The Data We Collect About You
Personal data, or personal information, means any information about an individual (eg. you) from which that person (in that example that should be you) can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:
-
Identity Data - click on it to open includes first name, last name, username or similar identifier, title.
Definition Identity Data
- First and Last Names: These are obvious identifiers and are often part of an individual’s profile.
- Username or Similar Identifier: Any unique identifier used for account access or communication.
- Title: This includes honorifics such as “Mr.,” “Mrs.,” or professional titles like “Dr.”
Data Collection and Purpose
We collect and process Identity Data for specific purposes:
- Account creation and management
- Communication with users
- Personalization of services
Legal Basis
Our legal basis for processing Identity Data includes:
- Consent: Users provide consent during registration.
- Contractual Necessity: Processing is necessary for service delivery.
- Legitimate Interest: We process data to enhance user experience.
-
Contact Data - click on it to open includes billing address, delivery address, email address, and telephone numbers.
Definition of Contact Data
- Billing Address: The address used for invoicing and financial transactions.
- Delivery Address: The address where goods or services are physically delivered.
- Email Address: A unique identifier for electronic communication.
- Telephone Numbers: Contact numbers for voice communication.
Data Collection and Purpose
We collect and process Contact Data for the following purposes:
- Billing and Invoicing: To facilitate financial transactions.
- Delivery: To ensure accurate delivery of goods or services.
- Communication: For correspondence via email or telephone.
Legal Basis
Our legal basis for processing Contact Data includes:
- Contractual Necessity: Processing is necessary for fulfilling agreements.
- Legitimate Interest: We process data to provide efficient services.
-
Financial Data - click on it to open includes bank account and payment card details.
Based on German privacy protection laws, “Financial Data” refers to sensitive information related to financial transactions and accounts. Specifically, it includes details such as bank account numbers, payment card information (like credit or debit card numbers), and other financial identifiers.
Collection and Use of Financial Data
- We collect and process financial data solely for the purpose of providing our services and fulfilling contractual obligations. This includes processing payments, managing accounts, and ensuring the security of financial transactions.
- Financial data collected may include bank account numbers, payment card details, and related information.
Legal Basis for Processing
- Our legal basis for processing financial data is primarily based on contractual necessity (e.g., to process payments) and compliance with legal obligations.
- We do not use financial data for any other purposes without explicit consent.
-
Transaction Data - click on it to open includes details about payments to and from you and other details of products and services you have purchased from us.
Based on German privacy protection laws, “Transaction Data” refers to information related to financial transactions, including payments made to and from an individual. This encompasses details about purchases, sales, invoices, receipts, and any other monetary exchanges. Specifically, it includes data such as:
Payment Details:
- Information about the payment method used (e.g., credit card, bank transfer, PayPal).
- Transaction amounts.
- Dates and times of transactions.
- Parties involved (sender and recipient).
Product and Service Details:
- Descriptions of the products or services purchased.
- Quantity, price, and any applicable taxes.
- Order numbers or references.
Personal Identifiers:
- Names of individuals involved in the transaction.
- Addresses (billing and shipping).
- Email addresses or other contact information.
Financial Institutions:
- Bank account numbers.
- IBANs (International Bank Account Numbers).
- BICs (Bank Identifier Codes).
-
Technical Data - click on it to open includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Based on German privacy protection laws, “Technical Data” encompasses various information related to the technology and systems used to access a website. Here are the key components covered under this category:
Internet Protocol (IP) Address:
- The unique numerical address assigned to your device when connecting to the internet.
- Used for routing data packets and identifying network devices.
Login Data:
- Details related to user authentication, such as login credentials (username/password).
- Timestamps of login events.
Browser Information:
- Browser type (e.g., Chrome, Firefox, Safari).
- Browser version (e.g., Chrome 98, Firefox 100).
- Time zone settings and location (based on browser settings).
Browser Plug-ins:
- Information about installed browser extensions or add-ons.
- Versions of these plug-ins.
Operating System and Platform:
- The type of operating system (e.g., Windows, macOS, Linux).
- Specific version (e.g., Windows 10, macOS Monterey).
- Device platform (e.g., desktop, mobile, tablet).
Other Technology Details:
- Any additional technical information relevant to accessing the website.
- Examples include screen resolution, device identifiers, and language settings.
