I. Preamble



II. Name and address of the controller



III. General information on processing activities
1. Scale of processing of personal data
2. Legal basis relating to processing of personal data
3. Data erasure and duration of storage



IV. Use of cookies



V. Provision of the website and compilation of log files
1. Description and scale of processing activities
2. Legal basis for processing activities
3. Purpose of processing activities
4. Duration of storage
5. Right to object and removal option



VI. Contact form and email contact
1. Description and scale of processing activities
2. Legal basis for processing activities
3. Purpose of processing activities
4. Duration of storage
5. Right to object and removal option



VII. Registration
1. Description and scale of processing activities
2. Legal basis for processing activities
3. Purpose of processing activities
4. Duration of storage
5. Right to object and removal option



VIII. Use of social-media plugins



IX. Web analysis by Google Analytics
1. Description and scale of processing activities
2. Legal basis relating to processing of personal data
3. Purpose of processing activities
4. Duration of storage
5. Right to object and removal option



X. Rights of the data subject
1. Right of access
2. Right to rectification
3. Right to restriction of processing
4. Right to erasure
5. Right to provision of information
6. Right to data portability
7. Right to object
8. Right to revoke the declaration of consent under data protection law
9. Right to lodge a complaint with a supervisory authority


 


I. Preamble



When using our website or our "TRUSTED NETWORK" portal, we collect and process your personal data according to this statement. If data can be assigned to any determined natural person, they are personal data (e.g. name, address, email, phone number, etc.). We process personal data in accordance with the provisions of European and German data protection law. The European General Data Protection Regulation (GDPR), the new Federal Data Protection Act (Bundesdatenschutzgesetz-neu; BDSG-neu) and the Telemedia Act (Telemediengesetz; TMG) form the essential legal basics. In the following provisions, we inform you about the type, scope and purpose of collection, use and processing of personal data on our website.


We would like to preventively note that internet-based data transmission may be subject to safety gaps and that seamless protection against third-party access is therefore not possible in spite of all safety measures taken.



II. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States and other provisions under data protection law is:


Beiersdorf AG
Unnastraße 48
20249 Hamburg
Germany


Phone: +49 (0) 40 4909-6528
Fax: +49 (0) 40 4909-186528
Email: trusted.pearlfinders@beiersdorf.com


Contact details of the data protection officer: Datenschutz[at]beiersdorf.com or under the postal address of the controller with the addition "c/o data protection officer".



III. General information on processing activities



1. Scale of processing of personal data
We only collect and use personal data of our users if this is necessary to provide a functional website or our contents and services within the portal. Collection and use of personal data of our users shall usually only take place with the user's consent. An exemption shall apply in such cases where prior consent cannot be obtained for factual reasons and where processing of the data is permitted by the law.



2. Legal basis relating to processing of personal data
As far as we collect the consent of the data subject for processing of personal data, point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For legal processing of personal that is necessary to perform a contract of which the data subject is a party, point (b) of Article 6(1) GDPR serves as the legal basis. This also applies to processing operations that are necessary to perform pre-contractual measures.
As far as processing of personal data is necessary to perform a legal obligation that our company is subject to point (c) of Article 6(1) GDPR serves as the legal basis.
If any vital interests of the data subject or any other natural person requires processing of personal data, point (d) of Article 6(1) GDPR serves as the legal basis.
If processing is necessary to maintain a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the former interest, point (f) of Article 6(1) GDPR serves as the legal basis for processing.



3. Data erasure and duration of storage
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may furthermore take place when this is intended by the European or national legislator in regulations under Union law, laws or other rules that the controller is subject to. Blocking or erasure of the data shall also take place if a storage period necessary according to the standards named expires, except if further storage of the data is required for conclusion of a contract or performance of a contract.



IV. Use of cookies



1. Description and scale of processing activities
Our website uses cookies. Cookies are text files that are stored in the web browser or on the user's computer system by the web browser. A cookie contains a characteristic character sequence that permits unique identification of the browser when calling up the website again.
Use of our website requires storage of cookies in your browser. You can prevent the installation of cookies in the settings of your browser. In such a case, you may be unable to fully use all functions of our website.



Session cookies
We use session cookies in order to recognise whether individual pages of our offer are called up multiply by users / internet connections:
· .ASPNet.Application
· .ASPXAUTH



These are cookies that are stored on your (client or PC) and that will be deleted again after the end of your visit. Session cookies contain randomly generated identification numbers (session ID), information on the origin and the storage period. The cookies store and transmit the following data and information:
(1) Email address
(2) User ID
(3) Language settings



Tracking cookies
We use cookies on our website that permit analysis of the users' surfing behaviour. The website itself uses no tracking cookies. Google Analytics uses tracking cookies:
· _ga
· _gat_customerTracker
· _ga_globalTracker
· _gid



This way, the following data can be transmitted:
(1) Search terms entered
(2) Frequency of page calls
(3) Use of website functions



The user data collected in this manner will be pseudonymised by technical measures. Therefore, assignment of the data to the calling user is no longer possible. The data are not stored together with any other personal data of the user.



