Skin Advisor

Data privacy


I. Name and address of controller 

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations is the company: 

Dr. Spiller Ges.mbH
Katzmoosstraße 26
5161 Elixhausen
Austria
Telephone: 0043 662 825387-0
E-Mail: info.at@dr-spiller.com
Website: www.dr-spiller.com

II. Name and address of data protection officer

The data protection officer of the controller is:

Lukas W. Mempel

LS-IP Loth & Spuhler Intellectual Property Law
Partnerschaft von Rechtsanwälten mbB
Garmischer Straße 35
81373 München
Germany
Telephone: +49 89 48 90 250
Fax: +49 89 48 90 2510
E-Mail: info@ls-ip.com
Website: www.ls-ip.com

III. General information on data processing 

1. Extent of processing of personal data 

We collect, store and use personal data of visitors to our website (users) and customers only to the extent necessary to provide a functional website as well as our contents and services. As a rule, the collection and use of personal data of our users, customers and business partners takes place only after their respective consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal provisions. If you have given us your explicit consent, your personal data will be stored beyond the business transaction and used for personal information about our products or campaigns as well as for internal evaluations and analyses (internal evaluation of order processes, mailing of advertising).

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) lit. a GDPR serves as the legal basis for the processing of personal data. 

In the processing of personal data necessary for the performance of a contract to which the data subject is a contracting party, Art. 6 (1) lit. b GDPR serves as legal basis. This also applies to processing operations that are necessary in order to carry out pre-contractual measures.  

Insofar as the processing of personal data is necessary for the compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as legal basis.  

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as legal basis. If the processing is necessary for the protection of a legitimate interest pursued by our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the interest mentioned first, Art. 6 (1) lit. f GDPR serves as legal basis for the processing. 

3. Data deletion and storage period 

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned legal provisions expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.  

4. SSL encryption 

Our website uses SSL encryption for security reasons and to protect the transmission of confidential contents, such as orders or requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.  

When the SSL encryption is activated, the data that you transmit to us cannot be read by third parties.  

IV. Provision of the website and creation of log files 

1. Description and extent of data processing 

Every time you access our website, our system automatically collects data and information from the computer system of the accessing computer. The following data are collected: 

  • IP address of the user 
  • date and time of access

The data are also stored in the log files of our system. These data are not stored together with other personal data of the user.  

We use carefully selected external service providers (host provider, system administration) for the provision of our website and the associated processing of your personal data. These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.  

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.  

2. Legal basis for data processing  

The legal basis for the temporary storage of the data and log files is Art. 6 (1) lit. f GDPR. 

3. Purpose of data processing 

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session.  

The data are stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.  

Our legitimate interest in the data processing pursuant to Art. 6 (1) lit. f GDPR also lies in these purposes.

4. Storage period 

The data will be deleted as soon as they are no longer needed to achieve the purpose for which they were collected. If the data are collected for the provision of the website, this is the case when the respective session has ended.  

If the data are stored in log files, this is the case after one month at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or obscured so that the accessing client can no longer be identified.

5. Possibility of objection and removal 

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.  

V. Use of cookies 

1. Description and extent of data processing 

If you have explicitly consented to the use of cookies, cookies will be used on our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string that allows a clear identification of the browser when the website is accessed again.  

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a change of page.  

The following data are stored and transmitted in the cookies: 

  • general browser identification  
  • IP address 

When accessing our website, the user is informed about the use of cookies and his or her consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to the present Data Privacy Statement.  

2. Legal basis for data processing  

The legal basis for the processing of personal data by using technically necessary cookies is Art. 6 (1) lit. f GDPR. 

3. Purpose of data processing 

The purpose of the use of cookies is to facilitate the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized even after a change of page.  

The user data collected through cookies are not used for the creation of user profiles.

Our legitimate interest in the processing of the personal data pursuant to Art. 6 (1) lit. f GDPR also lies in these purposes.

4. Storage period, possibility of objection and removal 

You can avoid the use of cookies by not consenting to the use of cookies.  

Cookies are stored on the user’s computer and transmitted by the latter to our website. Therefore, you as user have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that are already stored can be deleted at any time. This can also take place automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.  

In addition, you can prevent cookies from being stored by means of an appropriate setting in your browser software; however, please note that if you do this you may not be able to use all functions of this website in their entirety. You can also prevent the collection and transmission of the data generated by the cookie and relating to your use of the website (including your IP address) to Google as well as the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de. 

VI. Registration 

1. Description and extent of data processing  

On our website we offer the possibility to register as a customer by providing personal data. The data are entered into an input mask and are transmitted to us and stored.  

