W&W Cycle AG processes personal data belonging to customers as described hereafter; it does so in accordance with the relevant laws and in particular the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and their associated directives.
We are, by introducing the following notice, satisfying our statutory information obligations and are hereby informing you of the collection of personal data by us and your rights in this context.
1. General object of data protection
The object of data protection is personal data that is processed by us (as controller).
Personal data means any information relating to an identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Name and contact details for the controller according to Art. 13 (1)(a), 14 (1)(a) GDPR
The controller is:
W&W Cycles AG
telephone: +49 / (0) 931 / 250 61 16
fax: +49 / (0) 931 / 250 61 20
represented by the Director: Mr Wolfgang Schmidt
commercial register number: AG Würzburg HRB 5217
VAT ID no.: DE 134182653
3. Contact details for the data protection officer according to Art. 13 (1)(b), 14 /1)(b) GDPR
The data protection officer is:
W&W Cycles AG
telephone: +49 / (0) 931 / 250 61 711
4. General information on data processing
In the following we will provide general information on the scope, legal grounds and data erasure, i.e. duration of storage, before proceeding to describe the actual form of data processing by us.
4a) Scope of processing of personal data
We collect and use personal data of our users only in the extent that is necessary to ensure website functionality and to provide our content and services. Collection and use of personal data of our users ordinarily takes place only with the prior consent of the user. Excepted from this are cases in which obtaining prior consent is not possible for factual reasons and where processing the data is lawful.
4b) Legal grounds for the processing of personal data
Where we obtain consent from the data subject for processing of personal data, this shall be based on Art. 6 paragraph 1 point (a) EU General Data Protection Regulation (GDPR).
Where processing of personal data is necessary for the performance of a contract in which the data subject is party to the contract, this shall be based on Art. 6 paragraph 1 point (b) EU General Data Protection Regulation (GDPR). This applies also to processing procedures that are necessary for the performance of pre-contractual measures.
Where processing of personal data is necessary for the fulfilment of a legal obligation applicable to our company, this shall be based on Art. 6 paragraph 1 point (c) EU General Data Protection Regulation (GDPR).
Where processing of personal data is necessary for the protection of the vital interests of the data subject or another natural person, this shall be based on Art. 6 paragraph 1 point (d) EU General Data Protection Regulation (GDPR).
Where processing is necessary for the purposes of the legitimate interests pursued by our company or a third party and where such interests are not overriden by the interests or fundamental rights and freedoms of the data subject, this shall be based on Art. 6 paragraph 1 point (f) EU General Data Protection Regulation (GDPR).
4c) Data erasure and duration of storage
Personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place where this is foreseen by regulations, laws or other directives under European or national legislation to which the controller is subject. The data shall also be blocked or erased after expiry of the retention period set out in the legal standards above, except where continued storage of the data is necessary for the conclusion or performance of a contract.
5. Individual forms of processing of personal data
W&W Cycles AG processes personal data as follows:
5a) Collection of personal data when visiting our website/creation of log files
Data is collected as follows when you visit our website:
5a1. Description and scope of data processing
We do not collect any personal data in the case of simple informative use of this website, i.e. if you do not login, register or otherwise transmit information to us or order products, with the exception of the data transmitted by your browser to our server. We collect the following data:
- IP address;
- date and time of the enquiry;
- time difference to Greenwich Mean Time (GMT);
- content of the request (actual page), pages you access, name of the accessed file;
- access status/HTTP status code, message whether access was successful;
- data volume transferred in each case;
- referring website;
- operating system and its interface;
- language and version of browser software;
- data volume transferred;
- page from which the file was requested (referrer URL);
- access status (file transferred, file not found etc.).
The data is also stored in our system in the form of log files. This data is not stored together with other personal data of the user.
5a2. Legal grounds for data processing
Temporary storage of data and log files takes place according to Art. 6 paragraph 1 point (f) GDPR.
5a3. Purpose of data processing
The log files are saved to ensure functionality of the website. We also use the data to optimise the website and to ensure security and stability of our information technology systems. The data is not analysed for marketing purpose in this context.
These purposes represent our legitimate interest in data processing according to Art. 6 paragraph 1 point (f) GDPR.
5a4. Duration of storage
The data is erased as soon as the purpose of its storage no longer applies. Where this refers to log files, erasure takes place after seven days at maximum. Storage beyond this period is possible. In these cases the IP addresses of the users are deleted or pseudonymised to ensure that an identification of the requesting client is not possible.
5a5. Information according to Art. 13 (2)(e) GDPR
The provision of the data is absolutely necessary for the provision and operation of our website. You are therefore obliged to provide this data in order to use the website, otherwise it is not possible to use the website. There is no possibility of objection.
5b) Use of cookie
5b1. Description and scope of data processing
In addition to the data described above, cookies are placed on your computer when you visit our website. Cookies are small text files that are saved on on your hard drive and contain information about the browser you use. A cookie can be placed on the operating system of a user when the user visits our website. This cookie contains a characteristic sequence of characters that enable definite identification of the browser the next time that you access our website.
Our website uses the following cookie types, whose scope and functions are explained in the following:
- transient cookies;
- persistent cookies.
Transient cookies are deleted automatically when you close your browser. Session cookies belong to this group in particular. They store what is known as a session ID that enables assignment of your browser to various requests during your visit to our website. This allows identification of your browser if you return to our website. The session cookies are deleted when you log out or close the browser.
Persistent cookies are deleted automatically after a set period, which may differ according to the cookie. You can adjust your browser settings to delete the cookies.