2. Legal basis for processing activities
The legal basis for processing of personal data using technically necessary cookies is point (f) of Article 6(1) GDPR.
The legal basis for processing of personal data using cookies for analysis purposes is point (a) of Article 6(1) GDPR if the user has consented to this.



3. Purpose of processing activities
The purpose of using technically necessary cookies is simplifying the use of websites for the users. Some functions of our website cannot be offered without using cookies. For this, the browser must be recognised after a page change as well. We need cookies for the following applications:
(1) Language settings
The user data collected by the technically necessary cookies are not used to compile user profiles.
Analysis cookies are used in order to improve the quality of our website and its contents. The analysis cookies will tell us how the website is used and enable us to continually optimise our offer.
These purposes also reflect our legitimate interest in processing the personal data in accordance with point (f) of Article 6(1) GDPR.



4. Duration of storage, objection and removal option
Cookies are stored on the user's computer and transmitted to our page by it. Therefore, you as the user also have the full control of use of cookies. By changing the settings in your web browser, you can deactivate or restrict transmission of cookies. Already-stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website in full.



V. Provision of the website and compilation of log files



1. Description and scale of processing activities
Every time you call up our website, our system will automatically record data and information from the computer system of the calling computer. For technical reasons, we automatically collect and store the following data upon every use of our website (usage data) in server log files:
· Browser type and version
· Operating system used
· The internet address of the website from which you visit us (referrer)
· The internet address of the website that you visit
· Date and time of the access
· Internet protocol (IP) address of your computer from which you access our website
· Name of the called data or information, transmitted data volume (in bytes)
The logfiles contain internet protocol addresses or other data that permit assignment to a user. This may be the case, e.g. when the link to the website from which the user reaches the website or the link to the website to which the user moves on contains any personal data.


Such data will be automatically transmitted to us by your internet browser. They are stored separately from any personal data entered. They are evaluated anonymised for statistical purposes in order to optimise our internet offer and our offers.
We will store these data for a period of up to seven days for security reasons (e.g. identification of attempted attacks on our system and investigation of the respective incident). After this, the data will be deleted / stored with anonymised IP addresses. This shall not include data that must be stored for evidence purposes. These will be stored until the respective incident has been fully investigated.



2. Legal basis for processing activities
The legal basis for temporary storage of the data and log files is point (a) of Article 6(1) GDPR.

3. Purpose of processing activities
The temporary storage of the internet protocol address by the system was necessary in order to make it possible to send the website to the user's computer. For this, the user's internet protocol address must remain stored for the duration of the session.


Storage in log files shall take place in order to ensure the function of the website. We also use the data for optimisation of the website and to ensure the security of our information-technical systems. They are evaluated anonymised for statistical purposes in order to optimise our internet offer and our offers.


These purposes also reflect our legitimate interest in the processing activities in accordance with point (f) of Article 6(1) GDPR.


4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose of their collection. If data are recorded for provision of the website, this is the case when the respective session is ended.


If your data are stored in log files, this will be the case no later than after seven days. Storage beyond this will be possible. In such a case, the internet protocol addresses of the users will be deleted or changed so that it can no longer be assigned to the calling client.



5. Right to object and removal option
Collection of the data for provision of the website and recording of the data in log files is mandatory for operation of the website. Accordingly, the user cannot object to this.



VI. Contact form and email contact



1. Description and scale of processing activities
It is possible to contact us by email and/or via a contact form on our website. In such a case, the information provided by you, in particular your name, email address, the message and any further information that the author provides are stored for the purpose of processing of your contact. They will not be passed on to any third parties. The data collected in this manner will not be reconciled with any other data that may be collected by other components of our website.


At the time of dispatch of the message, the following data will be stored as well:
(1) First, last names
(2) Email address
(3) The internet protocol address of the user
(4) Date and time of the contact
(5) Visited page when using the contact form


Alternatively, contact via the provided email address is possible. In such a case, the user's personal data transmitted in the email will be stored.


No data will be passed on to any third parties in this context. The data are only used for processing of the conversation.



2. Legal basis for processing activities
The legal basis for processing of the data is the presence of the user's consent in accordance with point (a) of Article 6(1) GDPR.


