Cremesso data protection regulations

  1. What Is this Privacy Policy about?
  2. Who Are We?
  3. What Is "Personal Data" and What Does "Processing" Mean?
  4. For Whom and for What Purpose Is this Privacy Policy Intended?
  5. Which Personal Data Do We Process and for What Purposes?
  6. To Whom Do We Disclose Personal Data?
  7. When Do We Transfer Your Personal Data Abroad?
  8. Do We Conduct Profiling and Use Automated Decision-Making?
  9. How Do We Protect Your Personal Data?
  10. For How Long Do We Store Your Personal Data?
  11. What Rights Do You Have in Connection with the Processing of Your Personal Data?
  12. What Else Do You Need to Bear in Mind?
  13. Changes to this Privacy Policy
  14. Reasons for data collection; scope, purpose and obligation to provide data; legal basis for processing

 

State: May 25th, 2018

The protection of data is a matter of trust and your trust is important to us. It is for this reason that we have published this Privacy Policy. With a view to the new European General Data Protection Regulation ("GDPR"), it specifies which personal data we process, how we process this data, and for what purposes. In addition, companies outside of the European Union are required to comply with the GDPR in certain circumstances. However, we want to ensure that the high level of protection established by the GDPR is afforded to all individuals whose personal data we process. For this reason, we have decided to align this Privacy Policy, in general, with the GDPR. You can view the GDPR here.

We are committed to providing comprehensive information on the processing of your personal data. This Privacy Policy therefore explains how and why we collect, process, and use your personal data. It is important to us that you understand:

  • what personal data about you we collect and process;
  • when we collect your personal data;
  • the purposes for which we use your personal data;
  • how long we store your personal data;
  • who has access to your personal data; and
  • what rights you have with respect to your personal data.

We provide information and guidance on all of these matters below. If you have any questions, please do not hesitate to contact us. Our contact details are included in section 2.

2. Who are we?

For each data processing activity, a particular company is responsible for ensuring compliance with data protection provisions. In each case, this is the company that defines whether a certain processing activity (e.g. processing in connection with a service or the use of a website) should take place, for what purposes it is performed, and the general principles that should apply (where such decisions are made jointly by more than one company, the companies may also be jointly responsible). The following company ("we" or "us") is generally responsible for the data processing activities covered by this Privacy Policy:

Delica AG
Hafenstrasse 120
CH-4127 Birsfelden
Switzerland

Tel: +41 61 315 77 88
Mail: info@delica.ch

We have appointed a Data Protection Officer who may be contacted as follows:

Datenschutz Cremesso
datenschutz-cremesso@delica.com
+ 41 61 315 77 88

We have also appointed the following company as a representative in the EU and/or the European Economic Area:

M-Industry Germany
Rudolf-Diesel-Strasse 24
D-64625 Bensheim
datenschutz-cremesso@delica.com

In certain cases, responsibility does not lie with us, but rather with a different company:

  • If you contact another company (e.g. in contacting Customer Services), this company will be responsible for the relevant data processing activity – unless this Privacy Policy states otherwise in relation to the processing activity concerned.
  • In certain circumstances, we may disclose your personal data to another company or to an external party in order to enable these recipients to process personal data for their own purposes (i.e. not on our behalf). Such parties may also include the authorities. In such cases, the recipient concerned is deemed to be the data controller. Information on such data controllers is provided in the relevant privacy policy of the recipient, which will generally be available on its website.

3. What Is "Personal Data" and What Does "Processing" Mean?

The rules governing the processing of personal data are laid down in data protection legislation. Personal data (or "personal information") means any information relating to an identifiable natural person, i.e. an individual. This may, for example, include the following information:

  • Contact details, for example name, mailing address, email address, telephone number
  • Other personal details, for example gender, date of birth and age, marital status, nationality
  • Professional details, for example occupation, title, role, training, former employers, skills and experience, approvals and licenses, and memberships
  • Shopping information, for example purchase information, orders, shopping history, preferred shopping locations and -times, shopping baskets, preferences and preference for certain product categories
  • Financial details, for example credit card number, account details, credit rating, assets, and income
  • Image, sound, and video recordings
  • Records of your visits to websites and your use of apps.

Information relating to a particular legal entity (e.g. details about a contract with a company) also constitutes personal data.

Certain personal data are afforded special protection under the legislation, including "sensitive personal" (also referred to as "special categories of personal data").  Such data may include information that discloses an individual's race or ethnic origin, political views, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data allowing the unique identification of an individual, health data and data concerning an individual's sex life or sexual orientation, as well as data concerning criminal convictions and offenses and, in certain circumstances, data relating to social security matters.

We generally collect your personal data directly from you, for example when you perform certain actions. This may include instances in which you communicate with us, visit a website, or avail yourself of an offer online or via an app or when you shop with us in an online shop and/or use a customer loyalty card. Personal data may, however, also be collected indirectly, for example when goods are delivered to a different person (e.g. as a gift), other people are mentioned in any communication with us, or through the procurement of additional data from third-party sources (e.g. from social media or mailing list brokers).

