Privacy policy

Dear customers and visitors of our website, thank you for your trust and for your visit. The protection of your data, your personal rights and your right to informational self-determination in the collection, processing and use of your personal data is of great importance to us. Our data protection practice complies with the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

1. Use / Collection of your data

In order to process your order, the data required for the transaction, such as your name, address and e-mail address, are stored in our web shop system. You will find these data in your order confirmation; if you do not receive it, please check your spam filter and/or send us an e-mail. We will gladly send you a copy of your order.

As a rule, your personal data are not passed on to third parties outside our company.

- If you wish to pay by bank transfer, you will receive our bank details with the order confirmation. We will process your order after receipt of your payment.

- If our parcel service providers offer delivery options for parcel delivery, we would also like to offer you this service. So that the parcel service provider can give you a specific time frame for the delivery of your parcel and allow you to reschedule it, personal data, namely your address data including your e-mail address and, if provided, your telephone number, are forwarded to the parcel service provider commissioned with the delivery. Where applicable, you will receive an e-mail or SMS from the commissioned parcel service provider that allows you to adjust the time and/or place of delivery or to be informed of the delivery window. This transmission is an integral part of the contractual relationship; an objection is not possible. Further information can be found in our terms and conditions. In addition, our parcel service provider may commission transport companies outside the European Economic Area (EEA) to assist with parcel delivery. These providers have access to personal customer data such as address and e-mail address because they need them to perform their duties. We ensure that the transmission of customer data to these companies is in accordance with this privacy policy and German data protection law; the EU standard contractual clauses (Set II) apply. These are standard contractual clauses for the transfer of personal data from the European Community to third countries, issued by the European Commission to ensure an adequate level of data protection.

2. Confidence thanks to high security standards

For data transfer we use SSL/TLS transport encryption (still commonly referred to as SSL, Secure Socket Layer) with 128-bit session keys. The same technology is used by banks for online banking. It protects your data on the way between your browser and our server; it does not by itself say anything about how the data is protected once it has arrived. The payment methods we offer are protected by the same transport encryption. You can recognize that your data is being transmitted in encrypted form by the closed lock symbol shown next to the address of our site in your browser (older browsers show it in the status bar). Note that the lock only confirms that the connection is encrypted and that the certificate is trusted by your browser; please also check that the address shown is really ours.

3. Security

Specifically, our security guarantee looks like this:

Our shop software (Shopware), which uses SSL/TLS by default, encrypts your personal information such as name, address, bank details and credit card number when you place an order. SSL/TLS is supported by all current browsers. Your data reaches our server in encrypted form that cannot be read by unauthorized persons along the way.

To date, none of our customers has suffered damage attributable to the illegal use of credit card or bank information. Should misuse occur in connection with a purchase on our website, most credit card issuers are liable for all amounts exceeding a deductible of EUR 50.00. If your bank requires you to pay this deductible, we will cover it. This requires, however, that you inform your bank or credit card company immediately in the event of misuse.

4. Use of cookies and other technologies

Cookies are small alphanumeric identifiers which our web server sends to your browser and which your browser stores on your computer. Many e-commerce processes cannot be implemented without this technology; for example, the virtual shopping cart is usually realized with cookies. When you arrive via external banner ads and links, certain IDs for these promotions and, where applicable, coupon codes are also assigned to you by means of cookies. The persistent cookies themselves contain no personal data: name, e-mail address, IP address etc. are not stored in them. No profile of your usage behaviour is created.

You can disable the storage of cookies in your browser, restrict it to certain websites, or set your browser to notify you when a cookie is sent. You can also delete cookies from your hard drive at any time. Please note, however, that if certain cookies are declined, use of our website may be impossible or restricted. For information on how to configure your browser's cookie settings, see your browser's help function.

5. Social Media Plugins

This website uses (or will use) social media plugins of the following social networks:

Facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.

Google Plus, which is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Pinterest, which is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, USA.

Twitter, which is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA.

