Data protection
1) Introduction and contact details of the responsible party
1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about how we handle your personal data when you use our website. Personal data is any data that can be used to personally identify you.
1.2 The data controller for this website within the meaning of the General Data Protection Regulation (GDPR) is Angelique Funke
Sanft & Schön, Novalisstraße 1, 10115 Berlin, Germany, Tel.: +49 176 41519630, Email: info@sanft-schoen.de. The controller responsible for the processing of personal data is the natural or legal person who, alone or jointly with others, decides on the purposes and means of processing personal data.
1.3 This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the data controller). You can recognize an encrypted connection by the "https://" prefix and the padlock symbol in your browser's address bar.
2) Data collection when visiting our website
When you simply use our website for informational purposes, i.e., if you do not register or otherwise provide us with information, we only collect data that your browser transmits to our server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:
- Our visited website
- Date and time of access
- Amount of data sent in bytes
- Source/referrer from which you accessed this page
- Browser used
- Operating system used
- IP address used (possibly in anonymized form)
The processing is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be disclosed or used for any other purpose. However, we reserve the right to subsequently review the server log files should there be concrete indications of unlawful use.
3) Cookies
To make your visit to our website more enjoyable and to enable the use of certain features, we use cookies, which are small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called "session cookies"), while others remain on your device for a longer period and allow us to save your website settings (so-called "persistent cookies"). In the latter case, you can find information about the storage duration in your web browser's cookie settings.
If any of the cookies we use process personal data, this processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the performance of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of consent given, or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the website visit.
You can configure your browser to notify you when cookies are set and allow you to decide whether to accept them individually, or to exclude the acceptance of cookies in certain cases or entirely.
Please note that if you do not accept cookies, the functionality of our website may be limited.
4) Making contact
When you contact us (e.g., via contact form or email), we process your personal data solely for the purpose of handling and responding to your inquiry and only to the extent necessary. The legal basis for processing this data is our legitimate interest in responding to your inquiry, pursuant to Article 6(1)(f) GDPR. If your contact relates to a contract, the additional legal basis for processing is Article 6(1)(b) GDPR. Your data will be deleted when it is clear from the circumstances that the matter has been resolved and provided that no statutory retention obligations apply.
5) Data processing when opening a customer account
In accordance with Article 6(1)(b) GDPR, personal data will continue to be collected and processed to the extent necessary if you provide it to us when opening a customer account. The data required for account opening is indicated in the input fields of the corresponding form on our website. You can delete your customer account at any time by sending a message to the data controller's address provided above. After your customer account is deleted, your data will be deleted provided that all contracts concluded through it have been fully processed, no statutory retention periods apply, and we have no legitimate interest in continuing to store the data.
6) Use of customer data for direct marketing
Subscribe to our email newsletter
When you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information required to send you the newsletter is your email address. Providing any further information is voluntary and is used to personalize our communications with you. We use the double opt-in procedure for newsletter distribution, which ensures that you only receive newsletters after you have explicitly confirmed your consent to receive them by clicking a verification link sent to the email address you provided
By activating the confirmation link, you give us your consent to use your personal data in accordance with Article 6 Paragraph 1 Letter a of the GDPR. We store your IP address, which is registered by your Internet Service Provider (ISP), as well as the date and time of registration, in order to be able to trace any potential misuse of your email address at a later date. The data we collect when you subscribe to the newsletter is used strictly for the intended purpose. You can unsubscribe from the newsletter at any time via the unsubscribe link provided in the newsletter or by sending a corresponding message to the data controller named above. After you unsubscribe, your email address will be immediately deleted from our newsletter mailing list, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes permitted by law, about which we inform you in this privacy policy.
7) Data processing for order processing
7.1 Insofar as necessary for the processing of the contract for delivery and payment purposes, the personal data we collect will be passed on to the commissioned transport company and the commissioned credit institution in accordance with Art. 6 para. 1 lit. b GDPR.
