In accordance with the statutory requirements - in particular the EU General Data Protection Regulation (GDPR, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679&qid=1527152699969) - we will provide you with information concerning our company’s processing of personal data below.
Contents:
I. General Information
1. Key Terms
2. Scope
3. Data Controller
4. Data Protection Officer
II. Details concerning data processing operations
1. General information about data processing operations
2. Accessing our services
3. Customer Feedback
4. Tracking
5. Social Media Plug-ins
III. Rights of data subjects
1. Right to object
2. Right to information
3. Right to rectification
4. Right to erasure ("Right to be forgotten")
5. Right to restrict processing
6. Right to data portability
7. Right to withdraw consent
8. Right to lodge a complaint with a supervisory authority
I. General Information
In this section of the privacy policy, you will find information about the privacy policy’s scope, the data controller, its data protection officer and data security. We also explain in advance the meaning of key terms used in the Privacy Policy.
Browser: Computer program for displaying web pages (e.g., Chrome, Firefox, Safari)
Cookies: Text files that the accessed web server places on the user's computer through the browser used. The stored cookie information may comprise both a cookie identifier which is used for recognition, as well as content information such as registration status or information about visited websites. During every subsequent new visit to this page, the browser will send the cookie information to the web server again with every request. Most browsers accept cookies automatically. You can manage cookies using the browser functions (usually under "Options" or "Settings"). In this way, the storage of cookies can be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.
Third countries: Countries outside the European Union (EU)
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Council Directive 95/46/EC (General Data Protection Regulation), available at http://eur- lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L.2016.119.01.0001.01.eng
Personal data: All information relating to an identified or identifiable natural person. A natural person is deemed identifiable, directly or indirectly, if they can be identified by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features expressing that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
Profiling: Any automated processing of personal data consisting of the use of this personal data to evaluate certain personal aspects relating to a natural person, and particularly to analyse or predict aspects concerning this natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, residence or change of location.
Services: Our offers to which this privacy policy applies (see scope of application).
Tracking: The collection of data and its evaluation with regard to the behaviour of visitors to our services.
Tracking technologies: Tracking can be done both by using the log files stored on our web servers or by collecting data from your end device via pixels, cookies and similar tracking technologies.
Processing: Any operation or sequence of operations carried out with or without the aid of automated procedures in connection with personal data, such as the collection, recording, organization, ordering, storage, adaptation or modification, sorting, retrieval, use, disclosure by transmission, dissemination or any other form of provision, matching or linking, restriction, erasure or destruction.
Pixel: Pixels are also called tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML e-mails or on websites. When a document is opened, these small images will be loaded from a server on the internet, where the download is registered. This will allow the server operator to see if and when an e-mail has been opened or a website visited. This function is usually executed by calling a small program (JavaScript). This will enable certain types of information on your computer system to be recognized and passed on, such as the content of cookies, the time and date of page views and a description of the page on which the pixel code is located.
This privacy policy applies to the following offers:
● our “Freedreams GmbH” online offer (website), which can be accessed in particular at freedreams.de/de and daydreams .com
● whenever reference is made to this privacy policy from one of our offers (e.g. websites, sub-domains,
mobile applications, web services or integration into third party sites) irrespective of how you access
or use it.
All these offers will also be referred to collectively as “Services”.
The legal entity responsible for data processing - i.e. the entity which decides on the purposes and means of processing personal data - in connection with the services is:
Freedreams GmbH
Kalkarer Str. 81
47533, Kleve, (NRW),
Germany
Telephone: +49 2821 7530 00
E-Mail: datenschutz@freedreams.de
You can contact our data protection officer by post using the contact data mentioned in Section 3, and marking the letter for the attention of the Data Protection Unit, or through freedreams@datenschutzanfrage.de .
II. Details concerning data processing operations
In this section of the privacy policy, we will inform you in detail about the processing of personal data within the scope of our services. For the sake of clarity, we will structure this information according to specific functionalities of our services. During the normal use of the services, different functionalities and thus different processes also can come into play sequentially or simultaneously.
1. General information about data processing operations
Unless otherwise stated, the following applies to all processing operations described below:
a) No obligation to provide & consequences of failure to provide
The provision of personal data is not legally or contractually required and you are not required to provide data. During the input process, we will inform you if personal data is required for the respective service (e.g. by designating it an “obligatory field”). Failure to provide the required data will result in the non-provision of the respective service. Otherwise, failure to provide data may mean that we are unable to provide our services in the same form and quality.
b) Consent
In various situations, you will also have the option of giving us your consent (possibly for part of the data) to further processing in connection with the processing operations described below. In this case, and in connection with the issuance of the respective declaration of consent, we will provide you with information separately concerning all modalities and the scope of the consent and about the interests which we pursue with these processing operations. The processing operations based on your consent will therefore not be itemised here again (Article 13(4) of the GDPR).
c) Transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, the transfer will be carried out exclusively in compliance with the statutorily regulated admissibility requirements.