We do not necessarily process all the categories of personal data mentioned in this section. Specific information about the personal data processed by us can be found in section 5 and in the table in section 14 at the end of this Privacy Policy. Depending on the type of processing involved, we will provide additional information by way of a separate privacy policy or notification, especially if a certain data processing activity is not self-explanatory.

"Processing" (or "use") therefore refers to any use of your personal data. This may include the following actions:

  • Collection and storage
  • Organization and administration
  • Adaptation and alteration
  • Retrieval and storage;
  • Disposal and usage
  • Transfer and disclosure;
  • Combining
  • Restriction
  • Erasure and destruction.

4. For Whom and for What Purpose Is this Privacy Policy Intended?

This Privacy Policy applies to our personal data processing activities in all of our business areas. It applies to the processing of personal data that has already been collected and personal data that will be collected in future. Additional data protection provisions may also apply to certain services.

Our data processing activities may affect, in particular, the following individuals (so-called "data subjects"):

  • Individuals who write to us or contact us in some other way;
  • Visitors to our offices;
  • Customers in online shops;
  • Users of online offers and apps;
  • Individuals who use our services or come into contact with our services;
  • Visitors to our website;
  • Recipients of information and marketing communications;
  • Participants in competitions, prize draws and customer events;
  • Participants in market research and opinion surveys;
  • Contacts at our suppliers, outlets, and other business partners;
  • Job applicants.

Further information on data processing activities relating to specific offers may be included in general terms and conditions, terms of participation, and similar provisions.

5. Which Personal Data Do We Process and for What Purposes?

We process a wide range of personal data for different reasons and purposes. Further information is provided in this section and in the table in the section 14 at the end of this Privacy Policy and, in many instances, in the applicable general terms and conditions, conditions of participation, and additional privacy policies. For example, we process personal data, which may include sensitive personal data, in the following situations for the following purposes:

  • Communications: We process personal data if you contact us or we contact you, for example when you contact Customer Services, if you write to us, or if you call us. As a general rule, information such as your name and contact details as well as the content and time of the messages in question will be sufficient for us. We use this data to ensure that we can provide you with information or notifications, deal with your concerns, and communicate with you, as well as for quality assurance and training purposes.
  • Visiting websites: When you visit our website, we will process personal data based on the offer and functionality involved. This includes technical data, e.g. information on the time you accessed our website, the duration of the visit, the pages accessed, and the device used (e.g. tablet, PC or smartphone; "end device"). We use such data for the purposes of providing the website, for reasons of IT security, and to improve the user-friendliness of the website. We also use "cookies", i.e. files that are stored on the end device when you visit our website. In many cases, cookies are required for the functionality of the website and are deleted automatically following the visit. Other cookies are used to personalize the offering and are saved for a set duration (e.g. two years). We also use analysis services such as Google Analytics. This involves the collection of detailed information regarding patterns of behavior on the relevant website. We may also integrate functions from providers such as Facebook, which may lead to the provider in question obtaining data about you. In most cases, however, we do not know the names of website visitors.
  • Information and direct marketing: We process personal data in order to send information and advertising messages. For example, if you register for a newsletter, we will process your contact data. In the case of emails, we will also process information regarding your use of the messages (e.g. whether you opened an email and downloaded any images embedded therein). We do so in order to get to know you better, to gear our offers more precisely towards your needs, and to improve such offers in general. If you do not agree to the processing of usage data, you may block such processing in your email program.
  • Competitions, prize draws, and similar events: We now and again organize competitions, prize draws, and similar events. In such cases, we will process your contact information and details about your participation for the purposes of conducting the competitions and prize draws. Further information in this regard can be found in the relevant terms of participation.
  • Customer events: We will also process personal data in relation to any customer events held by us (e.g. advertising events, sponsorship events, cultural and sporting events). This includes the participants' or interested parties' names and mailing or email addresses as well as any further information that may be required, for example your date of birth or your phone number. We will process this data for the purpose of holding customer events, but also to allow us to contact you directly and get to know you better. Further information in this regard can be found in the relevant terms of participation.
  • Business partners: We work with various companies and business partners, for example with suppliers, commercial purchasers of goods and services, cooperation partners, and service providers (e.g. IT service providers). For purposes relating to contract initiation and performance, planning, and accounting, as well as for other purposes associated with the respective contract, we may also process personal data pertaining to contacts at the relevant companies, for example their name, role, title and communications with us. Depending on the area of activity, we are also required to check the company in question and its employees in more detail, for example by performing a security check. In this case, we will collect and process additional information. We may also process personal data to improve our customer focus, levels of customer satisfaction, and customer retention (customer/supplier relationship management).
  • Administration: We process personal data for our own and intra-Group administration. For example, we may process personal data for the purposes of invoice management, address management, etc. We also process personal data for accounting and archiving purposes and, in general, with a view to reviewing and improving internal processes.
  • Corporate transactions: We may also process personal data for the purposes of undertaking preparatory work and undertaking corporate takeovers and ‑sales as well as purchases and sales of assets.  The subject matter and scope of any data collected or transmitted will depend on the stage and object of the transaction.
  • Job applications: We will also process personal data if you apply for a position with us. Generally speaking, we will require the usual information and documents specified in the job advertisement.
  • Compliance with legal requirements: We process personal data in order to comply with legal requirements. This includes, for example, the acceptance and processing of complaints and other notifications, internal investigations, and the disclosure of documents to an authority if we have good reason or are legally obliged to do so.
  • Safeguarding of rights: We may process personal data in various forms in order to safeguard our rights, for example to enforce our rights both in or out of court and before national or foreign authorities or to defend against any claims. For example, we may seek clarification as to the prospects of success in relation to legal proceedings or submit documents to an authority. In doing so, we may process your personal data or disclose your data to third parties, either at home or abroad, to the extent required and permitted.