If we owe you updates for goods with digital elements or for digital products based on a corresponding contract, we process the contact details you provided during the ordering process (name, address, email address) in order to personally inform you about upcoming updates within the legally prescribed period, in accordance with our legal information obligations pursuant to Art. 6 para. 1 lit. c GDPR, via a suitable communication channel (e.g., by post or email). Your contact details will be used strictly for the purpose of notifying you about updates we owe you and will only be processed by us to the extent necessary for the respective information.
To process your order, we also work with the following service provider(s), who support us in whole or in part in fulfilling concluded contracts. Certain personal data will be transmitted to these service providers in accordance with the following information.
7.2 Use of payment service providers (payment services)
– Paypal
When paying via PayPal, credit card via PayPal, direct debit via PayPal, or – if offered – “purchase on account” or “installment payment” via PayPal, we forward your payment data to PayPal (Europe) Sarl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) for payment processing. This transfer is carried out in accordance with Art. 6 para. 1 lit. b GDPR and only to the extent necessary for payment processing.
For the payment methods credit card via PayPal, direct debit via PayPal, or – if offered – "purchase on account" or "installment payment" via PayPal, PayPal reserves the right to conduct a credit check. For this purpose, your payment data may be transferred to credit agencies in accordance with Art. 6 Para. 1 lit. f GDPR based on PayPal's legitimate interest in determining your creditworthiness. PayPal uses the result of the credit check regarding the statistical probability of payment default to decide whether to offer the respective payment method. The credit check may contain probability values (so-called score values). If score values are included in the result of the credit check, they are based on a scientifically recognized mathematical-statistical procedure. Address data is among the data used, but not the only data, in the calculation of the score values. For further information on data protection, including the credit agencies used, please refer to PayPal's Privacy Statement https://www.paypal.com
You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for the contractual processing of payments.
– Stripe
If you choose a payment method offered by the payment service provider Stripe, payment processing will be handled by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will transfer the information you provided during the ordering process, along with information about your order (name, address, account number, bank code, possibly credit card number, invoice amount, currency, and transaction number) in accordance with Article 6(1)(b) GDPR. Further information on Stripe's data protection practices can be found at the following URL: https://stripe.com
Stripe reserves the right to conduct a credit check based on mathematical-statistical methods to protect its legitimate interest in determining the user's creditworthiness. Stripe may transmit the personal data necessary for a credit check and obtained during payment processing to selected credit agencies, which Stripe will disclose to users upon request. The credit report may contain probability values (so-called score values). If score values are included in the credit report, they are based on a scientifically recognized mathematical-statistical method. Address data is among the data used, but not the only data, in calculating the score values. Stripe uses the result of the credit check regarding the statistical probability of payment default to decide on the eligibility to use the selected payment method.
You can object to this processing of your data at any time by sending a message to Stripe or the commissioned credit reference agencies.
However, Stripe may still be entitled to process your personal data if this is necessary for the contractual processing of payments.
8) Online Marketing
Facebook Pixel for creating Custom Audiences (with Cookie Consent Tool)
Within our online service, we use the so-called “Facebook pixel” of the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).
When a user clicks on one of our ads displayed on Facebook, Facebook Pixel adds a parameter to the URL of our linked page. If our page allows data sharing with Facebook via Pixel, this URL parameter is stored in the user's browser via a cookie set by our linked page itself. Facebook Pixel then reads this cookie and enables the data to be transmitted to Facebook.
With the help of the Facebook pixel, Facebook can identify visitors to our website as a target audience for displaying advertisements (so-called "Facebook Ads"). Accordingly, we use the Facebook pixel to show the Facebook Ads we place only to Facebook users who have shown an interest in our website or who exhibit certain characteristics (e.g., interests in specific topics or products, determined based on the websites they visit) that we transmit to Facebook (so-called "Custom Audiences"). We also use the Facebook pixel to ensure that our Facebook Ads correspond to the potential interests of users and are not perceived as intrusive. Furthermore, we can evaluate the effectiveness of Facebook ads for statistical and market research purposes by tracking whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").