If the transfer of data to a third country does not serve to fulfil our contract with you, if we do not have your consent or if the transfer is not necessary for asserting, exercising or defending legal claims and no other exception under Article 49 of the GDPR applies either, we will only transfer your data to a third country if there is an adequacy decision according to Article 45 of the GDPR or appropriate safeguards in accordance with Article 46 of the GDPR.
One of these adequacy decisions is the Commission's implementing decision (EU) 2016/1250 of 12th July 2016 on the so-called “EU-US Privacy Shield” for the USA. The data protection level for transfers to companies certified in accordance with the EU-US Privacy Shield is generally considered appropriate within the meaning of Article 45 of the GDPR.
Alternatively or additionally, the conclusion the EU standard data protection clauses issued by the European Commission with the receiving body, creates appropriate safeguards according to Article 46 (2)(c) of the GDPR as well as an appropriate level of data protection. Copies of the EU standard data protection clauses can be found on the European Commission’s website at https://ec.europa.eu/info/law/law-topic/data/ pred resection/data-transfer-outside-EU/model contracts-personal-data-third-countries_de.
d) Hosting with external service providers
Our data processing is largely carried out with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centres and also process personal data on our behalf in accordance with our instructions. Personal data may be transferred to hosting service providers for all of the following functionalities. These service providers process data either exclusively in the EU or we have guaranteed an adequate level of data protection through the EU standard data protection clauses (see c.).
e) Transmission to public authorities
We will transfer personal data to public authorities (including law enforcement agencies) if this is necessary to comply with a legal obligation to which we are subject (legal basis: Article 6 (1)(c) of the GDPR) or if this is necessary to assert, exercise or defend legal claims (legal basis Article 6 (1)(f) of the GDPR).
f) Retention period
The section titled “Retention period” indicates how long we will use the data for the respective processing purpose in each case. After this period, we will no longer process the data, and it will instead be erased at regular intervals, unless continuous processing and storage has been stipulated by law (especially because it is necessary to fulfil a legal obligation or to assert, exercise or defend legal claims) or you grant us consent going beyond this.
g) Designations of data categories
The following summarizing category names will be used for specific data types in the next sections:
● Account information: Login/user ID and password;
● Personal master data: Title, salutation/gender, first name, surname, date of birth;
● Address data: Street, house number, any address supplements, ZIP code, city, country;
● Contact details: Telephone number(s), fax number(s), email address(es);
● Credentials: Information about the service through which you have logged in; dates and technical information
concerning login, confirmation and logoff; data you provided when you log in;
● Order information: Ordered products, prices, payment and delivery information;
● Payment information: Account information, credit card information, information to other payment services such as
PayPal;
● Press distribution list usage data: Accreditation topic, date of accreditation, approval of limitation of use/declaration of
consent, downloads of press materials;
● Newsletter use profile data: Opening of the newsletter (date and time), contents, selected links, as well as the following
information concerning the accessing computer system: internet protocol address used (IP address), browser
type and version, device type, operating system and similar technical information.
● Access information: Date and time of the visit to our service; the page from which the accessing system accessed our
site; pages accessed during use; session identification data (session ID); as well as the following information
concerning the accessing computer system: internet protocol address used (IP address), browser type and version,
device type, operating system and similar technical information.
2. Accessing our services
We will describe below how your personal data is processed when you access our services (e.g. loading and viewing the website, opening and navigating within the mobile device app).
We would particularly like to state that the transmission of access data to external content providers (see b.) is unavoidable due to the mode of operation of information transmission on the internet. The third parties themselves are responsible for the data protection-compliant operation of the IT systems they use. The service providers will decide how long the data will be stored.
a) Purpose of data processing and legal basis as well as any legitimate interests, retention period
Data category:
Access data
Purpose:
Establishing a connection; presentation of the contents of the service; detection of attacks on our site based on unusual activities; diagnostics;
Legal basis:
Article 6(1)(f) of the GDPR
Legitimate interest:
proper functioning of services; security of data and business processes; prevention of misuse; prevention of damage through interference in information systems
Retention period: 4 weeks
b) Recipient of the personal data
Recipient category:
External content providers who supply the content (such as images, videos, embedded postings from social networks, advertising banners, fonts, update information) that are required to display the service;
Affected data: Access data
Legal basis: Article 6(1)(f) of the GDPR
Legitimate interest: proper functioning of the services; (accelerated) presentation of content
Recipient category: IT security service providers
Affected data: Access data
Legal basis: Article 6(1)(f) of the GDPR
Legitimate interest: Prevention of attacks by exploiting security gaps / vulnerabilities
3. Customer Feedback
We will describe below how your personal data is processed when you contact our customer service.
