.g. device fingerprinting). The collected information is compiled into a pseudonymous user profile so the respective user can be shown interest-based advertising. Use of this service is based on your consent according to Article 6 (1) point (a) GDPR and Section 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG). This consent may be withdrawn at any time. For further information on how to object the advertisements displayed by Google, please see the following links: https://policies.google.com/technologies/ads and https://adssettings.google.com/authenticated.
We use Google Signals. When you visit our website, Google Analytics records your location, search history and YouTube history as well as demographic data (visitor data), among other information. With the help of Google Signals, these data can be used for personalised advertising. If you have a Google account, the visitor data are then linked to your Google account by Google Signals and used for personalised advertising messages. The data are moreover used for compiling anonymised statistics regarding the user behaviour of our users.
Google Tag Manager
We use the Google Tag Manager. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Google Tag Manager is a tool with whose help we can install tracking or statistics tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, stores no cookies and does not perform any analyses of its own. It only serves to manage and use the tools that are embedded in it. However, the Google Tag Manager collects your IP address, which may also be transmitted to Google’s parent company in the United States. Processing takes place solely on the basis of Article 6 (1) point (a) GDPR and Section 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG), to the extent that consent includes the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of TTDSG. This consent may be withdrawn at any time.
Specifically, the following data is transmitted:
- anonymous click ID
- event name (e.g. “product purchase”)
- value of the purchase, if applicable
- time of the purchase
Google utilises this data internally. The responsible entity for the further data processing is Google. Information about data processing by Google is available at https://policies.google.com/privacy?hl=en&gl=de#intro. Since this is not personal data for the website operator, no legal basis is required for this processing.
We have activated the IP anonymisation function on this website. In the Member States of the European Union and in other States party to the Agreement on the European Economic Area, your IP address will be truncated by Google prior to transfer to the USA. In exceptional cases, the full IP address will be transferred to a Google server in the USA and truncated there. Acting on behalf of the operator of this website, Google uses this information to evaluate your use of the website, compile reports about website activities and provide the website operator with other services associated with the use of the website and the Internet. The IP address transmitted from your browser by Google Analytics will not be merged with other Google data.
This website uses Matomo, an open-source web analytics service. Matomo applies technologies which facilitate cross-page user recognition for analytical purposes (e.g. cookies or device fingerprints). The information about the use of this website recorded by Matomo is saved on our server. The IP address is anonymised beforehand. Matomo enables us to record and analyse data about our visitors’ use of our website. In this way, we can identify when which pages were viewed and from which region. We also record various log data (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain activities (e.g. clicks, purchase transactions, etc.). The use of this analysis tool is twofold. One part of the processing is based on Article 6 (1) point (f) GDPR. The website operator has a legitimate interest in the anonymised analysis of user behaviour in order to optimise its website and its advertising. In this case data is recorded without using cookies. Therefore visitors are not recognised after a session has ended and no e-commerce reports are generated (shopping cart, product pages, purchase). Only the total purchase value is recorded. The other part of the processing is solely based on your consent according to Article 6 (1) point (a) GDPR and Section 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG). In this variant, cookies are used for cross-session user recognition and e-commerce reporting is activated. If you were redirected to our website via a Google advert, it is also possible that the click ID is transmitted back to Google Ads by the server. This consent may be withdrawn at any time. We use IP anonymisation when performing analyses with Matomo. Your IP address will be truncated before the analysis so that it can no longer be assigned to you. We host Matomo solely on our own servers which means that we retain all analytical data and do not transfer it to third parties.
Duration of storage
Data stored at Google at user and event level that is linked to user identifier (e.g. user ID) or advertising identifiers (e.g. DoubleClick cookies, Android advertising ID) are anonymised or erased after 14 months. For pertinent details, please see this link: https://support.google.com/analytics/answer/7667196?hl=en.