Alternatively, you have the possibility to register as a business customer by filling in the Masterfile form. The personal data provided by you in this Masterfile form are stored by us.

a. Registration as business customer 

In the case of registration as a business customer, the following data are collected in the course of the registration process:

  • surname, first name 
  • Customer Number 
  • Company 
  • Address 
  • Phone number 
  • E-mail address 
  • VAT identification number 
  • date of birth 
  • date of birth of contact person (if applicable) 
  • website (if applicable)

At the time of registration, the following data are stored additionally: 

  • IP address 
  • date and time of registration 

In the course of the registration process, the consent of the business customer to the processing of these data is obtained. In addition to that, we allocate an individual customer number to each customer. This individual customer number will also be stored. 

b. Registration as a private customer 

When registering as a private customer, the following data is collected as part of the registration process:

  • Last name, first name 
  • Address 
  • Email address

At the time of registration, the following data is also stored:

  • IP address 
  • Date and time of registration

As part of the registration process, the private customer's consent to the processing of this data is obtained. In addition, we assign each customer an individual customer number, which is also stored. 

c. Registration as a guest customer 

When registering as a guest customer, the following data is collected as part of the registration process:

  • Last name, first name 
  • Address 
  • Email address

At the time of registration, the following data is also stored:

  • IP address 
  • Date and time of registration

As part of the registration process, the guest customer's consent to the processing of this data is obtained. The data of the guest customer is only stored on an order-related basis. The data is not stored in the form of a user account. 

d. Transmission of personal data

In the context of the registration process and the associated processing of your personal data, we use carefully selected external service providers (host provider, ERP system, system administration). These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.  

If we receive an inquiry regarding sales outlets of Dr. Spiller products, you agree that we may pass on the following data to the person making the inquiry: 

  • surname, first name 
  • address 
  • Phone number 
  • e-mail address

2. Legal basis for data processing  

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the customer has given his or her consent.  

3. Purpose of data processing 

Registration as a private customer primarily serves the use of the online shop, as well as the creation of a customer account. A registration of the business customer serves in addition the authentication as a Dr. Spiller customer. After the successful verification, additional contents and services (advertising media, trainings, etc.) are made available to the business customer on our website.  

A registration of the customer is necessary for the performance of a contract with the customer or in order to carry out pre-contractual measures.  

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG [Value Added Tax Act] is required. The date of birth or the date of birth of the contact person respectively are collected in order to check the legal age as well as in order to send birthday wishes. The provision of the date of birth of the contact person is optional.

4. Storage period 

The data collected in the course of the registration process are deleted when the registration on our website is removed or changed.  

5. Possibility of objection and removal 

As a customer you have the possibility to cancel the registration at any time. You can change the data stored about you at any time in the “My Account” section, or delete your account. With the confirmation of your e-mail address and password your account on our website will be deleted. If the data are required for the performance of a contract or in order to carry out pre-contractual measures, advance deletion of the data is only possible to the extent that contractual or statutory obligations do not prevent deletion.  

VII. Newsletter 

1. Description and extent of data processing  

If you register on our website as a customer and provide your email address, we may subsequently use this address for the mailing of a newsletter. In such a case, only direct advertising for similar goods or services of our company will be sent through the newsletter.  

In the course of the registration process, your consent will be obtained for the processing of the data and reference will be made to this Data Privacy Statement.  

In connection with the data processing for the mailing of newsletters, the following persons and/or companies have access to the data: newsletter provider, system administration, ERP-system. The data are only used for the mailing of the newsletter.

2. Legal basis for data processing  

The legal basis for the processing of the data after registration for the newsletter by the customer is Art. 6 (1) lit. a GDPR if the customer has given his or her consent. 

3. Purpose of data processing  

The collection of the e-mail address of the customer serves to deliver the newsletter.  

4. Storage period 

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The e-mail address of the customer will therefore be stored for as long as the subscription to the newsletter is active.  

5. Possibility of objection and removal  

The subscription to the newsletter can be terminated by the customer concerned at any time. For this purpose, an appropriate link is provided in each newsletter. You can also unsubscribe in the customer account on the website. 

VIII. Ordering and conclusion of contract after completed registration

1. Description and extent of data processing  

Once you have registered as a customer on our website, it is possible to order and purchase products through our online shop. The following additional data are collected and stored when an order is entered and processed:

  • billing address
  • delivery address
  • method of payment
  • products
  • price
  • order date
  • order time
  • invoice date
  • delivery date
  • type of device

We use carefully selected external service providers for the entering and processing of an order and the associated processing of your personal data (host provider, ERP system, system administration, delivery and payment service provider). These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.  