-
Profile Data - click on it to open includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
Based on German privacy protection laws, “Profile information” refers to personal data that can identify an individual. This includes details such as first and last names, email addresses, location data, and online identifiers
Data Collection and Purpose
We collect and process profile information for the following purposes:
- Account management
- Communication with users
- Service delivery
Legal Basis
Our legal basis for processing profile information includes:
- Consent: Users provide consent during registration.
- Contractual Necessity: Processing is necessary to fulfill our services.
- Legitimate Interest: We process data to improve user experience.
-
Usage Data - click on it to open includes information about how you use our website, products, and services.
Based on German privacy protection laws, “Usage Data” refers to information related to how individuals interact with a website, products, or services. Here are the key components covered under this category:
Website Usage Data:
- Internet Protocol (IP) Address: The unique numerical address assigned to a user’s device when accessing the website.
- Browsing Behavior: Details about pages visited, time spent on each page, and interactions (clicks, form submissions).
- Referral Sources: Where the user came from (e.g., search engines, social media, direct link).
- Device Information: Browser type, version, operating system, and platform.
Product and Service Usage Data:
- Feature Usage: Which features or functionalities of the product or service were utilized.
- Frequency: How often the product or service was accessed.
- Duration: Time spent using the product or service.
- Errors or Issues: Any encountered errors, crashes, or issues.
Consent and Preferences:
- Cookie Consent: Whether the user has provided consent for cookies or similar tracking technologies.
- Opt-In/Opt-Out Choices: Preferences related to data collection, personalized content, and marketing communications.
Analytics and Monitoring:
- Analytics Tools: Use of tools like Google Analytics to track user behavior.
- Performance Metrics: Metrics related to website speed, responsiveness, and availability.
-
Marketing and Communications Data - click on it to open includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Based on German privacy protection laws, “Marketing and Communications Data” encompasses information related to an individual’s preferences regarding marketing communications. “Messages” or “conversation content” refers to any communication exchanged between individuals, whether written, spoken, or transmitted electronically. This includes emails, chat messages, voice calls, and other forms of communication. Here are the key components covered under this category:
Consent for Marketing:
- Whether the individual has explicitly consented to receive marketing materials from your organization.
- Specific channels (email, SMS, phone calls) for which consent was given.
- Opt-in preferences for third-party marketing.
Communication Preferences:
- How the individual prefers to be contacted (e.g., email, postal mail, phone).
- Frequency preferences (e.g., weekly newsletters, monthly updates).
- Opt-out preferences (ability to unsubscribe or modify preferences).
Third-Party Marketing:
- Whether the individual allows their data to be shared with third parties for marketing purposes.
- Details about third-party marketing partners and their purposes.
Legal Basis for Processing
Our legal basis for processing communication data is typically one of the following:
- Consent: When users explicitly agree to share their data during interactions.
- Contractual Necessity: To fulfill our contractual obligations (e.g., responding to inquiries, providing support).
- Legitimate Interests: For legitimate business purposes (e.g., improving our services).
Data Security
- We implement robust security measures to protect your financial data from unauthorized access, loss, or misuse.
- Our systems comply with industry standards and legal requirements.
Contact Information
- If you have any questions or wish to exercise your rights, please contact our Data Protection Officer (DPO) at data-protection@mboss.us.
How Is Your Personal Data Collected
We use different methods to collect data from and about you including through:
-
Direct Interactions - click on it to open
We collect Personal Data from the following sources:
From You. You may give us your Account Information, Payment Information, Financial Information, Demographic Data, Purchase Information, Content, Feedback, Product Information, by filling in forms, using our products or services, entering information online or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide, for example:- Account Registration/ Subscription: When you create an account on our websites or apps, apply for our products or services, use our products or services, create content through our products or services, express interest in our products or services, download software and/ or our mobile application, request marketing to be sent to you, subscribe to our services or publications, you provide data such as your name, email address, physical address, phone number and payment method.
- Purchases: When you make a purchase, we collect information about what you bought, how much you spent, and your payment method.
- Customer Service: If you contact customer service, we may keep a record of the interaction to help solve any issues you might be experiencing.
- Surveys and Feedback: We collect data directly from you through competition, promotion, surveys and feedback forms.
- Social Media, Platforms or Marketplaces: If you contact us on third services we may not be able to delete every visible thread, reply and/ or message. Same is guilty when you log in to our website via a third service.
-
Automated Technologies or Interactions - click on it to open
Automated technologies or interactions: As you interact with our website, we may automatically collect the following types of data (all as described above): Device Data about your equipment, Usage Data about your browsing actions and patterns, and Contact Data where tasks carried out via our website remain uncompleted, such as incomplete orders or abandoned baskets. We collect this data by using cookies, server logs and other similar technologies. Please see our Cookie section (below) for further details.