The plugins can be recognized by the Facebook, Twitter, "Pin it" and "+1" logos. When you visit our pages, the plugins establish direct connections between your browser and the servers of these services as soon as the page is loaded, regardless of whether you click a button. The services thereby receive the information that you have visited our site, together with your IP address. If you click one of the buttons while logged in to one of the services, the information that you have visited our site can be assigned to your user account at the respective service. If you are a member of one of these services and do not want the providers to collect data about you via our website and link it to your membership data, you must log out of the respective service before visiting our website. We point out that we, as provider of this website, have no knowledge of the content of the transmitted data or of its use by the individual services. For more information on which data is collected by the social plugins at the respective services and how this data is used, please refer to the privacy policy of each provider. These can be found at: http://www.facebook.com/policy.php, http://twitter.com/privacy, http://pinterest.com/about/privacy/ and https://www.google.com/intl/en/+/policy/.

6. Access to your personal information

You can view, edit and delete your own data at any time in your personal area using your e-mail address and your password. If you have forgotten your password, you can request a new one: enter the e-mail address known to us and submit the form. We will then send a replacement password to that e-mail address. The protection of this procedure rests entirely on the fact that the replacement password is sent only to the e-mail address on file; it is therefore only as secure as your access to that mailbox. If someone else can read your e-mail, they can also use this procedure, so keep your e-mail account protected and replace the password we send you with one of your own choosing after logging in.

7. Duration of data storage

Your personal data will be kept only for as long as is necessary to provide our services. Further storage may be required by statutory retention obligations.

8. Your right to information and revocation

You are entitled to request, free of charge and in writing, information about which personal data we store about you. Once the information has been provided, we will promptly make any necessary corrections, blockings or deletions, as far as the law permits. You may revoke any consent you have given to the use of your personal data at any time with effect for the future. For questions about data protection and the exercise of your rights, please contact us via our contact form.

9. Operational data protection

As a family business, we take personal responsibility for protecting your data. Your data is processed solely for the purpose of handling your order; there is no other use.


Data processing agreement (AVV)

pursuant to Art. 28 (3) General Data Protection Regulation (GDPR).

Version 3.0 between

Frank, Gorish
Ophoffstr. 43
45768 Marl

as a client
- hereinafter client -

and

STRATO AG
Pascalstraße 10
10587 Berlin

as a contractor
- hereinafter contractor -


1. Subject and duration of processing
1.1. The subject matter of this agreement is the rights and obligations of the parties in connection with the provision of services under the contract, the service description and the general terms and conditions (hereinafter the main contract), insofar as the contractor processes personal data on behalf of the client as processor within the meaning of Art. 28 GDPR. This covers all activities the contractor performs to fulfil the contract that constitute commissioned processing. It applies even if the order does not explicitly refer to this data processing agreement.
1.2. The duration of the processing corresponds to the term agreed in the order.

2. Nature and purpose of the processing
2.1. The type of processing includes all types of processing as defined by the GDPR to fulfill the contract.
2.2. Purposes of processing are all purposes required to provide the contracted services in terms of cloud services, hosting, Software as a Service (SaaS) and IT support.

3. Type of personal data and categories of data subjects
3.1. The type of data processed is determined by the client through product selection, configuration, use of the services and the data transmitted.
3.2. The categories of data subjects are likewise determined by the client through product selection, configuration, use of the services and the data transmitted.

4. Responsibility and processing on documented instructions
4.1. Within the scope of this agreement, the client is solely responsible for compliance with the statutory provisions of data protection law, in particular for the lawfulness of the transfer of data to the contractor and for the lawfulness of the processing ("controller" within the meaning of Art. 4 No. 7 GDPR). This also applies to the purposes and means of processing set out in this agreement.
4.2. Instructions are initially laid down in the main contract and may subsequently be changed by the client in writing or in electronic form (text form) by individual instructions. Verbal instructions must be confirmed without delay in writing or in text form. Instructions not provided for in the contract are treated as a request for a change of service. In the event of a proposed change, the contractor will inform the client of its effects on the agreed services, in particular on the feasibility of providing the services, on deadlines and on remuneration. If implementing the instruction is unreasonable for the contractor, the contractor may terminate the processing. Unreasonableness exists in particular where the services are provided on an infrastructure shared by several clients of the contractor (shared services) and a change to the processing for individual clients is not possible or not reasonable.
4.3. The contractually agreed processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area, unless otherwise agreed, e.g. in the product description of the commissioned service.
4.4. If the registration of domains with registries located in a third country (outside the European Union and the European Economic Area) is an integral part of the contract, the parties agree that the contractor will transfer personal data to these registries in compliance with the mandatory statutory provisions.
4.5. The parties further agree that the contractor is entitled, in compliance with the mandatory statutory provisions, to transfer personal data to a third country for the purpose of providing the services. This is the case in particular where the subject of the contract is a service of a third party that provides this service wholly or partly in a third country.