To display our Trusted Shops seal of approval and to offer Trusted Shops membership to buyers after an order, the Trusted Shops trust badge is integrated on this website. This serves to protect our legitimate interests in optimal marketing by enabling secure shopping in accordance with Art. 6 para. 1 p. 1f GDPR, which prevail in the context of a balancing of interests. The trust badge and the services advertised with it are an offer of Trusted Shops AG, Subbelrather Str. 15C, 50823 Cologne ("Trusted Shops"), with whom we are jointly responsible for data protection pursuant to Art. 26 GDPR. Within the scope of this data protection notice, we inform you in the following about the essential contractual contents in accordance with Art. 26 (2) GDPR. Within the framework of the joint responsibility existing between us and Trusted Shops, please contact Trusted Shops in preference in the event of data protection questions and to assert your rights using the contact options given under https://www.trustedshops.de/impressum-%20datenschutz/#kontaktmoeglichkeiten-und-recht. Irrespective of this, however, you can always contact the responsible person of your choice. Your enquiry will then, if necessary, be passed on to the other responsible party for a response.
1. data processing when integrating the trust badge/other widgets
The trust badge is provided by a US-American CDN provider (content delivery network). An appropriate level of data protection is ensured by standard data protection clauses and other contractual measures. When the trustbadge is called up, the web server automatically saves a so-called server log file, which also contains your IP address, date and time of the call-up, amount of data transferred and the requesting provider (access data) and documents the call-up. The IP address is anonymised immediately after collection so that the stored data cannot be assigned to you personally. The anonymised data is used in particular for statistical purposes and for error analysis.
2. data processing after order completion
If you have given your consent, the trust badge accesses order information stored in your terminal device (order total, order number, purchased product, if applicable) and email address after the order has been completed and your email address is hashed using a cryptological one-way function. The hash value is then transmitted to Trusted Shops with the order information in accordance with Art. 6 para. 1 p. 1a GDPR. This serves to check whether you are already registered for Trusted Shops services. If you are registered, further processing will take place in accordance with the contractual agreement between you and Trusted Shops (available at: https://www.trustedshops.com/tsdocument/BUYER_AUTO_PROTECTION_TERMS_de.pdf). If you are not yet registered for the services or do not give your consent to automatic recognition via the Trustbadge, you will subsequently be given the opportunity to give your consent to receive rating invitations. Without consent, no order information will be transmitted to Trusted Shops. Trusted Shops uses service providers in the areas of hosting, monitoring and logging. The legal basis is Art. 6 (1f) GDPR for the purpose of ensuring trouble-free operation. Processing may take place in third countries (USA and Israel). An adequate level of data protection is ensured in the case of the USA by standard data protection clauses and further contractual measures and in the case of Israel by an adequacy decision. For more information, please visit https://www.trustedshops.de/impressum-datenschutz/.
9. Add-ons and tools
In order to ensure that no incorrect address data is stored in our system and to guarantee secure delivery of marketing emails to the recipient, we use the " Address Capture" and "Email Address Validation" services of GB Group PLC, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, United Kingdom ("Loqate") for appropriate data validation. Your address and e-mail address (no other personal data will be processed) are checked for validity directly during entry via the online interface and by Loqate. If an error is detected when entering your address, an alternative address or the correct spelling of your address will be suggested to you. Via the interface, your data will be checked against Loqate's database, which is located in the UK. Once the email address has been validated, the data is deleted immediately, or after 30 days at the latest. The address validation records will be deleted after 30 days at the latest. The processing of your data itself is based on Art. 6 para. 1f GDPR. Our legitimate interest is to ensure that valid data is retained and that the smooth processing of customer enquiries and orders can be guaranteed. For the United Kingdom, the Commission has adopted a corresponding adequacy decision under Article 45 para 1 GDPR, which legitimises the transfer to or processing of your data in the United Kingdom. We have concluded a data processing agreement (DPA based on SCC) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR. If Loqate processes personal data in the USA, this is done on the basis of so-called standard contractual clauses in accordance with Art. 46 para. 2c) GDPR, as well as further measures to protect your data. Further information on data protection at Loqate can be found at: https://www.loqate.com/en-gb/products-services-privacy-notice/.
YouTube with enhanced privacy
This website incorporates videos from YouTube which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We use YouTube in enhanced privacy mode which, according to YouTube, means that YouTube does not store any information about visitors to this website before they view the video. However, it does not necessarily prevent the transfer of data to YouTube’s partners. For example, irrespective of whether you view a video or not, YouTube establishes a link to the Google DoubleClick network. As soon as you start a YouTube video on this website, a link is established to YouTube’s servers. The YouTube server is notified which of our pages you have visited. If you have logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out from your YouTube account. When you start a video, YouTube also places cookies on your end device or uses comparable recognition technology (e.g. device fingerprinting). In this way, YouTube acquires information about the visitors to this website. It uses this information to record video statistics, improve user-friendliness and prevent attempted fraud, for example. Starting a YouTube video may also trigger further data processing activities over which we have no influence. We use YouTube in the interest of providing an attractive presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) point (f) GDPR. If the corresponding consent was obtained, processing shall be solely on the basis of Article 6 (1) point (a) GDPR; this consent may be withdrawn at any time. You will find further information about privacy at YouTube at https://policies.google.com/privacy?hl=en.