We collect this personal data by using cookies, server logs, and other similar technologies, such as:
Device and Usage Data
Cookies are small files placed on your device that track your activity and preferences. Information in this file is typically shared with the owner of the site in addition to potential partners and third parties to that business. The collection of this information may be used in the function of the site and/or to improve your experience. They help merchants understand how you interact with their website.
We do not use cookies.
When you visit a
MBOSS.US website and/or mobile application, we automatically collect and store information about your visit using browser cookies (files which are sent by us to your computer), or similar technology. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. The Help Feature on most browsers will provide information on how to accept cookies, disable cookies or to notify you when receiving a new cookie. If you do not accept cookies, you may not be able to use some features of our Service and we recommend that you leave them turned on.Server Logs
These track details about your browser type, IP address, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website.
- Web Beacons: These are electronic files used to record information about how you navigate the website.
- Digital Fingerprinting: This is a technique used to identify individual devices based on the device’s unique configuration.
- Analytics Tools: Google Analytics or similar tools can be used to gather statistical data about website usage.
-
Third parties - click on it to open
We may receive your Personal Data from third parties such as companies subscribing to MBOSS.US services, partners and other sources. This Personal Data is not collected by us but by a third party and is subject to the relevant third party’s own separate privacy and data collection policies. We do not have any control or input on how your Personal Data is handled by third parties. As always, you have the right to review and rectify this information. If you have any questions you should first contact the relevant third party for further information about your Personal Data. Where that third party is unresponsive to your rights, you may contact the Data Protection Officer at MBOSS.US e.K. (contact details below).
Our websites and services may contain links to other websites, applications and services maintained by third parties. The information practices of such other services, or of social media networks that host our branded social media pages, are governed by third parties’ privacy statements, which you should review to better understand those third parties’ privacy practices.Such Personal Data from third parties could be for example:
- Account Information and Payment Information from another individual when they purchase a gift for you on our website;
- Device and Usage Data from third parties, including analytics providers such as Google;
- Account Information and Payment Data from social media platforms when you log in to our website using such social media platforms;
- Content from communication services, including email providers and social networks, when you give us permission to access your data on such third-party services or networks;
- Account Information and Payment Data from third parties, including organizations (such as law enforcement agencies), associations and groups, who share data for the purposes of fraud prevention and detection and credit risk reduction; and
- Account Information, Payment Data, and Financial Data from providers of technical, payment and delivery services.
Sharing and Disclosure: We will share your Personal Data with third parties only in the ways set out in this Policy or set out at the point when the Personal Data is collected.
Legal Requirement: We may use or disclose your Personal Data in order to comply with a legal obligation, in connection with a request from a public or government authority, or in connection with court or tribunal proceedings, to prevent loss of life or injury, or to protect our rights or property. Where possible and practical to do so, we will tell you in advance of such disclosure.
Third Party Tools: We use these third party tools to store your information:
- Shopify: Our online store is powered by Shopify. You can read more about how Shopify uses your Personal Data here: https://www.shopify.com/legal/privacy
- International Data Transfer and Storage: Where possible, we store and process data on servers within the general geographical region where you reside (note: this may not be within the country in which you reside). Your Personal Data may also be transferred to, and maintained on, servers residing outside of your state, province, country or other governmental jurisdiction where the data laws may differ from those in your jurisdiction. We will take appropriate steps to ensure that your Personal Data is treated securely and in accordance with this Policy as well as applicable data protection law. More information about these clauses can be found here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32021D0914
- Service Providers and Other Third Parties: We may use a third party service provider, independent contractors, agencies, or consultants to deliver and help us improve our products and services. We may share your Personal Data with marketing agencies, database service providers, backup and disaster recovery service providers, email service providers and others but only to maintain and improve our products and services. For further information on the recipients of your Personal Data, please contact us by using the information in the "Contacting us" section below.
Purpose and Legal Basis: for the Processing of Personal Data
We collect and use your Personal Data with your consent to provide, maintain, and develop our products and services and understand how to improve them.
Where we process your Personal Data to provide a product or service, we do so because it is necessary to perform contractual obligations. All of the above processing is necessary in our legitimate interests to provide products and services and to maintain our relationship with you and to protect our business for example against fraud. Consent will be required to initiate services with you. New consent will be required if any changes are made to the type of data collected. Within our contract, if you fail to provide consent, some services may not be available to you.
