Privacy policy

Data protection policy

Protection of your personal data is important to us.

In the following, we would like to inform you that we ask for personal data from you and store it electronically. Your data will be stored and processed in accordance with the applicable provisions of the national data protection laws, as well as the General Data Protection Regulation (GDPR).

Controller within the provision of aforementioned regulations is:

Phototherm GmbH
Altenkesseler Str. 17 C1
66115 Saarbrücken

Phone: +49 681 – 97 62 300
Fax: +49 681 – 97 62 302

E-mail: info@phototherm.de
Website https://www.phototherm.de

I. General provisions

1.  Definitions

In order to improve the legibility and comprehensibility of our privacy policy, we would like to inform you about the general provisions used by the GDRP.

Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject
The data subject is an identified or identifiable natural person, whose personal data is processed by the person responsible.

Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Type and extent of data collection

Data is collected and processed when you access our website or retrieve a file stored on our website. As a rule, this does not take place unless it’s necessary to provide a functional website or its contents and services. Furthermore, personal data is regularly collected and used only after appropriate consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by legal provisions.

a.  Legal basis for the processing of personal data

If personal data is processed for fulfilling the contracts entered into with us, Art. 6 Para 1 lit. b GDRP serves as a legal basis. This also applies to processing operations, which are necessary to carry out pre-contractual actions.

If we obtain consent of the concerned person for processing operations of personal data, Art. 6 Para 1 lit. a GDRP serves as a legal basis.

If processing of personal data is required to fulfill a legal obligation, which our company is subject to, Art. 6 Para 1 lit. c GDRP serves as a legal basis.

In case vital interests of the concerned person or any other natural person require the processing of personal data, Art. 6 Para 1 lit. d GDRP serves as a legal basis.

If processing of data is required to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the concerned person do not outweigh the above-mentioned interest, then Art. 6 Para 1 lit. f GDRP serves as a legal basis for the processing.

b.  Data deletion and duration of storage

The personal data collected by us is deleted as soon as the purpose for storing the data ends.

Data is stored if there is a law, a Union regulation or other provisions authorizing such storage.

Furthermore, data is deleted when the retention period prescribed by the norms mentioned expires, unless there is a necessity for storing data further for concluding a contract or for the fulfillment of a contract.

II. Data collection at the website

1.  Logfiles
a.  Description and scope of data processing

When you access our website

  • Browser type/-version
  • Operating system used
  • Referrer URL (website visited previously), as well as pages retrieved on our website
  • IP address
  • Date and time of the server request
  • Internet Service Provider

are logged.

b.  Legal basis of data processing

Legal basis for storing data and the log files is Art. 6 Para 1 lit. f GDRP.

c.  Purpose of data processing

Storing data in log files ensures that our website is functioning properly. It further helps in optimization and security of our systems. Therein also lies our legitimate interest in the processing of data according to Art. 6 Para 1 lit. f GDRP. In accordance with this use, we do not evaluate data for marketing purposes.

d.  Duration of storage

The data stored by us is deleted as soon as we do not need it anymore for achieving the purpose for which it was collected. This happens at the latest after seven days. Storing data longer than that is possible. In this case, the users’ IP addresses are deleted or anonymized, in order to make identifying the user impossible.

e.  Possibility of opting out and elimination

Recording the data mentioned is absolutely necessary for the operation of the website. As a result, there is no option for the user to object to it.

2.  Cookies
a.  Description and scope of data processing

Our website uses cookies. Cookies are text files that are saved on the user’s computer system when retrieving our website. Cookies contain a string, which enables identification of the visitor’s browser when our website is retrieved again. We use technically necessary cookies, which help in making our services more user-friendly, more effective and more secure.
The following data, for example, is stored and transmitted in the cookies:

  • Items in the shopping cart
  • Login information
  • Language settings

The data obtained from this is pseudonymized by us. Therefore, it is not possible to link data back to the visitor. Furthermore, this data is not stored together with other personal data.
You can set your browser in such a way that you are informed about the setting of cookies and individually decide on their acceptance or refuse the acceptance of cookies for specific cases or in general. If you do not accept cookies, the functionality of our website may be limited.

Over and above that, we use cookies, which allow us to analyze the surfing habits of visitors to our website (so-called analysis cookies). The following data, for example, is stored and transmitted in the analysis cookies:

  • Page visits
  • Use of the website functions
  • Language settings

When retrieving our website, the user is informed about the use of cookies and the user’s consent is obtained for processing the personal data used.

b.    Legal basis of data processing

The legal basis for the processing of personal data by using cookies is Art. 6 Para 1 lit. f GDRP. The legal basis for the processing of personal data by using cookies for analysis purposes is Art. 6 Para 1 lit. a GDRP if the user has consented to using cookies.

c.    Purpose of data processing

Technically necessary cookies serve to simplify the use of websites. Some functions of the website or the online shop cannot be provided without the use of cookies. For these functions it is necessary that a browser returning to our website can be correctly identified. The user data collected by technically necessary cookies is not used for creating user profiles. Analysis cookies are used for improving the quality of our website and its contents. Through the analysis cookies we learn how our website is used and they enable us to continuously improve our services.

d.  Duration of storage, opt-out option and elimination

Cookies are saved on the user’s computer and are transmitted by it. That is why users also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your Internet browser. Cookies that are already saved can be deleted at any time. This can also happen automatically. Deactivating cookies for our website may result in the loss of some of the functions of our website.