5. Rights of the client, obligations of the contractor
5.1. The contractor may process data of data subjects only within the scope of the order and the documented instructions of the client, unless an exception within the meaning of Art. 28 (3) a) GDPR applies (an obligation under the law of the European Union or of a member state). The contractor shall inform the client without delay if it considers that an instruction infringes applicable law. The contractor may suspend execution of the instruction until the client has confirmed or modified it.
5.2. Taking into account the nature of the processing, the contractor shall, as far as possible, assist the client with appropriate technical and organizational measures in fulfilling the rights of data subjects under Chapter III of the GDPR. The contractor may demand reasonable remuneration from the client for this assistance.
5.3. Taking into account the nature of the processing and the information available to it, the contractor shall assist the client in complying with the obligations set out in Art. 32 to 36 GDPR. The contractor may demand reasonable remuneration from the client for this assistance.
5.4. The contractor warrants that the employees involved in processing the client's data, and other persons acting on behalf of the contractor, are prohibited from processing the data contrary to instructions. The contractor further warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy. The same applies to the secrecy of telecommunications under § 88 TKG and, with knowledge of the criminal liability, to professional secrecy under § 203 StGB. The obligation of confidentiality/secrecy continues after completion of the order.
5.5. The contractor shall inform the client without delay if it becomes aware of a breach of the protection of the client's personal data. The contractor shall take the measures necessary to secure the data and to mitigate possible adverse consequences for the data subjects.
5.6. The contractor warrants that it has appointed in writing a data protection officer who performs his or her duties in accordance with Art. 38 and 39 GDPR. Contact details are published on the contractor's website.
5.7. After completion of the processing services, the contractor will, at the client's choice, either delete or return the personal data, unless Union or member state law requires retention of the personal data or contractual arrangements provide otherwise. If the client does not exercise this choice, deletion is deemed agreed. If the client chooses return of the data, the contractor may demand reasonable remuneration.
5.8. If a data subject asserts claims for damages under Art. 82 GDPR, the contractor shall support the client in defending the claims within the scope of its possibilities. The contractor may demand reasonable remuneration for this.

6. Obligations of the client
6.1. The client must inform the contractor immediately and completely if it identifies errors or irregularities with regard to data protection law in the performance of the order.
6.2. In the event of termination, the client undertakes to delete the personal data it has stored in the services before the contract ends.
6.3. At the request of the contractor, the client shall name a contact person for data protection matters.

7. Measures for the security of processing pursuant to Art. 32 GDPR
7.1. The contractor shall take appropriate technical and organizational measures within its area of responsibility to ensure that processing is carried out in accordance with the requirements of the GDPR and that the rights and freedoms of data subjects are protected. In accordance with Art. 32 GDPR, the contractor shall take appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
7.2. The current technical and organizational measures are listed in Annex 2.
7.3. The contractor operates a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing in accordance with Art. 32 (1) d) GDPR.
7.4. The contractor will adapt the measures over time to developments in the state of the art and in the risk situation. The contractor reserves the right to change the technical and organizational measures, provided that the level of protection required by Art. 32 GDPR is not undercut.

8. Verification and audits
8.1. The contractor shall provide the client with all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the client or by another auditor mandated by the client. The contractor may require a confidentiality declaration from the client and from the auditor it mandates. The contractor agrees to the appointment of an independent external auditor by the client provided that the client gives the contractor a copy of the audit report. The contractor may reject as auditor any competitor of the contractor or any person working for such a competitor.
8.2. As evidence of compliance with the obligations set out in Art. 28 GDPR, the contractor has obtained ISO 27001 certification. The current certificate is made available by the contractor on its website.
8.3. The client's right of inspection serves to verify compliance with the obligations incumbent on a processor under the GDPR and under this agreement. Proof of compliance with these obligations is provided by the certification referred to in the previous paragraph. Insofar as the client, on the basis of factual indications, asserts legitimate doubts that this certification is sufficient or correct, or if particular incidents within the meaning of Art. 33 (1) GDPR in connection with the performance of the commissioned processing justify it, the client may carry out on-site inspections. These are carried out during normal business hours, without disrupting operations, after prior notice and with a reasonable lead time.
8.4. The contractor may demand reasonable remuneration for information and assistance. The effort imposed on the contractor by an inspection is limited to one day per calendar year.
8.5. If a data protection supervisory authority or another state or church supervisory authority of the client carries out an inspection, the above rules apply accordingly. A confidentiality declaration is not required if the supervisory authority is bound by a professional or statutory duty of secrecy whose breach is punishable under the Criminal Code.