Data relating to other individuals: If you provide us, or our service providers, with any Personal Data relating to other individuals, you represent that you have the authority to do so and acknowledge that it will be used in accordance with this Policy. If you believe that your Personal Data has been provided to us improperly, or to otherwise exercise your rights relating to your Personal Data, please contact us by using the information set out in the "Contact us" section below.
How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3. DATE SECURITY AND LEGAL RIGHTS
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
-
Our General Data Protection Guidelines (GDPR) - click on it to open
- Consent: We explicit ask for your consent before collecting your personal data. You give the consent freely, specific, informed, and unambiguous.
- Data Minimization: We only collect data if it is necessary for realizing and optimizing our offered indiviualized products and services for you.
- Transparency: You have the right to be informed about how your data is being used, who it is being shared with, where it is being stored, and how long we will keep it.
- Right to Access: You have the right to access you personal data and to know how it is being processed.
- Right to Rectification: You have the right to have inaccurate personal data corrected or completed if it is incomplete.
- Right to Erasure (Right to be Forgotten): In certain circumstances, you can request the deletion or removal of personal data.
- Data Portability: You can obtain and reuse you personal data for your own purposes across different services.
- Data Protection Officers: We have appointed a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance.
- Breach Notification: In the event of a data breach, we are required to notify the appropriate supervisory authority and potentially if you are affected also you within 72 hours of becoming aware of the breach.
-
Our data breach response plan - click on it to open
- We Review Risks and Potential Vulnerabilities: Understand the specific risks and vulnerabilities in your business data. This includes identifying the types of data you hold, where it’s stored, and how it’s protected.
- We Establish a Response Team: Assemble a team responsible for responding to a data breach. This team should include members from different departments such as IT, legal, public relations, and human resources.
- We Implement Tools, Services, and Policies: Use appropriate security tools and services to protect your data. Also, establish policies for data access, storage, and transfer.
- Define Workflows for Identification, Containment, and Eradication: Develop procedures for identifying a breach, containing it, and eradicating the threat.
- We Outline a Communication Plan: Prepare a plan for communicating the breach to stakeholders, including employees, customers, and regulatory bodies.
- We Review Data Breach Response Plan Execution: Regularly review and update the plan to ensure it remains effective and relevant.
- We Test the Plan: Conduct regular tests and drills to ensure that your team is prepared to respond effectively in the event of a data breach.
A well-prepared data breach response plan can significantly reduce the impact of a data breach on your organization.
Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data, and (where the lawful ground of processing is consent) to withdraw consent.
-
Data Subject Requests - click on it to open
We handle requests by following these steps:
- Request Specification: The type of your request could be a request to access, delete, correct, or transfer personal data.
- Requestor’s Identity: Before processing the request, we verify your identity. This could involve sending a link to an email address, asking for account numbers or addresses, or offering additional layers of validation, such as security questions or document uploads.
- Locate the Data: Once the requestor’s identity is verified, locate the requested data within your systems.
- Respond to the Request: Provide the requested data in a structured, commonly used, and machine-readable format. If the request is to correct or delete data, take the necessary actions.
- Communicate the Outcome: Inform the requestor about the actions taken in response to their request.
- Record the Request: Keep a record of the request and your response for compliance purposes.
- Review and Improve Processes: Regularly review and improve your processes for handling data subject requests.
The time frame for responding to a data subject request is usually within one month. However, some details, such as response time, may differ between laws.
-
Your Consent - click on it to open
✅ Data Protection Policy: We always provide an easy-to-find and retrievable data protection policy, which informs you in detail about the circumstances of the collection and any rights, such as the deletion of the collected data.
✅ Cookie Usage: The German Telecommunication and Telemedia Data Protection Act (TTDSG) covers rules regarding data protection on websites and telecommunication services and the use of cookies. Therefore, our privacy policy includes details about the use of cookies, the types of cookies used, and how users can control or opt-out of cookie usage.
✅ Third-Party Data Sharing: It is clearly stated in the privacy policy, if we share data with third parties. This includes information about what data is shared, with whom, and for what purposes.
✅ Data Security Measures: Our privacy policy also informs you about the security measures in place to protect their data.
✅ Contact Information: Our privacy policy provides contact information for the data protection officer or another point of contact where users can direct their questions or concerns.
✅ Updates to the Privacy Policy: The privacy policy informs you about how and when it will be updated, and how you will be informed about changes.
Here are our detailed rules for obtaining your consent:
- Freely Given: Your consent must be given freely, without any undue pressure or influence, and you should have a real choice.