The table in section 14 at the end of this Privacy Policy provides a more detailed description of the kinds of personal data about you that we collect and process, how this data is used, for what purposes, and on what legal grounds. It also provides information on whether you are obliged to supply your personal data to us.

6. To Whom Do We Disclose Personal Data?

Our employees have access to your personal data to the extent required for the purposes defined and for the performance of the activities of the employees in question. Our employees act in accordance with our instructions and are bound by confidentiality and non-disclosure obligations in handling your personal data.

We may transfer your personal data to third parties if we wish to use their services ("contract data processors"). This primarily concerns services in the following areas:

  • Corporate management services, for example accounting or asset management
  • Advisory services, for example the services of tax advisors, lawyers, and management consultants, as well as the services of advisors in the fields of personnel recruitment and placement
  • IT services, for example in the areas of hosting, cloud services, the delivery of email newsletters, and data analysis and enhancement

In selecting contract data processors and by entering into appropriate agreements, we ensure that privacy is safeguarded throughout the processing of your personal data, including when data are processed by third parties.  Our contract data processors are under an obligation to process personal data solely on our behalf and in accordance with our instructions.

Furthermore, personal data may be transferred to other companies which may (also) use such data for their own purposes. In such cases, the data recipient is legally responsible as the controller of the data. This would apply in the following circumstances, for example:

  • If we are required to transfer personal data to another company in relation to transactions contemplated or carried out by us, including company mergers or the acquisition or sale of individual parts of a company or its assets. In such cases, we will inform you as early as possible and endeavor to process as little personal data as possible.
  • We may disclose your personal data to third parties if this is required by law. We also reserve the right to process your personal data in order to satisfy a court order or for the purpose of enforcing or defending legal rights or claims or if we consider such processing to be necessary on any other legal grounds.
  • We may disclose personal data about you to former employers if you apply for a position with us (references) or to future employers if you wish to apply for a new job. However, we will not do so in the absence of any request to this effect from you or without your consent.
  • If we transfer claims against you to other companies, such as collection agencies.

7. When Do We Transfer Your Personal Data Abroad?

The recipients of your personal data (section 6) may be located abroad – including outside of the EU or EEA. The countries in question may not have laws in place that afford your personal data the same level of protection as provided in Switzerland or in the EU or the EEA. In transferring your personal data to such a country, we are required to ensure the protection of your personal data in a suitable manner (Articles 46 and 47 of the GDPR). One means of doing so is to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. These include agreements that have been approved, issued, or adopted by the European Commission and the Federal Data Protection and Information Commissioner, referred to as standard contractual clauses (legal basis set out in Article 46(2) of the GDPR). Data may also lawfully be transferred to recipients that are subject to the US Privacy Shield Program. Please contact us if you would like a copy of our data transfer agreements (cf. section 2 ). Examples of the types of agreement generally used can be found here. In exceptional circumstances, the transfer of personal data to countries without appropriate protection is also permitted in other cases, for example on the basis of explicit consent (Article 49(1)(a) of the GDPR), for the performance of a contract with the data subject or the handling of his or her contract application (Article 49(1)(b) of the GDPR), for the conclusion or performance of a contract with somebody else in the interests of the data subject (Article 49(1)(c) of the GDPR), or for the establishment, exercise, or defense of legal claims (Article 49(1)(e) of the GDPR).

Do We Conduct Profiling and Use Automated Decision-Making?

"Profiling" refers to a procedure during which personal data is processed on an automated basis in order to assess, analyze, or predict personal aspects, for example an individual's personal preferences, interests, behavior or location. We often conduct profiling, for example in analyzing shopping behavior, etc.

"Automated decision-making" refers to any decision that is made on an automated basis, i.e. with no relevant human influences, and may have negative legal implications or other similar adverse consequences for you. We will provide separate information on any automated decision-making deployed by us in specific cases, insofar as such information is legally required.

9. How Do We Protect Your Personal Data?

We take appropriate technical measures (e.g. encryption, pseudonymization, record keeping, access restrictions, data backups) and organizational measures (e.g. instructions issued to employees, confidentiality agreements, audits) in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to address the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable in most cases.