10. Payment methods on our website
We use the following payment services/payment service providers on this website:
This payment service is provided by Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (henceforth “Mastercard”). Mastercard may transfer personal data to its parent company in the USA. The transfer of data to the USA is based on Mastercard’s Binding Corporate Rules. You will find details at https://www.mastercard.de/de-de/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.
Sofortüberweisung (instant transfer)
This payment service is provided by Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany (henceforth “Sofort GmbH”). Sofort GmbH provides us with real-time confirmation of payment so we can immediately start fulfilling our obligations. If you choose to use Sofortüberweisung, you transfer the PIN and a valid TAN for your online banking account to Sofort GmbH which, after logging in, automatically checks your account balance and then transfers the amount owed to us using the TAN you have provided. It then sends us confirmation of the transaction. After logging in, Sofortüberweisung also automatically checks the transactions on your account, your overdraft limit and the existence and balance of any other accounts. In addition to your PIN and TAN, your payment and personal data are also transferred to Sofort GmbH. The personal data include your forename and surname, address, phone number(s), e-mail address, IP address and any other data that may be needed to process the payment. It is necessary to transfer these data in order to establish your identity beyond doubt and prevent any attempted fraud. You will find details about payment using Sofortüberweisung at: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
11. Our social media presence
a) Data processing by social media
b) Legal basis
Our social media offerings are intended to ensure the broadest possible Internet presence. This is a legitimate interest within the meaning of Article 6 (1) point (f) GDPR. The analytical processes initiated by social media networks may be based on deviating legal bases which the operators of these networks must disclose (e.g. consent within the meaning of Article 6 (1) point (a) GDPR).
c) Controller and assertion of rights
When you visit one of our social media offerings (e.g. on Facebook), we and the operator of the social media platform are the joint controllers of the data processing activities triggered by this visit. Generally speaking, you may assert your rights (access, rectification, erasure, restriction of processing, data portability and complaint) against both us and the operator of the social media platform (e.g. Facebook). Please note that, although we and the operator of the social media platform are joint controllers, we cannot fully influence the data processing activities of the social media platform operator. Our options are largely dictated by the policies of the respective service provider.
d) Duration of storage
The data we record directly via our social media presence will be erased from our systems as soon as the purpose for which it was stored no longer exists, you request us to erase this data or you withdraw your consent to storage. The cookies stored on your end device will remain until you erase them. This does not affect statutory provisions, especially those concerning retention periods. We have no influence on the duration of storage of the data stored by the operators of social media for their own purposes. You can obtain details directly from the operators of social media platforms (e.g. in their privacy policies, see below).
e) Details of social media platforms
12. Your rights as a data subject (data subject rights)
Information, restriction/blocking, erasure
Within the framework of the applicable legal provisions, you have the right to obtain free of charge and at any time information about your stored personal data, about the origin and recipients of these data and the purpose of the data processing as well as the right to their rectification, restriction/blocking or erasure of these data, if applicable. With regard to this or other questions concerning personal data you may contact us at any time at the address provided in the imprint.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You may withdraw at any time the consent you have already given. To do so, all you need to do is send us an e-mail (no specific form is necessary). The revocation of consent does not affect the lawfulness of data processing that has taken place up until the revocation.
Right to data portability
You have the right to have data which we process in an automated way based on your consent or in the performance of a contract handed over to you or a third party in a standard, machine-readable format. If you request the direct transfer of data to another processor, this will be done only inasmuch as it is technically feasible.
Right to complain to the competent supervisory authority
In case of complaints, suggestions or questions, please contact our Data Protection Officer.
In the event of any breaches of data privacy law, the person affected may submit a complaint to a supervisory authority. The data protection supervisory authority responsible for our company is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
You will find a list of the data protection officers and their contact details at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
MAC Mode GmbH & Co. KGaA