We are very pleased about your interest in our products offered in the UMCH Shop.
We take the protection of your personal data very seriously and operate our systems in accordance with the respective rules and laws on data protection and data security. With this declaration on data protection we want to underline our commitment to protecting your privacy.
In accordance with Article 13 of the General Data Protection Regulation (hereinafter referred to as “GDPR”), this data protection declaration informs you about the nature, scope and purpose of the processing of your personal data by CPE Europe GmbH.
In the following, you will be informed which information we may collect and how we handle it.
I. Terms
Our data protection declaration is based on the terms used by the European legislature when the GDPR was issued. Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To this end, we would first like to explain the terms used.
- Personal data
Personal data within the meaning of Article 4 No. 1 GDPR is any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Pseudonymization
Pseudonymization is understood as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Controller
Controller within the meaning of GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor
Processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Recipient
The recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The recipients of the personal data that we collect from you when you use our website are generally located in a member state of the European Union. Disclosure to recipients located in third countries will only take place in the cases expressly stated in this policy.
- Third party
According to the GDPR, a third party is defined as a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Consent
Consent is defined as any freely given specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
II. Name and address of the Controller
The responsible body in terms of the GDPR and other national data protection laws of the member states as well as other data protection regulations is:
CPE Europe GmbH
Albert Einstein Ring 11-15
22761 Hamburg
Germany
represented by the managing director Dipl.-Kfm. Matthias Musmann
Email: info@edu.umch.de
Tel.: +49 (0) 40-209348500
Fax: +49 (0) 40-209348509
III. Data protection officer
We have appointed an external data protection officer for our company. He can be reached at the following contact details:
CPE Europe GmbH
Der Datenschutzbeauftragte
Albert Einstein Ring 11-15
22761 Hamburg
email: mail@planit.legal
IV. General information about data processing
- Scope of data processing
We collect and use personal data of our users only to the extent necessary to provide a functional website and to conclude, implement or terminate a contract for the purchase of goods via the UMCH Shop.
- Data erasure and storage duration
Your personal data will be erased or blocked as soon as the purpose for which it was stored no longer applies. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU ordinances, laws, or other regulations to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the above-mentioned standards expires unless further storage of the data is necessary for the conclusion or fulfilment of a contract.
- Provision of personal data statutorily or contractually required; necessary requirement to enter into a contract; obligation of the data subject to provide the personal data; possible consequences of failure to provide such data
We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual regulations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded that a data subject provides us with personal data, which must subsequently be processed by us. For example, the person concerned is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the person concerned could not be concluded. Before the person concerned makes personal data available, the person concerned must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data were not provided.
- No existence of automated decision making
Automated decision-making including profiling is expressly waived.
V. Accessing our website and creating log files
When you visit our website https://shop.edu.umch.de/, the browser used on your end device automatically sends information to the server of our website and temporarily stores it in a so-called log file. We have no influence on this. The following information is also recorded without your intervention and stored until it is automatically deleted:
- the IP address of the requesting internet-enabled device (whereby the last two digits of the IP address are shortened, e.g. IP 11.22.33.44 then becomes 11.22.0.0),
- the date and time of access,
- the name and URL of the retrieved file,
- the website/application from which the access was made (referrer URL),
- the browser you use, and
- if applicable, the operating system of your internet-enabled computer and the name of your access provider.
The legal basis for the temporary storage of data and the creation of log files is Article 6 paragraph 1, subparagraph 1 letter f GDPR.
Our legitimate interest is based on the following list of data collection purposes:
- Guarantee of a smooth connection establishment,
- ensuring a comfortable use of our website/application,
- evaluation of system security and stability.
To achieve these purposes the data will be forwarded to our web provider ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, D-02742 Friedersdorf. This also takes place based on Article 6 paragraph 1, subparagraph 1 letter f GDPR.
The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The data is stored for 90 days in the log files of our system. Backups are kept for a maximum of 61 days.
VI. Conclusion, performance, or termination of a contract
For the conclusion, performance or termination of a contract for the purchase of goods through our online store, we collect, process and use personal data only to the extent that they are necessary for the establishment, content or modification of the legal relationship.
We process the following data for the conclusion, performance, or termination of a contract with you:
- first name, last name
- invoice and delivery address
- e-mail address
- invoice and payment data, if applicable
- date of birth, if applicable
- phone number if necessary
The legal basis for this is Article 6 paragraph 1, subparagraph 1 letter b GDPR.
We are also obliged to process your e-mail address due to the requirement of the German Civil Code (BGB) to send an electronic order confirmation (cf. sect. 312i para. 1 no. 3 BGB). This constitutes a legal obligation within the meaning of Article 6 paragraph 1, subparagraph 1 letter c GDPR.