2. Legal basis for data processing  

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the customer has given his or her consent.  

If the data are processed for the performance of a contract, with the customer as contracting party, or in order to carry out pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 (1) lit. b GDPR. 

3. Purpose of data processing  

The products are dispatched to the customer after our acceptance of the order. The collection of surname, first name, (company) and address is required to process the respective order.  

The phone number and e-mail address are collected to be able to contact the customer, e.g. for queries or to answer questions of the customer.  

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG [Value Added Tax Act] is required.  

4. Storage period 

The data of a specific order (products, price, order date and order time, invoice date, delivery date) are deleted ten years after full processing of the order. The customer data (surname, first name, (company), address, phone number, email address, (VAT identification number) and all other data stored at the time of order) will be deleted ten years after full processing of the last order.  

IX. Use of Google reCAPTCHA 

1. Description and extent of data processing  

We also use Google reCAPTCHA on our website. The provider of this program is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

Google reCAPTCHA is used to check whether the data entry on our website is done by a person or by an automated program. For this purpose, Google reCAPTCHA analyses the behaviour of the visitor to the website on the basis of various characteristics. This analysis starts automatically when the website visitor accesses the website. For analysis purposes, Google reCAPTCHA evaluates various information (e.g. IP address, the time the website visitor stays on the website or the mouse movements made by the user). The data collected in the course of the analysis are transmitted to Google.  

The reCAPTCHA analyses run completely in the background. Visitors to the website are not informed that an analysis is taking place.  

2. Legal basis for data processing  

The data processing takes place on the basis of Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its websites from abusive automated spying and SPAM. 

3. Purpose of data processing 

The purpose of the data processing is to protect our website from abusive automated spying and SPAM.  

4. Further information 

Further information on Google reCAPTCHA and the privacy statement of Google can be found under the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html. 

X. Use of Google Tag Manager 

1. Description and extent of data processing  

If you have explicitly consented to the use of Google Tag Manager, this website uses functions of the web analysis service Google Tag Manager. This service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

Google Tag Manager uses text files, known as "cookies", which are stored on your computer and allow an analysis of your use of the website. The information generated by the cookie concerning your use of this website is, as a rule, transmitted to a Google server in the United States and stored there.

We have activated the IP anonymisation function on this website. This will cause your IP address to be shortened by Google within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area before being transmitted to the USA. The full IP address will only be transmitted to a Google server in the USA and stored there in exceptional cases. Upon request of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on the website activities and to provide further services related to the use of the website and Internet in relation to the website operator. The IP address transmitted by your browser in the context of Google Tag Manager will not be collated with other Google data. 

More information on the handling of user data at Google Tag Manager can be found in the privacy statement of Google: https://support.google.com/tagmanager/answer/9323295?hl=de.

We concluded an agreement on commissioned data processing with Google and fully implement the strict requirements of the German data protection authorities in connection with the use of Google Tag Manager. 

2. Legal basis for data processing  

Google Tag Manager cookies are stored with your consent on the basis of Art. 6 (1) lit. a GDPR. 

3. Purpose of data processing  

The purpose of data processing is to optimize both our website and our advertising.  

4. Possibility of objection and removal  

You can avoid the use of Google Tag Manager by not giving your consent to the use of Google Analytics. In addition, you can prevent cookies from being stored by means of an appropriate setting in your browser software; however, please note that if you do this you may not be able to use all functions of this website in their entirety. You can also prevent the collection and transmission of the data generated by the cookie and relating to your use of the website (including your IP address) to Google as well as the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

XI. Use of Google Web Fonts 

1. Description and extent of data processing

Our website uses so-called Web Fonts provided by Google to uniformly display fonts. When you access a page, your browser loads the required Web Fonts into your browser cache to display texts and fonts correctly.  

For this purpose, the browser you are using must establish a connection to the servers of Google. As a result, Google becomes aware that our website has been accessed via your IP address.  

If your browser does not support Web Fonts, a default font is used by your computer.  

2. Legal basis for data processing  

The use of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our online offers. This constitutes a justified interest within the meaning of Art. 6 (1) lit. f GDPR. 

3. Purpose of data processing 

The purpose of data processing is to present our online offers in a uniform and appealing manner.

4. Further information

Further information on Google Web Fonts can be found under https://developers.google.com/fonts/faq and in the privacy statement of Google: https://www.google.com/policies/privacy/.