Purpose of data processing and legal basis as well as any legitimate interests, retention period
Data category: Personal master data; contact data; contents of inquiries/complaints
Purpose: Processing of customer requests and user complaints
Legal basis: Article 6(1)(b) and (f) of the GDPR
Legitimate interest: Improvement of our service; customer loyalty
Retention period: Processing of the request
4. Tracking
We will describe below how your personal data is processed using tracking technologies to analyse and optimise our services and for advertising purposes.
The description of the tracking procedures also includes information on how you can prevent or object to data processing. Please note that this so-called “opt-out”, i.e. the refusal to consent to processing, is usually stored via cookies. If you use our services via a new terminal or in another browser or if you have deleted the cookies set by your browser, you must declare your refusal to consent again.
The tracking procedures described only process personal data in pseudonymous form. No connection with a specific, identified natural person, and consequently a combination of the data with information about the bearer of the pseudonym, will be made.
a) Tracking to analyse and optimise our services and their use
1. Purpose of the processing
The analysis of user behaviour via tracking helps us monitor the effectiveness of our services, optimise and adapt them to users’ needs and to correct errors. Furthermore, it serves to statistically determine characteristic values about the use of our services (range, intensity of use, surfing behaviour of users) - on the basis of uniform standard procedures - and thus to obtain market-wide comparable values.
2. Legal basis of the processing
Regarding services we provide in connection with a contract, tracking and the associated analysis of user behaviour are performed in order to fulfil our contractual obligations. The legal basis for this processing of personal data is Article 6(1)(b) of the GDPR. The evaluation of information gained through tracking is necessary to provide you with optimised services according to the contractual purpose and to guarantee you the greatest possible benefit.
Otherwise, i.e. outside a contractual relationship, the legal basis for this processing of personal data is Article 6(1)(f) of the GDPR. With this, we pursue the legitimate interest of providing the most efficient and attractive services possible on the basis of the information gained through tracking and marketing them in the best possible way.
3. Details concerning the tracking procedures used
Description of the service: Google Analytics
Scope(s): all
Mode of operation
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies” which are text files stored on your computer to enable an analysis of your use of the website. The information generated by the cookie about your use of this website, namely
● Browser type/version;
● operating system used;
● Referrer URL (previously visited page);
● accessing computer’s host name (IP address);
● Time of the server request;
is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on this website Google will truncate your IP address beforehand within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of this website’s operator, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to the use of the website and the internet. The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting your browser software’s corresponding setting. However, please note that if you do this, you may not be able to use this website’s full functionality. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link (http://tools.google.com/dlpage/gaoptout?hl=en ). You can also find out more about the browser add-on by clicking on the above link.
You can find more information about Google Analytics’ privacy here https://policies.google.com/privacy?hl=en/
Option to prevent processing (opt-out)
You can prevent collection by Google Analytics by clicking the following link. An opt-out cookie will be set which prevents the future collection of your data when visiting this website: Deactivate Google Analytics
III. Rights of data subjects
1. Right to object
If we process your personal data for direct marketing purposes, you have the right to object prospectively at any time to the processing of personal data concerning you for the purposes of such advertising. This also applies to profiling, if it is associated with such direct marketing.
You also have the right to object prospectively at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6(1)(e) or (f) of the GDPR. This also applies to a profiling based on these provisions.
You can exercise the right to object at no cost. You can contact us using the contact details listed under I.3 or by the following means:
By e-mail to: datenschutz@freedreams.de
By telephone: +49 2821 7530 00
2. Right to information
You have the right to request confirmation from us as to whether personal data concerning you is being processed and, if applicable, to request information about this personal data and the other information listed in Article 15 of the GDPR.
3. Right to rectification
You have the right to demand immediate correction of any inaccurate personal data concerning you (Article 16 of the GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.
4. Right to erasure ("Right to be forgotten")
You have the right to request us to delete personal data relating to you immediately, provided that one of the reasons stated in Article 17(1) of the GDPR applies and the processing is not necessary for one of the purposes regulated in Article 17 (3) of the GDPR.
You are entitled to demand a restriction on the processing of your personal data if one of the conditions set out in Article 18 (1)(a) to (d) of the GDPR is met.
Under the conditions set out in Article 20(1) of the GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, current and machine-readable format, and the right to transmit this data to another person responsible without our interference. When exercising the right to data portability, you have the right to request that we transfer the personal data directly to another responsible party, insofar as this is technically feasible.
If the processing is based on your consent, you have the right to revoke the consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until the revocation.
You have a right to lodge a complaint with the supervisory authority responsible for our company. The competent supervisory authority for our company is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, https://www.ldi.nrw.de/