- Specific and Informed: We inform you about the specific purpose of data processing, and we separate consent obtained for different processing activities.
- Unambiguous: Your consent must be unambiguous, which means it requires from you a clear affirmative action, such as ticking a box or clicking a button.
- Documented: We keep records of your consents obtained, including when and how your consent was given, and what you was told at the time of consent.
- Easy to Withdraw: Your consent must be as easy to withdraw as it is to give. We inform you of your right to withdraw consent and how to do so.
- No Tying: Your consent is not a precondition for our services unless necessary for that specific service. We don’t bundle your consent with acceptance of terms or conditions if not necessary for the performance of those services.
- Age Verification: For your children under the age of 16 (or a lower age if provided by the member state law, which cannot be below 13 years), your consent must be given or authorized by the holder of parental responsibility over your child. This is why we don‘t accept children under the age of 16 years to buy in our e-store. You as parent or any third adult person can buy for your children under 16 years and be user of our e-store on behalf of your child.
- Explicit Consent: For processing your sensitive personal data, your explicit consent is required. This means a very clear and specific statement of consent.
- Review and Refresh: We regularly review your consents to check that the relationship, processing, and purposes have not changed.
- Third-Party Consents: If consent is managed by a third party, we ensure that the third party acts in compliance with the GDPR and that the consent meets the GDPR’s requirements.
- Data as Currency: Under new consumer laws, your personal data can be considered a form of “currency”. If you provide personal data in exchange for digital content or services, we let you clearly state and consent to.
- Auto-Renewal and Subscriptions: The Fair Consumer Contracts Act (FCCA) limits the permissibility of auto-renewal of subscriptions. Subscriptions don‘t bind you for more than two years, and auto-renewals can only extend the subscriptions indefinitely with a notice period of one month for you.
These rules are designed to protect you and ensure that your personal data is processed lawfully, fairly, and transparently. We are seated in Germany and comply with that best practises in order to be trustworthy and have your back regarding the data we get from you.
4. GLOSSARY AND SALVATION CLAUSE
GLOSSARY
-
LAWFUL BASIS - click on it to open
- Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
-
DEFINITIONS - click on it to open
Based on the article from the International Comparative Legal Guides (ICLG) regarding German Data Protection laws:
Sure, here are some of the key terms defined in the German Data Protection laws:
- Public and non-public bodies: Section 2 of the BDSG defines public and non-public bodies. Public bodies are typically government agencies or institutions that carry out public administration tasks. This includes federal, state, and local government bodies, as well as other institutions under public law. Non-public bodies, on the other hand, are typically private sector organizations, such as businesses, non-profit organizations, and private individuals, when they process personal data.
- Personal Data: Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers like a name, ID number, location data, or online identifier.
- Data Subject: An identified or identifiable natural person whose personal data is processed by a controller or processor.
- Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Processing: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, or otherwise making available.
- Restriction of Processing: Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
- Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
- Pseudonymisation: Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
- Filing System: Filing system means any structured set of personal data which are accessible according to specific criteria.
- Controller: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient: Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
- Third Party: Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Consent: Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Personal Data Breach: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2.
- Genetic Data: Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person.
- Biometric Data: Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.
- Data Concerning Health: Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Digital Content: Data produced and supplied in digital form, such as computer programs, apps, videos, music, digital games, e-books, etc.
- Digital Services: Services that allow the consumer to create, process, store, or access data in digital form, or services that allow sharing of or any interaction with data in digital form uploaded or created by the consumer or other users of the service.
These high-level definitions are essential for understanding the scope and application of data protection laws in Germany within the context of e-commerce and customer privacy. For more detailed definitions and provisions, you can refer to the full text of the Federal Data Protection Act (BDSG). Please note that translations may not be updated at the same time as the German legal provisions displayed on this website.
-
GENERAL PRINCIPLES - click on it to open
- Lawfulness, fairness, and transparency: All processing of personal data must be lawful, fair, and transparent.
- Purpose limitation: Data can only be collected and processed for specific, explicit, and legitimate purposes.
- Data minimization: Only the minimum amount of personal data necessary for the intended purpose can be collected and processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation: Personal data should not be stored for longer than necessary for the purposes for which it was processed.
- Integrity and confidentiality: Appropriate technical and organizational measures must be implemented to protect personal data from unauthorized access, disclosure, alteration, or destruction.
- Accountability: The data controller is responsible for ensuring compliance with the lawfulness of processing principles.