XII. Use of Social Media Plugins 

1. Description and extent of data processing  

If you have in each case explicitly consented to their use, our website uses the following plugins:

  • YouTube; operator of the website is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. In order to integrate third-party content, data (IP address, time of visit, device and browser information) is collected via the YouTube Video Plugin in the extended data protection mode we use, transmitted to Google and then processed by Google, only when you play a video.  
  • Meta Platforms Inc., operator of the Facebook and Instagram pages is Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025;
  • Pinterest, operator of the website is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; 
  • XING, operator of the website is XING SE, Dammtorstraße 30, 20354 Hamburg, Germany;
  • LinkedIn, operator of the website is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

When you visit our website and explicitly consent to the transmission of your personal data, a connection is established to the servers of the aforementioned websites. The respective server is informed which of our web pages you have visited.  

When you are logged into your respective YouTube, Facebook, Instagram, Pinterest, XING and/or LinkedIn Account, you enable the operator of the respective website to assign your surfing behaviour directly to your personal profile. 

2. Legal basis for data processing  

The use of YouTube, Facebook, Instagram, Pinterest, XING and LinkedIn takes place with your consent on the basis of Art. 6 (1) lit. a GDPR. 

3. Purpose of data processing 

The use of YouTube, Facebook, Instagram, Pinterest, XING and LinkedIn takes place in the interest of an appealing presentation of our online offers.  

4. Further information 

Further information on the handling of user data can be found in the following privacy statements:

  • YouTube: https://policies.google.com/privacy?hl=de&gl=de Data privacy from Google 
  • Facebook: https://www.facebook.com/privacy/explanation 
  • Instagram: https://help.instagram.com/519522125107875?helpref=page_content
  • Pinterest: https://policy.pinterest.com/de/privacy-policy 
  • XING: https://privacy.xing.com/de/datenschutzerklaerung 
  • LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=de_DE

5. Purpose of data processing 

The purpose of data processing is to optimize both our website and our advertising. 

6. Possibility of objection and removal  

You can prevent the respective operator of the aforementioned websites from assigning your surfing behaviour directly to your personal profile by not consenting to the transmission of these data. When you are logged into your respective YouTube, Facebook, Instagram, Pinterest, XING and/or LinkedIn Account, you enable the operator of the respective website to assign your surfing behaviour directly to your personal profile. You can also prevent this by logging out of your respective YouTube, Facebook, Instagram, Pinterest, XING and/or LinkedIn Account.

XIII. Contacting, ordering and/or other initiation of business by e-mail, letter or telephone 

1. Description and extent of data processing 

As an alternative to registering on our website, you can also contact us and/or place an order by e-mail, letter or telephone. In this case, your personal data transmitted by e-mail, letter or telephone will be stored. The same applies in the event that we obtain goods and/or services from you.  

We use carefully selected external service providers for the entering and handling of an order and a contract with which we obtain goods and/or services from you and the associated processing of your personal data (host provider, ERP system, system administration, delivery and payment service provider). These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.  

2. Legal basis for data processing 

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the data subject has given his or her consent.  

The legal basis for the processing of the data transmitted by e-mail, letter or telephone in the course of establishing contact is Art. 6 (1) lit. f GDPR. If an order is concerned or the e-mail, letter or telephone call aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR. 

3. Purpose of data processing  

The processing of the personal data from the e-mail, the letter or the telephone call serves us solely to process the establishment of contact. This also constitutes the necessary legitimate interest in the processing of the data. If an order is placed, it is necessary to collect surname, first name, (company) and address to process the order in question.

The collection of phone number, fax number and e-mail address is necessary to be able to contact you, e.g. for queries or to answer questions.  

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG is required.  

We collect the date of birth in order to clearly identify the respective person and to check legal capacity. In addition, the date of birth is collected in order to be able to send birthday wishes to the respective person.

4. Storage period 

The data collected in case of a pure contacting (without order) will be deleted when the respective conversation is terminated. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.  

The data of a specific order (products, price, order date and order time, invoice date, delivery date) are deleted ten years after full processing of the order. The customer data (surname, first name, company, address, phone number, fax number, e-mail address, VAT identification number and all other data stored at the time of registration) will be deleted ten years after full processing of the last order. 

The business partner data (surname, first name, company, address, phone number, fax number, e-mail address, VAT identification number and all other data stored at the time of registration) will be deleted ten years after full processing of the last order.

5. Possibility of objection and removal

You have the possibility to revoke your consent to the processing of personal data at any time. If you have contacted us by e-mail, letter or telephone, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued. 

The revocation of the consent and the objection to storage can be addressed by e-mail, letter or telephone to the contact details indicated under item I. of the present Data Privacy Statement.

All personal data stored in the course of contacting and/or ordering will be deleted in this case.  