10. For How Long Do We Store Your Personal Data?

We store your personal data in a personalized form for as long as it is required for the specific purpose for which it was collected. In the case of contracts, personal data is stored for at least the duration of the contractual relationship. We also store personal data if we have a legitimate interest in storing it. This may apply, for example, if we require personal data for the purpose of enforcing rights or defending against claims, for archiving purposes, to ensure IT security, or if limitation periods apply in respect of any contractual or non-contractual claims. In many case, a limitation period of ten years will apply, for example, while in other cases a five-year or one-year limitation period may apply. We also store your personal data if it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data. Shorter retention periods apply for other data, for example for recordings from CCTV or for recordings of certain online processes (log data). In certain cases, we will also ask for your consent if we want to store your personal data for longer periods (e.g. for job applications that we wish to keep on file). At the end of the periods specified, we will erase or anonymize your personal data.

11. What Rights Do You Have in Connection with the Processing of Your Personal Data?

You may object to the processing of your personal data at any time and are generally free to withdraw your consent to any data processing activity. A right to object exists, in particular, with respect to data processing relating to direct advertising (e.g. advertising emails).

You also have the following rights:

Right to information

You have the right to transparent, easy-to-understand, and comprehensive information with respect to how we process your personal data and what rights you have with regard to the processing of your personal data. We meet this obligation by providing this Privacy Policy. If you would like further information, please do not hesitate to contact us (cf. section 2).

Right to information

You have the right to request access to any personal data stored and processed by us at any time free of charge. You therefore have the opportunity to check what personal data about you we process and that we use this data in accordance with the applicable data protection provisions.

In certain cases, the right of access may be restricted or excluded, in particular:

  • if we have any doubts concerning your identity and are unable to identify you;
  • to protect other individuals (e.g. to comply with confidentiality obligations or safeguard the data protection rights of third parties);
  • in the event that the right of access is exercised excessively (alternatively, we may request payment in consideration of providing access in such instances); or
  • if the providing full access would involve disproportionate effort.

Right to rectification

You have the right to have inaccurate or incomplete personal data rectified and to be informed about such rectification. In such cases, we will inform the recipients of the affected data about the changes, unless this is impracticable or involves disproportionate effort.

You have the right to have your personal data erased. You can request the erasure of your personal data if:

  • the personal data is no longer required for the intended purposes;
  • you have effectively withdrawn your consent or have effectively objected to the processing of your data; or
  • the personal data is being processed unlawfully.

In such cases, we will inform the recipients of the affected data about the erasure, unless this is impracticable or involves disproportionate effort.

In certain cases, the right to have personal data erased may be excluded, especially if the processing activity is required:

  • to exercise the right of freedom of expression;
  • to comply with a legal obligation or is in the public interest; or
  • to enforce legal claims.

Right to restriction of processing

Under certain conditions, you have the right to request that the processing of your personal data is restricted. This may mean, for example, the personal data is (temporarily) no longer processed or that published personal data is (temporarily) removed from a website. In such cases, we will inform the recipients of the affected data about the changes, unless this is impracticable or involves disproportionate effort.

Right to data portability

You have the right to receive personal data that you have provided to us in a readable format, free of charge, if

  • the specific data processing activity is based on your consent or is required for the performance of a contract; and
  • the processing is performed with the assistance of automated processes.

Depending on the circumstances, your personal data may be transferred to you personally or directly to the third-party provider.

Right to lodge a complaint

You have the right to lodge a complaint to a competent supervisory authority with respect to the manner in which your personal data is processed.

Right to withdraw consent

In principle, you have the right to withdraw consent previously given at any time. Data processing activities performed in the past on the basis of your consent will, however, not become unlawful due to you withdrawing consent.

12. What Else Do You Need to Bear in Mind?

The GDPR requires that the applicable legal basis for data processing activities is specified. The processing of personal data is allowed, in particular, if:

  • this is required for the performance of a contract with the data subjects or for pre-contractual measures requested by the data subjects (e.g. reviewing their application to enter into contract – legal basis set out in Article 6(1)(b) of the GDPR); or
  • this is required for legitimate interests, provided that the interests or fundamental rights and freedoms of the data subject are not overriding (legal basis set out in Article 6(1)(f) of the GDPR). These legitimate interests include our own interests and third-party interests. These interests are very diverse and include, for example interests in connection with the supply of products and services to third parties (e.g. recipients); interests in connection with good customer support, maintaining contact and other communications with customers, including outside the framework of a contract; interests in performing advertising and marketing activities; our interest in getting to know our customers and other individuals better; our interest in improving existing products and services and developing new ones; our interest in facilitating intra-Group management and intra-Group communication, which is necessary with a Group that requires cooperation between parties; our interest in combating fraud, for example in online shops, and in the prevention and investigation of offenses; our interest in protecting customers, employees, and other individuals and data, as well as secrets and assets; our interest in ensuring IT security, especially in connection with the use of websites, apps and other IT infrastructure; our interest in safeguarding and organizing business operations, including the running and further development of websites and other systems; our interest in ensuring corporate management and development; any interest in selling or purchasing companies, parts of companies, or other assets; any interest in the enforcement or defense of legal rights and claims; and our interest in complying with Swiss law and internal rules and regulations;
  • this is based on effective consent that has not been withdrawn (legal basis set out in Article 4(11) and Articles 7 and 8 of the GDPR); or
this is required for compliance with legal obligations (legal basis set out in Article 6(1)(c) of the GDPR).