The legal basis for processing of the data transmitted in the scope of transmission of an email is also point (f) of Article 6(1) GDPR. If the email contact is targeted at conclusion of a contract, point (b) of Article 6(1) GDPR shall be an additional legal basis for processing.



3. Purpose of processing activities
Processing of the personal data from the input screen serves only to process your contact. In case of contact by email, this is also the necessary legitimate interest in processing of the data.
The other personal data processed while sending serves to prevent misuse of the contact form and to ensure the security of our information-technical system.



4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose of their collection. This is the case for the personal data from the input screen of the contact form and those transmitted by email when the respective conversation with the user has ended. The conversation is ended when the circumstances show that the corresponding matter has been finally completed.


The personal data collected additionally when sending will be deleted at the latest after a period of seven days.

5. Right to object and removal option
The user has the option at any time to withdraw his or her consent to processing of the personal data. If the user contacts us by email, he or she may object to storage of his or her personal data at any time. In this case, the conversation cannot be continued.


VII. Registration



1. Description and scale of processing activities
You can register on our website in order to gain access to personalised services (groups and apps). For technical reasons, we automatically collect and store data upon every use of our website (usage data) in server log files (see V.1: Description and scale of processing activities). Furthermore, we collect the following data:
· Email address
· First name
· Last name
· User name
This is done for your and our security, for the case that a third party abuses your data and registers on our page with them without your knowledge. We will check the email address entered by you to ensure that you as the owner of the email address and actually are the person who wants to register. You as the owner of the email address will receive a message with a link back through which you confirm your interest in registering (double opt-in procedure). Subsequently (via confirmation by the link back), we will store your name and any further information on your company in order to compile your profile. The information marked * are mandatory information.
All information will only be collected and stored for use within the page. Forwarding to third parties or reconciliation with any other data that may be collected by other components of our website will not take place.
Within the context of the registration process, the user's consent to processing of these data is collected.



2. Legal basis for processing activities
The legal basis for processing of the data is the presence of the user's consent in accordance with point (a) of Article 6(1) GDPR.

3. Purpose of processing activities
Registration of the user is necessary for providing certain contents and services on our website.



4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose of their collection.
This is the case for the data collected during the process of registration if registration on our website is cancelled or changed.



5. Right to object and removal option
You as the user have the option of ending your registration at any time. You can have the data stored concerning you changed at any time. In order to change or delete your data in the profile, call up the profile and process the sections. In order to delete the profile, follow the instructions in your profile under "Login data"/"How do I delete my account?".


VIII. Use of social-media plugins


Google+ components
On our website, we use the " +1" button (red "+1" on a white tile) of provider Google+ from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, (hereinafter: "Google"). Every time a website from our offer that is equipped with such a "+1" component is called up, the component will cause the browser you use to download a corresponding presentation of the component from Google and display it in the website. This will inform Google of which specific page of our website you are currently visiting. We cannot influence the scale of data that Google collects with the components and we will inform you according to our knowledge.
According to the information of Google, your visit will not be evaluated any further if you are logged out of your Google account.
If you are logged in with Google or Google+ and visit our website, Google will record and store information concerning your Google account, the website recommended by you and your internet protocol address as well as other browser-related information when you push the "+1" button.
This way, your "+1" recommendation may be stored and made publicly accessible. The Google "+1" recommendation made thus can be displayed in the Google services as an indication together with your account name and any profile image filed with Google. For example, it can be shown in search results, in your Google account or in any other locations, such as on websites and online ads. Furthermore, Google may link your visit to our page to your data stored at Google. Google records this information in order to optimise the services offered by Google.



If you want to prevent the data collection and storage by Google as described, you need to log out of your Google account before you visit our website.
Even if you do not have any member account with Google or Google+ or if you are logged out there, Google may obtain your internet protocol address and store it.
The data protection notes of Google concerning the "+1" button with further information concerning recording, forwarding and use of data by Google, your rights in this respect and the possibilities of personal profile settings can be viewed here: https://developers.google.com/+/web/buttons-policy.



IX. Web analysis by Google Analytics



1. Description and scale of processing activities
Our website uses Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter "Google". Google Analytics uses "cookies", which are text files stored on your computer. This permits analysis of your use of our website.
The information generated by this cookie, e.g. the time, location and frequency of your website visit and your internet protocol address, will be transmitted to Google in the USA and stored there.
On our website, we use Google Analytics with the addition "_gat._anonymizeIp", in order to permit anonymised use. This means that your internet protocol address will already be abbreviated first by Google within Member States of the European Union or in other contracting states of the convention on the European Economic Area and therefore anonymised. Only in exceptional circumstances will your full internet protocol address be transmitted to the USA and be abbreviated by Google there.
Google uses this information on our order to compile reports concerning your activities on our website for us and in order to render further services connected to website use and internet use.
According to its information, Google will never combine your internet protocol address with any other personal data of Google. You can prevent installation of cookies by making the corresponding settings in your browser software. In such a case, you may be unable to fully use all functions of our website.