The data collected is anonymous for us, meaning it does not allow us to draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so a connection to the respective user profile is possible, and Facebook uses the data for its own advertising purposes, in accordance with the Facebook Data Policy (https://www.facebook.com
The data processing associated with the use of the Facebook Pixel only takes place with your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "Cookie Consent Tool" provided on the website.
9) Web analytics services
Google Analytics 4
This website uses Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), which allows us to analyze website usage.
When using Google Analytics 4, so-called "cookies" are used by default. Cookies are text files that are stored on your device and enable an analysis of your use of a website. The information collected by cookies about your use of the website (including the IP address transmitted by your device, shortened by the last digits, see below) is generally transmitted to a Google server, where it is stored and processed. This may also involve the transfer of information to the servers of Google LLC, located in the USA, where the information may be further processed.
When using Google Analytics 4, the IP address transmitted by your device when you use the website is always collected and processed in anonymized form by default, so that the collected information cannot be directly linked to you personally. This automatic anonymization is achieved by Google shortening the IP address transmitted by your device within member states of the European Union (EU) or other contracting states of the Agreement on the European Economic Area (EEA) by removing the last few digits.
On our behalf, Google uses this and other information to evaluate your use of the website, to compile reports on your website activity and usage patterns, and to provide us with other services relating to website activity and internet usage. The IP address transmitted by your device as part of Google Analytics 4.0 and shortened will not be merged with other Google data. The data collected through Google Analytics 4.0 will be stored for two months and then deleted.
Google Analytics 4 offers a special feature called "demographics" that allows for the creation of statistics about the age, gender, and interests of website users. This is based on an analysis of interest-based advertising and the use of third-party information. This enables the identification and differentiation of website user groups for the purpose of targeted marketing efforts. However, the data collected via "demographics" cannot be attributed to any specific individual, including you. This data is stored for two months and then deleted.
All processing described above, in particular the setting of Google Analytics cookies for storing and reading information on the device you use to access the website, will only take place if you have given us your explicit consent in accordance with Article 6(1)(a) GDPR. Without your consent, Google Analytics will not be used while you are using the website. You can withdraw your consent at any time with effect for the future. To exercise your right of withdrawal, please deactivate this service using the "Cookie Consent Tool" provided on the website.
We have concluded a so-called data processing agreement with Google for our use of Google Analytics 4, which obliges Google to protect the data of our website users and not to pass it on to third parties.
To ensure compliance with the European level of data protection, even in the event of the transfer of data from the EU or the EEA to the USA and any further processing there, Google relies on the so-called standard contractual clauses of the European Commission, which we have contractually agreed with Google.
Further legal information regarding Google Analytics 4, including a copy of the aforementioned standard contractual clauses, can be found at https://policies.google.com
10) Page functionalities
Applications for job postings via email
On our website, we list currently vacant positions in a separate section, for which interested parties can apply by email to the provided contact address.
Inclusion in the application process requires that applicants provide us with all personal data necessary for a sound and informed assessment and selection along with their application via email.
The required information includes general personal details (name, address, telephone or email contact information) as well as performance-related documentation demonstrating the qualifications necessary for the position. Health-related information may also be required, as it must be given special consideration under labor and social security law in the interest of the applicant's social protection.
The specific components that an application must contain to be considered, and the form in which these components must be submitted via email, can be found in the respective job posting.
Upon receipt of your application submitted using the provided email address, we will store your application data and evaluate it solely for the purpose of processing your application. For any follow-up questions that may arise during the processing process, we will, at our discretion, use either the email address or telephone number provided by the applicant with their application.
The legal basis for this processing, including contacting you for follow-up questions, is generally Art. 6 para. 1 lit. b GDPR (for processing in Germany in conjunction with § 26 para. 1 BDSG), in which the application process is considered to be the initiation of an employment contract.
Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data such as information about severe disability) are requested from applicants during the application process, the processing is carried out in accordance with Art. 9 para. 2 lit. b GDPR so that we can exercise the rights arising from employment law and the law of social security and social protection and comply with our obligations in this regard.