The processing of sensitive personal data (see section 3 is subject to more stringent restrictions. Such processing is, for example, permitted:

  • on the basis of effective and explicit consent that has not been withdrawn (legal basis set out in Article 9(2)(a) of the GDPR);
  • if the processing activity relates to personal data that the data subject has manifestly made public (legal basis set out in Article 9(2)(e) of the GDPR);
  • if this is required for the safeguarding of rights (legal grounds stipulated by Article 9 (2)(f) of the GDPR); or
  • if this is required in order to ensure compliance with certain legal provisions (legal basis set out in Article 9(2)(a) of the GDPR).

The transfer of data abroad is also only permitted under certain conditions. Information in this regard can be found in section  7.

In the table under section  14 at the end of this Privacy Policy, you can find further information with respect to the legal basis typically applying to the relevant data processing activities. However, due to the complexity of many data processing activities, it cannot be ruled out that in certain circumstances other legal grounds may also apply.

The GDPR also requires that you are provided with information on whether you are obliged to supply personal data or whether this is necessary for the conclusion of a contract and what the consequences of not providing this data would be. Generally speaking, there is no obligation to disclose personal data to us unless you have entered into a contractual relationship with us that establishes such an obligation. We will, however, be required to collect and process any personal data that is necessary or legally prescribed for the purposes of commencing and performing a contractual relationship and meeting related obligations. Otherwise, it will not be possible for us to conclude or continue the contract in question. The processing of certain data is also mandatory in relation to the use of websites. Although you can prevent cookies from being saved (further information in this regard can be found in this Privacy Policy), the recording of certain data, although generally not of a personal nature, such as your IP address, cannot be prevented for technical reasons.  

Under certain circumstances, you may wish or be required to transfer personal data of third parties to us.  Please note that in such cases you are required to inform the data subjects about the transfer of this data and about this Privacy Policy and to ensure that the personal data in question is accurate.

13. Changes to this Privacy Policy

This Privacy Policy may be updated over time, especially if we change our data processing activities or if new legal provisions become applicable. We will actively inform individuals whose contact details are registered with us of any material changes, provided that we can do this without disproportionate effort. Generally speaking, however, the version of the Privacy Policy in effect at the time at which the data processing activity in question commences is applicable.

14. Reasons for data collection; scope, purpose and obligation to provide data; legal basis for processing

14.1 Communication
14.2 Visits to our website
14.3 Information and direct marketing
14.4 Participation in competitions, prize draws, and similar events
14.5 Participation in customer events
14.6 Promotion programs
14.7 Contact with our company as a business partner
14.8 Administration
14.9 Job applications
14.10 Compliance with legal requirements
14.11 Safeguarding rights

In this table, you can find detailed information on the individual processing purposes, the personal data processed to this end, the applicable legal basis, and any obligation to disclose relevant personal data to us. Please note that in many cases it is not possible to provide an exhaustive list.

14.1 Reason for data collection: Communication

Processed personal data

We collect and process personal data if you contact us or we contact you in writing, electronically, or by phone, for example if you contact Customer Services and if you send us an email or letter or call us [, but also e.g. if you leave a comment on our website]. In such cases, we process contact and communication details. This includes, in particular, the following personal data:

  • Name
  • Contact data based on the form of communication, for example your mailing address, email address or telephone number
  • Details about third parties who are mentioned in the communication, as applicable
  • The content and time of the communication

The exact scope of the personal data is largely dependent on the content of the communication. If you transfer sensitive personal data to us, we will also process this. Telephone conversations with us may be recorded. In such cases, you will be informed accordingly in advance.

Processing purpose and obligation to provide personal data

In particular, we process personal data in this context for the following purposes:

  • Communication with you
  • Customer services and -care
  • Quality assurance and training
  • All other processing purposes, to the extent that they require communication (e.g. performance of contracts)

in this case, you are generally under no obligation to provide us with specific information. Often, however, we can only respond to you, handle your concerns, and communicate with you if we process certain information as a minimum. If you do not want us to record telephone conversations, you can cut off the telephone call at any time and correspond with our Customer Services in another way (e.g. via email).

Legal basis

If communication is initiated by you, we will deem this to constitute consent to the processing of your personal data (Article 6(1)(a) and, where applicable, Article 9(2)(a) of the GDPR). The processing performed by way of Customer Services and through communication is in many cases also in our legitimate interest (Article 6(1)(f) of the GDPR), as this allows us to communicate with customers and other individuals, improve the quality of our services, prevent errors in our processes, and achieve a high level of customer satisfaction.