We use the following proprietary cookies:
Session ID cookie: This cookie stores your session ID that enables assignment of your browser to various requests during your visit to our website. It is therefore possible to recognise your browser if you return to our website. It is a transient cookie.
shopping basket cookie: This cookie stores the items you have placed in your shopping basket in our online shop. It is a persistent cookie.
5b2. Legal grounds for data processing
5b3. Purpose of data processing
5b4. Duration of storage
Transient cookies are deleted automatically when you close your browser. Persistent cookies are deleted automatically after a set period. This is one week from closing the browser after visiting our website in the case of our opt-out and shopping basket cookies.
5b5. Information according to Art. 13 (2)(e) GDPR
5c) Use of Google Analytics
We use Google Analytics as follows:
5c1. Description and scope of data processing
In addition, we use Google Analytics, a web analysis service by Google Inc, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; „Google“). We use the „Universal Analytics“ version. This allows us to assign data, sessions and interaction across several devices to a pseudonymised user ID and therefore to analyse the activities of a user on any device.
Google Analytics uses „cookies,“ which are text files placed on your computer that enable an analysis of your use of the website. The information generated by the cookie about your use of this website, for instance browser type/version, operating system used, referrer URL (last visited page), host name of the accessing computer (IP address), time of server request, is generally transmitted to and stored on a Google server in the United States. The IP address transmitted by your browser within the scope of Google Analytics will not be associated with any other data held by Google. Further, we have added the code „anonymizeIP“ to Google Analytics on this website. This ensures masking of your IP address, so that all data is collected anonymously. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.
We have concluded a Data Processing Agreement with Google and implement the full requirements of the data protection authorities in the use of Google Analytics.
5c2. Legal grounds for data processing
The legal grounds for the use of Google Analytics are set out in Section 15 (3) Telemedia Act (TMG), i.e. in Art. 6 paragraph 1 point (f) GDPR.
5c3. Purpose of data processing
On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing the website operator with other services relating to website and Internet use.
These purposes represent our legitimate interest in data processing.
5c4. Duration of storage, right of objection and rectification
Opt-out cookies prevent your data from being collected in future when you visit this website. You must complete opt-out on all devices in order to prevent logging by Universal Analytics on various devices.
5c5. Information according to Art. 13 (2)(e) GDPR
The use of Google Analytics is stipulated neither by contract nor by law for the provision of data. Neither is this data necessary for the conclusion of a contract. You are not required to provide this data. A failure to provide this data will have no repercussions whatsoever.
6. Rights of the data subject
In the following we will inform you of your rights according to Art. 13 (2)(b-d), 14 (2)(c-e) GDPR. Where your personal data is processed, you are the data subject in the meaning of the GDPR, and you therefore have the following rights in regard to the controller:
6a) Right of access, Art. 15 GDPR
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed. Where that is the case, you are entitled to demand access from the controller to the following information
- the purposes of the processing of personal data;
- the categories of personal data that is processed;
- the recipients or categories of recipient to whom the personal data has been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You are also entitled to demand access to information whether your personal data is transferred to recipients in third countries or to an international organisation. In this regard, you may insist on instruction of the appropriate safeguards according to Art. 46 GDPR in regard to the transfer of your personal data.
6b) Right to rectification, Art. 16, 19 GDPR
You have the right to obtain from the controller rectification and/or completion insofar as the processed personal data concerning you is inaccurate or incomplete. The controller must rectify the data without undue delay.
6c) Right to restriction in processing, Art. 18, 19 GDPR
You have the right to obtain from the controller restriction of processing your personal data where the following applies:
- the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of use of the personal data instead;
- the controller no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing pursuant to Article 21 paragraph 1 GDPR and it is not yet ascertained whether the legitimate grounds of the controller override your own.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where restriction of processing has been enforced for the reasons set out above, you will be informed by the controller before the restriction of processing is lifted.
6d) Right to erasure, Art. 17, 19 GDPR
6d1. Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- You withdraw consent on which the processing is based according to point (a) of Article 6 paragraph 1 or of point (a) of Article 9 paragraph 2 GDPR, and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21 paragraph 1 and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 paragraph 2 GDPR.
- The personal data concerning you was unlawfully processed.
- The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
6d2. Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 1 paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 paragraph 2 as well as Article 9 paragraph 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1 GDPR insofar as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
6d4. Right to instruction
Where you have enforced the right to rectification, erasure or restriction of processing toward the controller, the controller shall be obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of data or the restriction of processing, except where compliance proves impossible or would be associated with an unreasonable expense.
You have the right to instruction by the controller as to the names of these recipients.
6e) Right to data portability, Art. 20 GDPR
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6 paragraph 1 GDPR or point (a) of Article 9 paragraph 2 GDPR or on a contract pursuant to point (b) of Article 6 paragraph 1 GDPR; and
- the processing is carried out by automated means.
In exercising your right to data portability, you shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This must not adversely affect the freedoms and rights of other persons.
The right to data portability shall not apply to the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6f) Right to object, Art. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 paragraph 1 GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
6g) Right to revoke your declaration of consent under data protection laws, Art. 7 (3) GDPR
You are entitled at any time to revoke your declaration of consent under data protection laws according to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR. Revoking your declaration of consent is without prejudice to the lawfulness of processing conducted until your revocation of consent.
6h) Automated individual decision-making, including profiling, Art. 22 GDPR
You have right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you in a significant way. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
Decisions of this kind must not be based on special categories of personal data referred to in Article 9 paragraph 1 GDPR, unless point (a) or (g) of Article 9 paragraph 2 GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in paragraphs (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
6i) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.