Alternatively or cumulatively, the processing of special categories of data may also be based on Article 9(1)(h) GDPR if it is carried out for the purposes of preventive or occupational medicine, for the assessment of the applicant's fitness for work, for medical diagnosis, for the provision of health or social care or treatment or for the management of health or social care systems and services.
If the applicant is not selected during the evaluation process described above, or if an applicant withdraws their application prematurely, their data transmitted by email, as well as all electronic correspondence, including the original application email, will be deleted no later than six months after notification. This period is based on our legitimate interest in being able to answer any follow-up questions regarding the application and, if necessary, to comply with our obligations to provide evidence under the regulations on equal treatment of applicants.
In the event of a successful application, the data provided will be further processed on the basis of Art. 6 para. 1 lit. b GDPR (in the case of processing in Germany in conjunction with § 26 para. 1 BDSG) for the purposes of carrying out the employment relationship.
11) Tools and other items
Cookie consent tool
This website uses a "cookie consent tool" to obtain valid user consent for cookies and cookie-based applications that require consent. The cookie consent tool is displayed to users upon visiting the site as an interactive interface, where consent for specific cookies and/or cookie-based applications can be granted by ticking boxes. By using this tool, all cookies/services requiring consent are only loaded if the respective user grants the corresponding consent by ticking the boxes. This ensures that such cookies are only placed on the user's device if consent has been given.
This tool uses technically necessary cookies to store your cookie preferences. No personal user data is processed in this process.
If, in individual cases, personal data (such as the IP address) is processed for the purpose of storing, assigning or logging cookie settings, this is done in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website.
A further legal basis for processing is Article 6(1)(c) GDPR. As data controllers, we are subject to the legal obligation to make the use of cookies that are not technically necessary dependent on the respective user's consent.
Further information about the operator and the settings options of the cookie consent tool can be found directly in the corresponding user interface on our website.
12) Rights of the data subject
12.1 The applicable data protection law grants you the following rights as a data subject (rights of access and intervention) vis-à-vis the controller with regard to the processing of your personal data, whereby reference is made to the legal basis cited for the respective conditions of exercising these rights:
- Right of access pursuant to Art. 15 GDPR;
- Right to rectification pursuant to Article 16 GDPR;
- Right to erasure pursuant to Article 17 GDPR;
- Right to restriction of processing pursuant to Article 18 GDPR;
- Right to information pursuant to Article 19 GDPR;
- Right to data portability pursuant to Art. 20 GDPR;
- Right to withdraw consent pursuant to Art. 7 para. 3 GDPR;
- Right to lodge a complaint pursuant to Article 77 GDPR.
12.2 RIGHT OF OBJECTION
If we process your personal data based on our overriding legitimate interest as part of a balancing of interests, you have the right to object to this processing at any time, on grounds relating to your particular situation, with effect for the future.
If you exercise your right to object, we will cease processing the data in question. However, further processing remains possible if we can demonstrate compelling legitimate grounds for the processing which override your interests, fundamental rights and freedoms, or if the processing serves the purpose of establishing, exercising or defending legal claims.
If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing. You can exercise your right to object as described above.
If you exercise your right to object, we will cease processing the data in question for direct marketing purposes.
13) Duration of storage of personal data
The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing and – if applicable – additionally by the respective statutory retention period (e.g. commercial and tax law retention periods).
When processing personal data on the basis of explicit consent pursuant to Art. 6 para. 1 lit. a GDPR, this data will be stored until the data subject withdraws his or her consent.
If statutory retention periods exist for data processed in the context of contractual or quasi-contractual obligations on the basis of Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after the expiry of the retention periods, provided that it is no longer required for the performance of a contract or for initiating a contract and/or we no longer have a legitimate interest in its continued storage.
When processing personal data on the basis of Article 6(1)(f) GDPR, this data will be stored until the data subject exercises their right to object pursuant to Article 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of establishing, exercising or defending legal claims.
When processing personal data for direct marketing purposes on the basis of Art. 6 para. 1 lit. f GDPR, this data will be stored until the data subject exercises his or her right to object pursuant to Art. 21 para. 2 GDPR.
Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.