14.2 Reason for data collection: Visits to our website

Processed personal data

Technical data: Each time our website is visited, certain data is automatically collected by us for technical reasons and stored in log files. This includes, for example, the following data:

  • IP address and device-specific details such as the MAC address and device operating system
  • The user's Internet service provider
  • Accessed contents and the date and time of the website visit

Some cookies also originate from third-party companies. This will apply, for example, if we use functions on our website that are provided by third parties. This affects analysis services, which also work with cookies; information in this regard can be found in this table under "Visits to our website (analyses)".

Technical data and cookies often do not contain any personal data. It is often not possible for us to assign the information collected in this way to a particular person.

Analysis of user behavior: On our website, we use Google Analytics, an analysis service of Google, Inc. in the US. Google Analytics uses cookies that enable analysis of website usage. This means that information about your behavior on our website and the end device (tablet, PC, smartphone, etc.) used for this purpose will be saved. This includes, for example, the following usage data:

  • Browser type and version
  • The address (URL) of the website from which you accessed our website
  • Provider name
  • IP address of end device
  • Date and time our website was accessed
  • Visited pages and length of stay.

This information is saved on a Google server in the US. Provided you have activated the IP anonymization function, your IP address will, however, be abbreviated in the EU or EEA. The full IP address is only transmitted to the US in exceptional circumstances. In the US, Google is bound by the US Privacy Shield Program. Google Analytics also makes it possible to assign dates, sessions and interactions across several end devices to a pseudonym user ID, allowing the activities of an unnamed user on different devices to be analyzed. Further information can be found under the Terms of Service or the Privacy Policy of Google.

We use similar services of other providers. Such providers often do not receive any personal data, but they may record the usage of the relevant website by the user, for example through the use of cookies and other technologies. These records may be combined with similar information from other websites. The behavior of a particular user can thus be recorded across several websites and several end devices. The provider concerned may also use this data for its own purposes, for instance for personalized promotions on its own website and other websites that it provides with advertisements. If a user is registered with the provider, the provider may be able to attribute usage data to the individual concerned. It will generally obtain the consent of the data subject for such purpose and allow him or her to withdraw such consent in accordance with its requirements. Such personal data is processed by the provider under its own responsibility and in accordance with its own data protection provisions.

Processing purpose and obligation to provide personal data

We process your personal data in this context for the following purposes:

  • Provision of the website: The recording of certain log files and cookies is essential for the provision of the website and its functions for technical reasons. Other cookies help us to provide and safeguard the various functions and offers available on our website.
  • Personalization of website: Some cookies are used to adjust our online offers in line with your needs (e.g. by saving your chosen language).
  • Website management: The saving and processing of log files and cookies helps us with maintenance and troubleshooting, in safeguarding the security of our website, and in combating fraud.
  • Third-party cookies allow the companies in question to provide services to us or to display advertisements to you that you may actually be interested in.

Collecting the data specified is not mandatory but is required in many cases for the purpose of using the website and certain functions. However, you can configure your end device to display a message before a new cookie is created. This means you can also reject cookies. Furthermore, you can delete cookies from your end device. You also have the option to prevent the recording of data created by the cookie (incl. your IP address) and the processing of this data by downloading and installing an appropriate browser add-on. The rejection or deactivation of cookies may, however, mean that you are unable to use all of the website's functions.

This information is used, in particular, in order to better understand the use of our website and to improve its content, functionality, and retrievability. For example, this data allows us to see the sites from which most of our users access our website, which pages are visited the most, and on which page most visitors leave our website.

We may also evaluate this personal data and combine this with other personal data, for example to non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

You can prevent the use of Google Analytics by installing a browser add-on. [You can also set an opt-out cookie by clicking here]. An opt-out cookie prevents any future recording. However, it only applies for the browser in question. In order to prevent recording across several end devices, you need to implement the opt-out on all devices and browsers used. If you delete your cookies in a browser, the opt-out cookie will also be removed.

You also have the option to withdraw any consent issued to providers (information in this regard can be found in the left-hand column) or to object to their processing activities, for example those performed by Google via https://adssettings.google.com.

Legal basis

The processing of log files and cookies for the stated purposes is in our legitimate interest (Article 6(1)(f) of the GDPR). Some cookies are required, for example, in order to save individual settings or provide shopping baskets. Such customization is also in the interests of visitors to our websites. The analysis of the use of our websites also represents a legitimate interest.

The processing purposes specified are in our legitimate interest (Article 6(1)(f) of the GDPR). Our webpages are a very important tool for us in terms of customer communication and -acquisition. It is key for us that we keep our websites functional, attractive, and personal.

14.3 Reason for data collection: Information and direct marketing

Processed personal data

If you register for an electronic newsletter and other electronic notifications, we will process, in particular, the following personal data:

  • Your name
  • Your email address and/or your cell phone number
  • Information as to whether you have consented to or objected to receiving such notifications

We can also process data about your use and response to such notifications.

  • Delivery of notification
  • Opening and possible forwarding of notification
  • Links clicked (objective, date, and time).

We may also evaluate your personal data and combine this with other personal data, for example to non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

We process your personal data so that we can send you electronic notifications, including messages of a promotional nature. We process personal data with respect to your use of and response to the notifications in order to get to know you better and to enable us to gear our offers to your needs in a more targeted manner.