XIV. Use of the messenger service Threema Work 

1. Description and extent of data processing 

In order to communicate with our business partners, we use inter alia the messenger service Threema Work. The provider of this messenger service is the company Threema GmbH, Churerstraße 82, 8808 Pfäffikon SZ, Switzerland. By consenting to the present Data Privacy Statement, you consent to the use of the messenger service Threema Work and the processing of personal data as described below.  

We collect and store the e-mail address and the Threema ID of the business customer for the communication via the messenger service Threema Work. In addition, the personal data of the business customer transmitted in the course of this communication are stored. In the context of this communication, Threema Work is granted access to the data that are the subject of the communication.  

2. Legal basis for data processing 

The legal basis for the processing of personal data within the scope of the communication with our business customers via the messenger service Threema Work is Art. 6 (1) lit. a GDPR if the business customer has given his or her consent.  

3. Purpose of data processing

The processing of personal data serves us solely to establish contact with you or to answer your questions.  

4. Storage period 

The personal data transmitted in the course of a communication will be deleted when the respective conversation with the business customer is terminated. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified. The e-mail address and the Threema ID of the business customer will be deleted ten years after full processing of the last order.  

5. Further information 

  • https://work.threema.ch/de/nutzungsbedingungen
  • https://work.threema.ch/de/datenschutzerklaerung 

6. Possibility of objection and removal 

As a business customer you have the possibility to revoke the consent to the use of Threema Work and the associated processing of personal data at any time. The revocation of the consent can be addressed via Threema Work, e-mail, letter or telephone to the contact details indicated under item I. of the present Data Privacy Statement. All personal data stored in the course of the communication via Threema Work will be deleted by us in this case.  

XV. Rights of the data subject 

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the controller: 

1. Right of access 

You shall have the right to obtain from the controller confirmation as to whether personal data relating to you are being processed by us. If this is the case, you shall have the right to obtain from the controller access to the following information: 

(1) the purposes for which the personal data are processed; 

(2) the categories of personal data that are processed; 

(3) the recipients or categories of recipient to whom the personal data relating to you have been or will be disclosed;  

(4) the envisaged period for which the personal data relating to you will be stored, or, if specific information is not possible, the criteria used to determine that period;

(5) the existence of the right to rectification or erasure of the personal data relating to you, the right to restriction of processing by the controller or the right to object to such processing;  

(6) the right to lodge a complaint with a supervisory authority; 

(7) any available information as to the source of the data where the personal data are not collected from the data subject; 

(8) the existence of automated decision-making, including profiling, according to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.  

You shall have the right to obtain information as to whether the personal data concerning you are transferred to a third country or to an international organisation. In this context you can request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.  

2. Right to rectification  

You shall have the right to obtain from the controller rectification and/or completion if the processed personal data concerning you are inaccurate or incomplete. The controller has to make the rectification without undue delay.

3. Right to restriction of processing

Under the following conditions, you may request that the processing of personal data relating to you be restricted:

(1) you contest the accuracy of the personal data relating to you for a period enabling the controller to verify the accuracy of the personal data; 

(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead; 

(3) the controller no longer needs the personal data for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims, or  

(4) you have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds. 

In case the processing of the personal data relating to you has been restricted, such data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the processing was restricted according to the aforementioned conditions, you will be informed by the controller before the restriction of processing is lifted.  

4. Right to erasure 

a. Obligation to erase 

You shall have the right to request from the controller the erasure of personal data relating to you without undue delay and the controller has the obligation to erase such data without undue delay if one of the following grounds applies: 

(1) the personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed;  

(2) you withdraw consent on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal ground for the processing;  

(3) you object to the processing according to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Art. 21 (2) GDPR;

(4) the personal data relating to you have been unlawfully processed;

(5) the personal data relating to you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;  

(6) the personal data relating to you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR. 

b. Information to third parties

Where the controller has made the personal data relating to you public and is obliged pursuant to Art. 17 (1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

c. Exceptions

The right to erasure does not exist to the extent that processing is necessary

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) for the establishment, exercise or defence of legal claims.

5. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data relating to you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller about those recipients.

6. Right to data portability

You have the right to receive the personal data relating to you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that

(1) the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and

(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data relating to you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be adversely affected thereby. The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data relating to you which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data relating to you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Where the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data relating to you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for those purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the possibility to exercise your right to object by automated means using technical specifications.

8. Right to withdraw the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for entering into, or the performance of, a contract between you and the controller,

(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests, or

(3) is based on your explicit consent.

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and suitable measures to safeguard the rights and freedoms as well as your legitimate interests have been taken.

In the cases referred to in (1) and (3), the controller shall take suitable measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement, if you consider that the processing of the personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.