2. Legal basis relating to processing of personal data
The legal basis for processing of the personal data of the users is point (f) of Article 6(1) GDPR.



3. Purpose of processing activities
Processing of the personal data of the users enables us to analyse the surfing behaviour of our users. Evaluation of the data acquired enables us to compile information on use of the individual components of our website. This helps us continually improve our website and its user friendliness. These purposes also reflect our legitimate interest in processing the data in accordance with point (f) of Article 6(1) GDPR. Anonymisation of the internet protocol address appropriately considers the interest of the users in protection of their personal data.



4. Duration of storage
The data will be deleted as soon as they are no longer needed for our recording purposes. In our case, this is done after 18 days.



5. Right to object and removal option
Cookies are stored on the user's computer and transmitted to our page by it. Therefore, you as the user also have the full control of use of cookies. By changing the settings in your web browser, you can deactivate or restrict transmission of cookies. Already-stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website in full.
Furthermore, Google offers a deactivation add-on for the most common browsers that you can download and install on your (client or PC). This add-on gives you better control of what data Google records concerning the websites called up by you. The add-on informs the JavaScript (ga.js) of Google Analytics that no information on the website visit is to be transmitted to Google Analytics. For more information on installation of the browser add-in, see the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
You may prevent recording by Google Analytics by clicking the following link. An opt-out cookie is set that will prevent the future recording of your personal data when visiting this website: <a href="javascript:gaOptout()">Deactivating Google Analytics.



Please note that the deactivation add-on of Google Analytics for browsers does not prevent information from being transmitted to us or any other web analysis programs that we may use.
For more detailed information on usage conditions and data protection of Google, see http://www.google.com/analytics/terms/de.html or https://www.google.de/intl/de/policies/. Note that Google Analytics has been expanded by the code "gat._anonymizeIp();" on this website, in order to ensure anonymised recording of internet protocol address (IP masking).



X. Rights of the data subject.



If any personal data of you are processed, you are a data subject within the meaning of GDPR and you have the following rights towards the controller:



1. Right of access
You may demand that the controller confirm whether any personal data concerning you are processed by us. In case of such processing, you may demand the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipients to whom the personal data concerning you have been disclosed or will be disclosed;
(4) the planned duration of storage of the personal data concerning you or, if specific information on this cannot be provided, criteria for specification of the storage duration;
(5) the existence of the right to request from the controller rectification or erasure of personal data or a right to restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) all available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed on whether the personal data concerning you are transmitted to a third country or an international organisation. In this context, you may demand provision of information about suitable safeguards pursuant to Article 46 GDPR in connection with the transfer.



2. Right to rectification
You have a right to rectification and/or completion towards the controller, provided that the personal data processed concerning you are inaccurate or incomplete. The controller shall rectify them without undue delay.



3. Right to restriction of processing
You may demand restriction of processing of the personal data concerning you under the following conditions:
(1) if you dispute the accuracy of the personal data concerning you for a duration that enables the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
(4) if you have objected to processing in accordance with Article 21(1) GDPR and it is not yet certain if the legitimate reasons of the controller override your reasons.
Where processing of the personal data concerning you has been restricted, such personal data must - with the exception of storage - only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of processing was limited according to the above conditions, you will be informed by the controller before the restriction is revoked.



4. Right to erasure
a) Erasure obligation
You may demand that the controller erase the personal data concerning you without undue delay and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing was based according to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR and there is no other legal basis for the processing.
(3) You object to processing in accordance with Article 21(1) GDPR and there are no overruling legitimate grounds for processing, or you object to processing in accordance with Article 21(2) GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) Erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing of the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Derogations
The right to erasure shall not exist if processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.



5. Right to provision of information
If you have asserted a right to rectification, erasure or restriction of processing towards the controller, the controller is obligated to inform all recipients to whom the personal data concerning you were disclosed of this rectification or erasure of data or reconstruction of processing, except if this turns out to be impossible or subject to unreasonable effort.
You are due the right to provision of information about such recipients by the controller.



6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition to this, you have the right to transmit these data to another controller without any impairment by the controller to whom the personal data were provided, as long as
(1) processing is based on consent in accordance with point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or a contract in accordance with point (b) of Article 6(1) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you further have the right to demand that the personal data concerning you be transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons must not be impaired by this.
That right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.



7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
You have the option to exercise the right to object in connection with use of information society services, irrespective of directive 2002/58/EC, where technical specifications are used.



8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.



9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.