Such data processing is optional for you. However, if you do not provide us with your personal data and, in particular, your email address, we will not be able to offer you this service. You can withdraw your consent for electronic newsletters at any time by deregistering from this service. This is possible via a link in every electronic newsletter or by sending an email to info@cremesso-newsletter.de.

Legal basis

We deem your registration for an electronic newsletter to represent consent to the processing of the named personal data for the specified purposes (Article 6(1)(a) of the GDPR). We also have a legitimate interest in advertising directly and analyzing your response to such advertisements. Both are important to us so that we can be successful on the market.

14.4 Reason for data collection: Participation in competitions, prize draws, and similar events

Processed personal data

We collect and process personal data if you participate in competitions, prize draws, and similar events (each referred to as an "event"). The scope of the processed personal data may vary from event to event. This information includes, in particular, the following personal data:

  • Your name
  • Your date of birth
  • Your contact details
  • The fact that you are participating
  • The outcome of your participation
  • Correspondence about the event, as applicable.

Further information in this regard can be found in the relevant terms of participation.

We may also evaluate your personal data and combine this with other personal data, for example with non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

We will process your personal data in connection with events in order to conduct the relevant event and to enable us to notify the winner. We may also use your name and contact details for advertising purposes. Participation in such events is voluntary but is not possible without the processing of personal data.

Legal basis

By taking part in an event, you provide consent to the processing of your personal data for this purpose (Article 6(1)(a) of the GDPR). The processing also serves legitimate interests (Article 6(1)(f) of the GDPR). This allows us to gear our services towards your needs and interests in a more precise and targeted manner and also expand and improve our offers. This is important to us, as it enables us to compete successfully in the market.

14.5 Reason for data collection: Participation in customer events

Processed personal data

We will process personal data if we invite you to a customer event (e.g. advertising events, sponsorship events, cultural and sporting events). This includes, in particular, the following personal data, which may be sensitive:

  • Your name
  • Your contact details
  • Your participation or non-participation
  • Other data appropriate to the customer event, such as your date of birth.

We may also evaluate your personal data and combine this with other personal data, for example with non-personalized statistical data and other personal data that we have collected about you in order to extrapolate information about your preferences and interest in certain products or services.

Processing purpose and obligation to provide personal data

In particular, we process your personal data so that we can invite you to our events and also to find out which customer events may be of interest to you.  This allows us to draw your attention to customer events that we hope may be of interest to you in a targeted manner. Participation in such events is voluntary but is not possible without the processing of personal data.

Legal basis

We process your personal data after you have provided us with your consent (Article 6(1)(a) of the GDPR) in order to inform you about relevant customer events or if you have registered for one of our customer events.

The processing activities specified are in our legitimate interest (Article 6(1)(f) of the GDPR), as they allow us to contact you personally and get to know you better.  This allows us to gear our services towards your needs and interests in a more precise and targeted manner and also expand and improve our offers. This is important to us, as it enables us to compete successfully in the market.

14.6 Reason for data collection: Contact with our company as a business partner

Processed personal data

If you work for a company that supplies goods or services to us, purchases goods or services from us, or cooperates with us in some other way, we may, for example, process the following personal data about you:

  • Your name
  • Your title, position, area of activity, and relationship to the company concerned;
  • Positions held during your career
  • Your interactions with us

We will process other personal data, which may include sensitive data, when reviewing whether we want or are able to work with your company (e.g. in the course of performing security checks). If you work at our premises, we will also process other contact details, e.g. the following information:

  • Your nationality and residency status
  • Copies of passport and identification documents
  • Previous convictions and any criminal enforcement measures
  • Data pertaining to user accounts and the use of such accounts
  • Badge number and -use
  • Your use of our IT infrastructure
  • Video recordings (if you access areas monitored by CCTV).

We will generally inform you separately about such processing activities or request your consent.

Processing purpose and obligation to provide personal data

In particular, the processing of personal data serves the following purposes:

  • To check whether we supply or purchase goods or services to or from your company or whether we want and are able to work with your company (e.g. as part of suitability checks, checks for conflicts of interest)
  • To check whether your company provides the required level of security, for example in the event that it processes personal data on our behalf
  • To communicate with you and your company, for example as part of the performance of a contract
  • To plan staff deployment and, where applicable, your deployment and the deployment of your company's employees
  • For training purposes
  • For monitoring and performance assessment purposes
  • To prepare and undertake corporate takeovers and sales as well as similar transactions
  • For customer and supplier relationship management in order to get to know you and your company better, improve our customer focus, and increase levels of customer satisfaction and retention (customer relationship management, "CRM")
  • For accounting purposes
  • For the administration and management of our IT and other resources
  • To exchange personal data within the Group.

You are under no obligation to disclose the personal data specified to us. If you do not wish to provide the required personal data to us, we may be unable to work with you. In exceptional circumstances, we may even be legally required to process such personal data.