3.  Contact form and email
a.  Description and scope of data processing

Visitors to our website are provided with a contact form for fast, electronic contact. The data entered in the input screen is transmitted to and stored by us. In addition, the IP address of the user as well as the date and time of transmission are stored at the time of sending. Alternatively, contact is possible via the email address provided. In this case, the user’s personal data transmitted via email is stored. Data is never transferred to third parties. The data is only used for processing the request.

b.  Legal basis of data processing

The legal basis for processing the data, if the user has consented to it, is Art. 6 Para 1 lit. a GDRP.
The legal basis for processing the data, which is transmitted while sending an email, is Art. 6 Para 1 lit. f GDRP. If contact via email aims to conclude a contract, then additional legal basis for the processing is Art. 6 Para 1 lit. b GDRP.

c.  Purpose of data processing

Processing of personal data serves the sole purpose of processing contact. In case of contact via email, this also includes the required legitimate interest in the processing of the data. Other personal data processed in the sending process serves the purpose of preventing misuse of the contact form and to ensure the security of our information technology systems.

d.  Duration of storage

The data is deleted as soon as we do not need it for achieving the purpose for which it was collected. For personal data from the input screen of the contact form and that which has been sent via email, this is the case when the respective conversation with the user has ended. The conversation ends when it is clear from the circumstances that the relevant facts have been finally clarified.
The additional personal data collected during the sending process is deleted at the latest after a period of seven days.

e.  Option to revoke consent and elimination

At any given time, the user has the option to revoke his consent to the processing of personal data. For this purpose, the user can contact the person responsible via the contact options provided on the website. If the user contacts us by email, then he/she may object to the storage of his personal data at any time. The conversation cannot continue in such a case.

4. Limit Log In Attempts Reloaded
a. Description and scope of data processing

To protect our website from brute force attacks, we use the Limit Log In Attempts service. The service stores the IP addresses logged when our website is called up in an encrypted form in the WordPress database.

b. Legal basis for data processing

The legal basis for the processing of users’ personal data is Art. 6 para. 1 lit. f DSGVO.

c. Purpose of the data processing

The legitimate purpose of using the service is to protect the website from unauthorised access. This is also the legitimate interest.

d. Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

e. Possibility of objection and removal

The user has the rights listed in the section “Rights of data subjects”.

 

III. Transfer of data to third parties for the purpose of fulfilling the contract

1. General
a.Description and scope of data processing

When you place an order, we collect and use your personal data only to the extent necessary to fulfil and process your order and to deal with your enquiries. The data entered by you during the ordering process will be passed on to service partners that we require to process the contractual relationship or to service providers that we use as part of order processing, insofar as this is necessary for the fulfilment of the contract or if you have given your consent.

In addition to the recipients named in the respective clauses of this data protection declaration, these are, for example, recipients of the following categories:

Shipping service providers, payment service providers, merchandise management service providers, service providers for order processing, web hosts, IT service providers and dropshipping merchants.

b.  Legal basis of the data processing

The processing described above serves to fulfil a contract to which the user is a party. The legal basis for the processing of the data Art. 6 para. 1 lit. b DSGVO.

c.   Purpose of the data processing

The transfer serves the fulfilment of our contractual obligations.

d.  Duration of storage 

Your data will be deleted when it is no longer required for the performance of the contract, unless there are contractual or statutory retention obligations to the contrary.

e.  Possibility of objection and removal 

The user has the possibility at any time to revoke the consent given to the person responsible or the provider. A revocation with regard to the processing of data that is absolutely necessary for the fulfilment of the contract is not possible.

 

IV. Data collection for analysis purposes

1. Two-click solution for integrating YouTube

We have integrated components from YouTube on our website. YouTube is an Internet video portal that enables video publishers to post video clips free of charge and other users to view, rate and comment on them free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programs, as well as music videos, trailers or videos made by users themselves can be accessed via the Internet portal.

The service on YouTube is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The website does not embed YouTube videos directly in the website. Profiling by third parties is therefore excluded.

In order to still be able to view our videos, users must first click on the preview image. The video can only be viewed after clicking away the message or logging in. Only at this point will data be transferred.

You can find more information on this at http://www.youtube.com/t/privacy_guidelines and under the data protection provisions published by YouTube, which can be accessed at https://www.google.de/intl/de/policies/privacy/. These provide information about the collection, processing and use of personal data by Google.

After clicking away the note, the legal basis is Art. 6 Para. 1 lit. a GDPR.

V. Rights of the data subjects

1. Information and access to personal data

Data subjects have the right to be provided with a confirmation if personal data is processed by a controller.

If personal data is collected, data subjects shall be provided with the following information:

  • purposes of the processing
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in
  • third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
    where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the access to data processed can be restricted

2. Right to rectification

The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him or her. The controller has to inform the data subject without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to rectification can be restricted

3.  Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDRP
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDRP, or point (a) of Article 9(2) GDRP, and there is no other legal ground for the processing;

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to restriction of processing can be restricted

4.Right to erasure (“right to be forgotten”)
A.Obligation to erasure

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
B.Information to third parties

Where the controller has made the personal data public and is obliged to erase personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

C.Exceptions

The right to erase shall not apply, if the processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDRP
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph a is likely to render impossible or seriously impair the achievement of the objectives of that processing
  • for the establishment, exercise or defense of legal claims.
5. Notification obligation

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

6.  Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.  Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.  Right to withdraw the data subjects consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9.  Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This shall not apply if the decision

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • is based on the data subject’s explicit consent.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Decisions shall not be based on special categories of personal data referred to in Article 9(1), unless suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

40 years of Phototherm!

This impressive span of time not only marks four decades of our existence, but also the continuous development and ongoing success that we have achieved together.
Anniversary