A. Privacy Statement
I. Name and Address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:
Company name: MUSSLER COSMETIC PRODUCTION GMBH & CO. KG
Represented by: Mr Florian Mußler
II. Name and address of the data protection officer
Contact details of the data protection officer:
Name: Thorsten Franz, company FranzX Organisation & IT
Address: Panoramastr. 20
74336 Brackenheim (Germany)
Phone: +49 (0) 7135-990901-0
III. General information regarding data processing
Scope of the processing of personal data
In general, we process the personal data of our users only as required for the provision of a functional website, our content and services.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system automatically records data and information about the computer system of the accessing computer.
The following data are collected in the process:
(1) Information regarding the browser type and version used
(2) The user's operating system
(3) The internet service provider of the user
(4) The user's IP address
(5) Date and time of access
(6) Websites from which the user's system reached our website
(7) Websites which are accessed by the user's system via our website
The data are saved in the log files of our system. These data are only required to analyse any disturbances and are erased within 30 days at the latest. The IP address must be temporarily stored by the system in order to enable the provision of the website to the user's computer. For this purpose, the user's IP address must be saved for the duration of the session. The IP address is saved in log files in order to ensure that the website is functional. Furthermore, the data help us to optimise the website and ensure the security of our IT systems. Data are not analysed for marketing purposes in this context nor are any conclusions drawn about your person. Our webservers are hosted in the computing centre of our hosting provider in Germany.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 (1)(f) GDPR.
3. Purpose of data processing
The IP address must be temporarily stored by the system in order to enable the provision of the website to the user's computer. For this, the IP address of the user must remain saved for the duration of the session.
Storage in log files occurs in order to ensure the functionality of the website. Furthermore, the data help us to optimise the website and to ensure the security of our IT systems. Data are not analysed for marketing purposes in this context nor are any conclusions drawn about your person.
These purposes form the basis for our legitimate interest in data processing in accordance with Art. 6 (1)(f) GDPR.
4. Duration of storage
The data are erased as soon as they are no longer required to achieve the purpose for which they were collected. If data are collected for the provision of the website, this is the case if the respective session has ended.
If the data are saved in log files, this is the case after 30 days at the latest.
5. Right to object and right to rectification
The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website.
a) Description and scope of data processing
The following data are stored and transferred in the cookies:
(1) Session ID
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 (1)(f) GDPR.
c) Purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Without cookies, some of the functions of our website may not be available. In order for these functions to work, the browser also needs to be recognised after changing pages. We require cookies for the following applications:
(1) Operation of the website system
The user data collected using technically necessary cookies will not be used to create user profiles. These purposes also form the basis for our legitimate interest in processing personal data in accordance with Art. 6 (1)(f) GDPR.
d) Duration of storage, right to object and right of rectification
VI. Contact form and email contact
1. Description and scope of data processing
A contact form is provided on our website, which can be used to contact us electronically. If a user takes advantage of this possibility in this respect, the data in the input mask will be transferred to us and stored.
These data are:
- Email address
- Nature of the inquiry (if marked)
- Your message
The following data will also be stored at the time the message is sent:
(1) The IP address of the user
Alternatively, contact can occur using the email address provided. In this case, the user's personal data transferred via email will be saved.
The data will not be shared with third parties in this respect. The data will only be used to process the conversation.
2. Legal basis for data processing
The legal basis for the processing of data transferred in connection with the submission of the contact form or email is Art. 6 (1)(f) GDPR. If the purpose of contact is to conclude a contract, the additional legal basis for processing shall also be Art. 6 (1)(b) GDPR.
3. Purpose of data processing
We use the personal data from the input mask solely for processing the contact. This also forms the basis for the necessary legitimate interest in the processing of data.
The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
4. Duration of storage
The data are erased as soon as they are no longer required to achieve the purpose for which they were collected. For personal data from the input mask of the contact form and data sent via email, this is the case if the respective conversation with the user has ended. The conversation has ended if it can be concluded, based on the circumstances, that the respective matter has been clarified in its entirety.
The personal data additionally collected during the submission process will be erased within 30 days at the latest.
5. Right to object and right of rectification
Users have the right, at any time, to withdraw their consent to the processing of their personal data. If the user contacts us via email, he or she can object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued.
We recommend exercising this right in a phone call. This way, no additional personal data will be saved.
In such a case, all personal data saved when contacting us will be erased.
VII. Rights of the data subject
The following list covers all rights of the data subject under the GDPR.
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:
1. Right of access
You can request that we confirm whether or not we process personal data concerning you.