We store the data collected for the processing of the contract until the expiry of the statutory or possible contractual warranty and guarantee rights. After this period, we retain the information of the contractual relationship required under commercial and tax law for the legally specified periods on the basis of Article 6 paragraph 1 subparagraph 1 letter c GDPR in a blocked form. For this period (usually six or ten years after the end of the year in which the contract was concluded), the data will be reprocessed solely in the event of a review by the tax authorities.
VII. Transmission of your data to third parties for processing purposes
We only transfer personal data to third parties if this is necessary for the execution of the contract, for example to the companies entrusted with the delivery of the goods or the credit institution commissioned with the handling of payments. A further transmission of the data is not carried out or only if you have expressly agreed to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes.
The basis for data processing is Article 6 paragraph 1, subparagraph 1 letter b GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.
- PayPal
If you use the payment method “PayPal”, we pass on the following data to the payment service provider. PayPal allows online payments to be made to third parties. The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
If you choose PayPal as your payment method, your data required for the payment process will be automatically transmitted to PayPal. This regularly involves the following data:
- first and last name
- invoice address
- delivery address
- (company if applicable)
- e-mail address
- phone and mobile number
- IP address
The data transmitted to PayPal may be transmitted by PayPal to credit reporting agencies. The purpose of this transmission is to check identity and creditworthiness. PayPal may also pass on your data to third parties if this is necessary for the fulfilment of contractual obligations or if the data is to be processed on behalf of an order. You can view PayPal’s privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
- Mollie
All other payment options (SEPA direct mandate, credit card, giropay) are handled by the payment service provider “Mollie” (Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands).
Except for the IP address, the amount of the fee and our name, we do not forward any other user data to Mollie. The user must enter the other data necessary for the payment transaction directly on Mollie’s web pages. We have no access to this input.
You can view Mollie’s privacy policy at https://www.mollie.com/de/privacy.
- Logistics companies
If you opt for delivery of the goods during the ordering process, we will pass on information about your delivery address to a logistics company commissioned by us for the purpose of processing the sales contract.
If you agree, we will transmit your e-mail address and, if necessary, your telephone number to the logistics company we have commissioned to ensure that the goods can be delivered according to your wishes. The data will be transmitted solely for this purpose and deleted after delivery.
- SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as order or payment data that you send to us in our function as the store operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.
- Data protection and third-party websites
The website may contain hyperlinks to and from third-party websites. If you follow a hyperlink to one of these websites, please note that we cannot accept any responsibility or guarantee for third-party content or data protection conditions. Please check the applicable data protection conditions before you submit personal data to these websites.
VIII. Use of cookies and analysis programs
When you visit our website, your browsing behavior can be statistically evaluated. This is mainly done with cookies and with so-called analysis programs. The analysis of your browsing behavior is usually anonymous; the browsing behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools.
- General information
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.
The purpose of using technically necessary cookies is to simplify the use of websites for users, in particular to store the user’s preference for a language or to use the shopping cart function of the online store. There is also a cookie that is used when the user logs in but is deleted as soon as the user disconnects. We do not use tracking cookies outside of Google Analytics.
Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping basket function) are stored on the basis of Article 6 paragraph 1 subparagraph 1 letter f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of his services.
Cookies are stored on the user’s computer and transmitted by the user to our site. Therefore, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, however, it may not be possible to use all the functions of the website to their full extent.
- Google Analytics
If you have given your consent, this website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Scope of processing
Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by means of the cookies about your use of this website is usually transferred to a Google server in the USA and stored.
We use the function ‘anonymizeIP’ (so-called IP masking): Due to the activation of IP anonymization on this website, your IP address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the scope of Google Analytics is not merged with other data from Google.
During your visit to our website, the following data, among others, is collected:
- the pages you visit, your “click path”
- achievement of “website goals” (conversions, e.g. newsletter registrations, downloads, purchases)
- your user behavior (for example clicks, dwell time, bounce rates)
- your approximate location (region)
- your IP address (in abbreviated form)
- technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
- your internet provider
- the referrer URL (via which website/advertising medium you came to this website)
Purposes of processing
On behalf of the responsible party, Google will use this information to evaluate your (pseudonymous) use of the website and to compile reports on website activities. The reports provided by Google Analytics serve to analyze the performance of our website.
Recipient
The recipient of the data is
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
as a processor. For this purpose, we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google.
Transfer to third countries
A transfer of data to the USA cannot be excluded.
Duration of storage
The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.