-
GERMANY‘S DATA PRIVACY PROTECTION LAWS - click on it to open
These are the relevant legal basis for data privacy protection in Germany:
- General Data Protection Regulation (GDPR): Adopted by the European Union (EU) in 2018, the GDPR has far-reaching implications for German data protection laws. It sets out more stringent requirements for data controllers and processors, including the requirement for explicit consent for data collection, the right to be forgotten, and enforcement requirements.
- The New Federal Data Protection Act (BDSG-new): The BDSG-new replaced the former BDSG on 25th May 20181. It was designed to bring the German privacy law on par with the GDPR and the EU-Privacy Directive for Policy and Justice (EU-Directive 2016/680)1. It ensures the protection of personal data, whether processed by advanced technology or more traditional methods.
- Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG): This is another important piece of legislation that merchants need to comply with.
- Rights of Data Subjects: The BDSG-new recognizes the rights of data subjects and outlines how data subjects can enforce their data privacy rights.
- Cookie Compliance: Merchants must also comply with specific rules regarding the use of cookies.
- Data Breach Notification: Under the GDPR, there are specific guidelines on personal data breach notification.
- Certification as a Tool for Transfers: There are guidelines on certification as a tool for transfers.
Salvation Clause
If any provision of these named rules is found to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.
5. USERS FROM THRID COUNTRIES OUTSIDE THE EU
For all other countries we refer on external Guides
-
OneTrust-DataGuidance Global Privacy Laws Tool - click on it to open
The OneTrust DataGuidance Global Privacy Laws tool is a comprehensive resource designed to help organizations navigate the complex and evolving landscape of global privacy and data protection laws. This portal serves as a one-stop-shop for organizations to understand their global privacy compliance requirements and to adapt their privacy programs to meet new regulatory challenges. It also offers the option to request a demo to explore the platform's resources further.
Here's a summary of its key functions:
- Interactive World Map: Features a detailed interactive map that highlights the existence of privacy laws in various countries.
- Comparing Privacy Laws Tool: Allows for an in-depth comparison of privacy laws across over 100 jurisdictions, covering aspects like definitions, legal bases, and individuals' rights.
- News & Insights: Provides up-to-date news stories and insightful articles related to privacy laws from around the world, authored by a network of over 800 contributors.
- Upcoming Privacy Laws: Offers information on draft privacy laws currently in the legislative process, helping organizations stay ahead of future developments.
- Regulatory Research Resources: Includes a wealth of resources for regulatory research within the OneTrust DataGuidance platform.
-
CMS Expert Guide tool - click on it to open
Very helpful for the matter of Transparency and Knowing your Rights, no matter where you are globally located, is the CMS Expert Guides tool is designed to provide easy access to legal advice and research relevant to various jurisdictions. This tool is particularly useful for professionals seeking in-depth legal research and insights across different legal areas and jurisdictions. It's tailored to be a comprehensive resource for legal information that's both accessible and user-friendly. If you need more detailed information or specific guidance, the tool also allows for direct communication with legal experts.
Here's a summary of its functions:
- Wide Range of Topics: Covers a broad spectrum of legal topics, from data protection and GDPR to corporate law and dispute resolution.
- Expert Legal Content: Offers a collection of expert legal content written by CMS lawyers from different jurisdictions.
- Interactive Navigation: Features interactive elements like clickable maps to help users navigate to the content that interests them most.
- Offline Access: Provides options to create and download PDF versions of the guides for offline reading.
-
Legal Acceptance to refer on external Guides - click on it to open
The reference on external guides is legally acceptable, because or these important considerations:
- Accuracy and Relevance: Both external guides are accurate, up-to-date, and relevant to the international privacy protection laws you are addressing. This helps maintain the credibility and reliability of your privacy notice.
- Attribution: The sources of the external guides are properly attributed. This includes giving credit to the original authors and providing clear citations.
- Consistency with our Policies: The information in the external guides is consistent with our own privacy policies and practices. Any discrepancies could lead to confusion or legal issues.
- Transparency: We clearly explain why we are referencing external guides and how they relate to our privacy practices. This helps build trust with our users and ensures transparency.
- Legal Compliance: We verified that referencing external guides complies with the legal requirements of the jurisdictions you operate in. Different countries may have different regulations regarding the use of external sources in legal documents.
- User Understanding: The references to both external guides are easy to understand. We avoid overly technical language and provide clear explanations where necessary.
We can responsibly reference these two external guides in our privacy notice while ensuring legal compliance and maintaining trust.