If we do indeed process personal data concerning you, you may request the following information from us:
(1) the purposes of the processing of your data;
(2) the categories of personal data processed;
(3) the recipients and/or categories of recipients, to whom the personal data concerning you has been or will be disclosed;
(4) the planned duration of storage of personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage duration;
(5) the existence of a right to the rectification or erasure of personal data concerning you, a right to the restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal with a supervisory authority;
(7) all available information regarding the origin of the data if the personal data is not collected from the data subject;
2. Right to rectification
Vis-à-vis the controller, you have the right to rectification and/or to have data completed insofar as the processed personal data concerning you are incorrect or incomplete. The controller must immediately rectify the data.
3. Right to the restriction of processing
You can request the restriction of the personal data concerning you under the following circumstances:
(1) if you object to the accuracy of the personal data concerning you for a period of time, which allows the controller to evaluate the accuracy of the personal data;
(2) the processing is unlawful and you refuse the erasure of the personal data and instead request the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of processing, however, it needs the data for the establishment, exercise or defence of legal claims, or
(4) if you have objected to processing as per Art. 21 (1) GDPR and it is not certain whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data concerning you was restricted, these data – apart from their storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or in order to protect the rights of another natural or legal person or for reasons relating to a crucial public interest of the Union or a member state.
If processing has been restricted in accordance with the aforementioned prerequisites, the controller will inform you before restriction.
4. Right to erasure
a) Duty of erasure
You may request that the controller erase, without undue delay, personal data concerning you and the controller is obligated to erase this data without undue delay insofar as one of the following reasons applies:
(1) The personal data concerning you are no longer needed for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent, which processing is based on in accordance with Art. 6 (1)(a) or Art. 9 (2)(a) GDPR and there exists no other legal basis for processing.
(3) You object to processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate reasons for processing or you object to processing in accordance with Art. 21 (2) GDPR.
(4) The personal data concerning you were unlawfully processed.
(5) The personal data concerning you must be erased in order to fulfil a legal obligation under Union law or the law of the member states, which the controller is subject to.
(6) The personal data concerning you was collected in relation to the offered services of information society in accordance with Art. 8 (1) GDPR.
b) Information to third parties
If the controller has disclosed the personal data concerning you and is obligated to erase them under Art. 17 (1) GDPR, it shall, taking into account available technology and implementation costs, take appropriate measures, also of a technical nature, in order to inform the parties responsible for data processing, who process personal data, that you, as the data subject, have requested that they erase all links to said personal data or erase any copies or reproductions of said personal data.
The right to erasure does not exist to the extent the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfil a legal obligation under the law of the Union or the law of the member states, to which the controller is subject or in order to perform a task that is in the public interest or to exercise public authority that has been transferred to the controller;
(3) for public health reasons in accordance with Art. 9 (2)(h) and (i) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR to the extent that the right specified under section a) foreseeably renders impossible or seriously impairs the achievement of the objectives of processing or
(5) for the establishment, exercise or defence of legal claims.
5. Right to information
If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, said party is obligated to inform all recipients, to whom the personal data concerning you has been disclosed, of said rectification or erasure of the data or restriction of processing unless this proves to be impossible or involves disproportionate effort.
Vis-à-vis the controller, you have the right to be notified of these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format. You also have the right to transfer this data to another controller without being hindered by the controller to whom the personal data was provided insofar as
(1) processing is based on consent in accordance with Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or a contract in accordance with Art. 6 (1)(b) GDPR and
(2) processing is performed by automated means.
In exercising this right, you furthermore have the right to have the personal data concerning you transferred directly from one controller to another to the extent technically possible. This may not infringe upon the freedoms and rights of other persons.
The right to data portability does not apply to processing of personal data, which is required for the performance of a task in the public interest or in exercising public authority transferred to the controller.
7. Right to object
You have the right, for reasons pertaining to your specific situation, to object to the processing of the personal data concerning you, which is carried out on the basis of Art. 6 (1)(e) or (f) GDPR; this shall also apply to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless it is able to demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or the processing serves the establishment, exercise or defence of legal claims.
If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this shall also apply to profiling to the extent it is connected to such direct advertising.
If you object to processing for the purpose of direct advertising, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of services of information society – notwithstanding the Directive 2002/58/EC – to exercise your right to object by automatic means using technical specifications.
8. Right to the withdrawal of consent under data protection law
You have the right to withdraw, at any time, your consent under data protection law. The withdrawal of your consent shall be without prejudice to the lawfulness of the processing carried out based on consent before its withdrawal.
9. Automated decision-making in individual cases including profiling
We do not use this kind of processing.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the member state of your place of residence, your workplace or the place of the alleged breach if you believe that the processing of the personal data concerning you violates the GDPR.
The supervisory authority, with which the complaint is lodged, will inform the complainant regarding the status and results of the complaint, including any possible legal remedies in accordance with Art. 78 GDPR.