You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address), and from processing this data, by
- not giving your consent to the setting of the cookie or
- downloading and installing the browser add-on for deactivating Google Analytics at: https://tools.google.com/dlpage/gaoptout?hl=de
You can also prevent the storage of cookies by adjusting your browser software accordingly. However, if you configure your browser to refuse all cookies, this may result in a limitation of functionality on this and other websites.
Legal basis and right of withdrawal
The legal basis for this data processing is your consent, Article 6 paragraph 1, subparagraph 1 letter a GDPR.
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there [go to the home page for this purpose (you can also access the home page by clicking on the UMCH Store logo in the upper area of the page) and click on the button “Privacy & Cookie Policy” at the bottom right].
For more information about Google Analytics’ terms of use and Google’s privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/?hl=de.
- Google Fonts
We use Google Fonts from the company Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) on our website. Google Fonts is used without authentication and no cookies are sent to the Google Fonts API. If you have an account with Google, none of your Google account information is submitted to Google while using Google Fonts. Google only records the use of CSS and the fonts used and stores this information securely. You can find more information about these and other questions at https://developers.google.com/fonts/faq?tid=231549378384.
You can find out which data is collected by Google and what this data is used for at https://www.google.com/intl/de/policies/privacy/.
The legal basis for the processing of users’ personal data is Article 6 paragraph 1 subparagraph 1 letter f GDPR.
The use of Google fonts enables a visually improved presentation of our online presence.
The data is erased as soon as it is no longer needed for recording purposes.
You can set your browser so that the fonts are not loaded from the Google servers (e.g. by installing add-ons like NoScript or Ghostery for Firefox). If your browser does not support the Google Fonts or if you prevent access to the Google servers, the text will be displayed in the default font of the system.
For information about Google Webfonts’ privacy policy, please visit: https://developers.google.com/fonts/faqPrivacy
IX. Rights of data subjects
As a data subject within the meaning of Article 4 No. 1 GDPR, you are entitled to the following rights against the controller:
- Right of access by the data subject
You have the right to obtain from the data controller confirmation as to whether personal data concerning you are being processed. If such processing has taken place, you may request information from the data controller on the following:
- Purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- where the personal data are not collected from the data subject, any available information as to their source,
- the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You also have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
A copy of the personal data undergoing processing is provided by the controller free of charge. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs.
- Right of rectification
You have the right to ask the data controller to correct and/or complete the data if the personal data processed concerning you is incorrect or incomplete. The data controller must make the correction without undue delay.
- Right to erasure (“right to be forgotten”)
As a data subject, you have the right to obtain from the data controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6 paragraph 1, or point (a) of Article 9 paragraph 2 GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 paragraph 2 GDPR.
- The personal data were processed unlawfully.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
Should one of the above reasons apply and you wish to have personal data stored by us deleted, you can contact the controller at any time. He will carry out the erasure process without undue delay. If the data controller has made the personal data concerning you public and is obliged to erase them pursuant to Article 17 paragraph 1 GDPR, he shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The aforementioned right to erasure shall not apply if the processing of personal data concerning you is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 paragraph 2 as well as Article 9 paragraph 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1 GDPR in so far as the aforementioned right is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the establishment, exercise or defence of legal claims.
- Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
- if you have objected to processing pursuant to Article 21 paragraph 1 GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If the processing of personal data relating to you has been restricted, such personal data, with the exception of storage, shall be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of the processing, you will be informed by the controller before the restriction of processing is lifted.
- Obligation to notify recipients
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You may request the controller to inform you about those recipients.
- Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on a consent pursuant to Article 6 paragraph 1, subparagraph 1 letter a GDPR or Article 9 paragraph 2 letter a GDPR or on a contract pursuant to Article 6 paragraph 1, subparagraph 1 letter b GDPR and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, as far as this is technically feasible. This right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6 paragraph 1 subparagraph 1 letter e) or f) GDPR including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. This also applies to profiling, insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
In addition, you have the right to object to processing of your personal data which is carried out for purposes of scientific or historical research or for statistical purposes in accordance with Article 89 paragraph 1 GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Withdrawal of consent
You have the right to withdraw your consent to processing your data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right of appeal to the competent supervisory authority
If you are of the opinion that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority in matters of data protection law is the State Data Protection Commissioner of the federal state in which our company is based.
The supervisory authority of the Free and Hanseatic City of Hamburg is “Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit der Freien und Hansestadt Hamburg – Körperschaft des öffentlichen Rechts”.
X. Changes to this privacy policy
We reserve the right to change this privacy policy at any time with effect for the future. A current version is available on the website. Please visit the website regularly and inform yourself about the applicable data protection regulations.
Status: November 2020