Legal basis

The processing specified is in our legitimate interest (Article 6(1)(f) of the GDPR), as it allows us to use and sell goods and services. We also have a legitimate interest in preventing abuse and ensuring an adequate level of security. The provision of customer care is also in our legitimate interest. If we have a contract directly with you or you wish to conclude a contract directly with us, we will process your personal data for the purpose of concluding and performing the contract concerned (Article 6(1)(b) of the GDPR).

To the extent that we process sensitive personal data for the specified purposes, we will generally do so for the purposes of enforcing, exercising or defending legal rights or on the basis of your explicit consent (Article 9(1)(a) and 9(1)(f) of the GDPR).

14.7 Reason for data collection: Administration

Processed personal data

In the course of performing internal administrative and management operations, we will process personal data, which may include sensitive personal data, about our customers, business partners, and third parties, for example for IT management purposes.

Processing purpose and obligation to provide personal data

We will process such personal data, in particular, for the following purposes:

  • Reviewing and improving our internal processes
  • Accounting
  • Archiving
  • Training
  • Other administrative purposes

These purposes may relate to us or companies affiliated to us.

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). Such processing may also be required in furtherance of our legitimate interest in corporate and internal Group management (Article 6(1)(f) of the GDPR).

14.8 Reason for data collection: Corporate transactions

Processed personal data

In certain circumstances, we may review transactions or execute transactions involving the sale or purchase of companies, parts of companies, or other assets, or the creation of encumbrances. In this context, the scope of personal data processing will depend on the purpose and stage of the transaction, and may also include sensitive personal data. In certain circumstances, such information may be disclosed to, or collected by, potential contracting partners, to the extent permitted by law. In the event that we sell receivables, we will, for example, transfer information to the purchaser regarding the reason for and amount of the receivable and, where applicable, regarding the credit rating and behavior of the debtor.

Processing purpose and obligation to provide personal data

Data will be processed, in particular, for the purpose of assessing and, where applicable, executing the relevant transactions. It may also be necessary to file reports with the authorities both at home and abroad.

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). This is in our legitimate interest (Article 6(1)(f) of the GDPR). To the extent that we process sensitive personal data, such processing activities will normally be based on your explicit consent (Article 9(2)(a) of the GDPR).

14.9 Reason for data collection: Job applications

Processed personal data

If you apply for a position with us, we will process your contact details and the information transmitted to us (e.g. the application, family status, résumé, knowledge and skills, interests, references, qualifications, certificates). Such information may include sensitive personal data, such as dates of birth or details of trade union membership. During the job application process, other personal data may also be required depending on the position and job profile.

Processing purpose and obligation to provide personal data

We will process your personal data in order to assess your suitability for the position concerned and talk to you about potential employment, and, where applicable, for the purposes of preparing and concluding a contract. Subject to your consent, we will also, where applicable, keep your application on file if we decide not to recruit you, or you decide not to take a job, in the event that another position becomes vacant at a later date. Although providing the personal data specified is optional we are unable to process an application without the personal data required for this purpose.

Legal basis

If you apply for a position with us, we will process your personal data with a view to a possible contract (Article 6(1)(a) of the GDPR). In submitting your application, you will also be deemed to have consented to such processing activities (Article 6(1)(a) and Article 9(2)(a) of the GDPR).

14.10 Reason for data collection: Compliance with legal requirements

Processed personal data

In certain circumstances, we may be required or wish to process personal data in order to comply with legal obligations. We may, for example, receive and process complaints and reported irregularities, or the authorities may request documents containing your name and contact details or conduct an investigation in relation to us. We may also conduct internal investigations during which your personal data may also be processed.

Processing purpose and obligation to provide personal data

We process this personal data for the following purposes:

  • To ensure compliance with legal obligations, including orders issued by the courts or the authorities
  • Preventive measures to ensure compliance
  • Measures to detect and investigate abuses

Legal basis

Processing for the specified purposes is required for compliance with legal obligations and is in our legitimate interests (Article 6(1)(c) and (f) of the GDPR).

14.11 Reason for data collection: Safeguarding rights

Processed personal data

We will process personal data for the purpose of safeguarding our rights, for example to enforce our rights both in or out of court and before national or foreign authorities or to defend against any claims. For example, we may seek clarification as to the prospects of success in relation to legal proceedings or submit documents to an authority. The authorities may also require us to disclose documents that contain personal data. In addition to the contact details of data subjects, we may process other personal data, depending on the circumstances, such as information on events that led to or could give rise to a dispute. Such information may include sensitive personal data.

Processing purpose and obligation to provide personal data

We will process this personal data for the following purposes:

  • Investigating claims and enforcing rights, which may also include the rights and claims of affiliated companies and other contracting and business partners
  • The defense of claims against us, our employees, any affiliated companies, and any contracting or business partners
  • Seeking clarification as to the prospects of success in relation to legal proceedings and with respect to any other legal, commercial or other matters;
  • Involvement in proceedings before the courts and authorities at home or abroad

Legal basis

Processing for the specified purposes may be required for the performance of contracts (Article 6(1)(b) of the GDPR). Such processing is in our legitimate interest and, where applicable, in the legitimate interests of third parties (Article 6(1)(f) and Article 9(2)(f) of the GDPR).