9. Subcontractors (other processors)
9.1. The client grants the contractor general authorization to engage other processors within the meaning of Art. 28 GDPR for the fulfilment of the contract.
9.2. The other processors currently engaged are listed in Annex 1. The client agrees to their engagement.
9.3. The contractor shall inform the client of any intended addition or replacement of other processors. The client may object to such changes.
9.4. An objection to the intended change may be raised against the contractor only for a material data protection reason and within a reasonable time after receipt of the information about the change. In the event of an objection, the contractor may choose either to provide the service without the intended change or, if providing the service without the intended change is not reasonable for the contractor, to terminate the service affected by the change with respect to the client within a reasonable time after receipt of the objection.
9.5. If the contractor engages other processors, it is the contractor's responsibility to impose its data protection obligations under this agreement on the other processor.
9.6. Other processors within the meaning of this clause are only those subcontractors that provide services directly related to the provision of the main service. It does not cover ancillary services such as telecommunications, printing/postal/transport services, maintenance and servicing, user support, the disposal of data media, or other measures to ensure the confidentiality, availability, integrity and resilience of personal data, networks, services, data processing systems and other IT systems. To ensure data protection and data security with respect to the client's data, however, the contractor is obliged to conclude appropriate and legally compliant contractual agreements and to implement control measures for such ancillary services.

10. Liability and damages
10.1. If a data subject asserts a claim for damages under Art. 82 GDPR, the parties undertake to support each other and to contribute to clarifying the underlying facts.
10.2. The liability provisions agreed between the parties in the main contract for the provision of services also apply to claims arising from this data processing agreement and, in the internal relationship between the parties, to claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.

11. Contract period, other
11.1. The agreement begins upon conclusion by the client. It ends with the end of the last contract under the above-mentioned customer number. If commissioned processing still takes place after termination of this agreement, its provisions continue to apply until the actual end of the processing.
11.2. STRATO may amend the agreement at its reasonable discretion with reasonable notice. Clause 1.4 of the Terms and Conditions applies.
11.3. In addition, the contractor's terms and conditions, available at https://www.strato.de/agb/, apply. In the event of conflict, the provisions of this data processing agreement take precedence over the provisions of the main contract. Should individual parts of this agreement be invalid, the validity of the remaining provisions is not affected.
11.4. The exclusive place of jurisdiction for all disputes arising from or in connection with this agreement is Berlin. Any exclusive statutory place of jurisdiction remains unaffected. This agreement is governed by the law of the Federal Republic of Germany.
11.5. If the client's data are endangered by attachment or seizure, by insolvency or composition proceedings, or by other events or measures of third parties, the contractor shall inform the client without delay. The contractor shall inform all persons responsible in this connection without delay that sovereignty over and ownership of the data lie exclusively with the client as "controller" within the meaning of the GDPR.


Annex 1 to the order processing agreement - Approved subcontractors / other processors
As of 2018-03-21

Subcontractor          | Country | Address                                | Short description of the service
-----------------------|---------|----------------------------------------|-------------------------------------------------------------------
Content Management AG  | Germany | Im Medienpark 6, 50670 Cologne         | Development, maintenance and support of the modular website builder
ePages GmbH            | Germany | Pilatuspool 2, 20355 Hamburg           | Development, maintenance and support of the webshops
Open-Xchange GmbH      | Germany | Martinstraße 41, 57462 Olpe            | Development, maintenance and support of the communicator
1&1 Internet SE        | Germany | Elgendorfer Straße 7, 56410 Montabaur  | Development and operation of STRATO Online Accounting
Seven IT GmbH          | Germany | Hauptstraße 40, 77652 Offenburg        | Operation and support of STRATO Online Accounting


Annex 2 to the order processing agreement - Technical and organizational security measures pursuant to Art. 32 GDPR
Version 1.0

1. Confidentiality (Art. 32 (1) b) GDPR)
 1.1 Physical access control (Zutrittskontrolle)
Unauthorized persons must be denied physical access to rooms containing data processing equipment.
• Definition of security areas
• Implementation of effective access protection
• Logging of physical access
• Definition of persons with access rights
• Management of personal access authorizations
• Escorting of external personnel
• Monitoring of the rooms

 1.2 System access control (Zugangskontrolle)
Use of data processing systems by unauthorized persons must be prevented.
• Definition of protection requirements
• Access protection
• Implementation of secure logon procedures, strong authentication
• Implementation of simple authentication via username and password
• Logging of logons
• Monitoring of critical IT systems
• Secure (encrypted) transmission of authentication secrets
• Blocking on deactivation and inactivity, and a defined process for resetting blocked access
• Storage of passwords and form input by browsers/clients disabled (server and clients)
• Designation of authorized persons
• Management and documentation of personal authentication media and access permissions
• Automatic and manual account locking

 1.3 Data access control (Zugriffskontrolle)
Only the data for which access has been authorized can be accessed. Data cannot be read, copied, altered or removed without authorization during processing, use and after storage.
• Creation of an authorization concept
• Implementation of access restrictions
• Assignment of minimal authorizations (least privilege)
• Administration and documentation of personal access rights
• Avoidance of concentration of functions

 1.4 Separation control (Trennungskontrolle)
It must be ensured that data collected for different purposes can be processed separately.
• Data minimisation in the handling of personal data
• Separate processing of different data sets
• Regular review of use, and deletion
• Separation of test, development and production environments

 1.5 Privacy by default
• Where data is not required to achieve the intended purpose, the technical default settings are configured so that such data is only collected, processed, passed on or published as a result of an action by the data subject.

2. Integrity (Art. 32 (1) b) GDPR)
 2.1 Transfer control
The aim of transfer control is to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and establish to which recipients personal data is intended to be transmitted by means of data transfer facilities.
• Definition of receiving / transmitting entities and persons
• Examination of the lawfulness of transfers abroad
• Logging of transmissions according to the logging concept
• Secure data transfer between server and client
• Protection of transmissions in the backend
• Secure transmission to external systems
• Risk minimization through network segmentation
• Implementation of security gateways at network transfer points
• Hardening of the backend systems
• Documentation of the interfaces
• Implementation of machine-to-machine authentication
• Secure storage of data, including backups
• Secure storage on mobile media
• Introduction of a data-carrier management process
• Process for collection and disposal of data carriers
• Privacy-compliant deletion and destruction procedures
• Management of deletion logs

 2.2 Input control
The purpose of input control is to ensure that it can subsequently be verified and established whether and by whom personal data has been entered into, changed in or removed from data processing systems.
• Logging of inputs
• Documentation of input authorizations

3. Availability, resilience, disaster recovery
 3.1 Availability and resilience (Art. 32 (1) b) GDPR)
• Fire protection
• Redundancy of the primary technology
• Redundancy of the power supply
• Redundancy of the communication links
• Monitoring
• Resource planning and provisioning
• Defence against system abuse
• Data backup concepts and their implementation
• Regular testing of emergency facilities

 3.2 Disaster recovery - rapid restoration after an incident (Art. 32 (1) c) GDPR)
• Emergency plan
• Data backup concepts and their implementation

4. Data protection organization
• Definition of responsibilities
• Implementation and control of suitable processes
• Reporting and approval processes
• Implementation of training measures
• Commitment to confidentiality
• Rules for the internal allocation of tasks
• Consideration of separation of functions and assignment of duties
• Introduction of a suitable deputy arrangement

5. Processor control (Auftragskontrolle)
The purpose of processor control is to ensure that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.
• Selection of other processors offering sufficient guarantees
• Conclusion of a data processing agreement with other processors
• Conclusion of a data processing agreement with STRATO

6. Procedure for regular review, assessment and evaluation (Art. 32 (1) d) GDPR, Art. 25 (1) GDPR)
• Information security management in accordance with ISO 27001
• Process for evaluating the technical and organizational measures
• Security incident management process
• Performance of technical reviews