Data protection information of Smart Organic GmbH
(Version 1.1; as of May 13, 2020)
Since May 25, 2018, the provisions of the EU General Data Protection Regulation (hereinafter: GDPR) have applied across Europe. Below, we would like to inform you about the processing of personal data carried out by Smart Organic GmbH in accordance with this new regulation (see Article 13 GDPR). Please read our data protection information carefully. If you have any questions or comments about this data protection information, you can send them to the email address given in section 2 at any time.
The following data protection notices inform you about the type and scope of processing of so-called personal data by Smart Organic GmbH. Personal data is information that is or can be assigned to your person directly or indirectly.
Data processing by Smart Organic GmbH can essentially be divided into three categories:
- For the purpose of contract processing, all data necessary for the execution of a contract with Smart Organic GmbH is processed. Should external service providers also be involved in the execution of the contract, e.g. Logistics companies or payment service providers, your data will be passed on to them to the extent necessary.
- In addition to contract processing, we use the data you collect in the course of contract processing for the purpose of informing you periodically, about new offers and promotions.
- When you access the website / application of Smart Organic GmbH, various information is exchanged between your device and our server. This can also be personal data. The information collected in this way is used, among other things, to optimise our website or to display advertisements in the browser of your device.
In accordance with the provisions of the GDPR, you have different rights that you can assert against us. This includes the right to object to selected data processing, in particular data processing for advertising purposes.
If you have any questions about our data protection information, please feel free to contact our company data protection officer at any time. You will find the contact details below.
2. Name and contact details of the person responsible for processing and the company data protection officer
This data protection information applies to data processing by Smart Organic GmbH, Bad Antogast 1, Oppenau, 77728, Germany
(“Responsible”), and for the following websites or applications: https://shop.smartorganic.eu/ The operational data protection officer of Smart Organic GmbH is at the above-mentioned Address, to Hd.
Data protection department, or at firstname.lastname@example.org.
3. Purposes of data processing, legal bases and legitimate interests pursued by Smart Organic GmbH or a third party, as well as categories of recipients
3.1. Access our website / application
When you visit our website / application, the browser used on your device automatically sends information to the server of our website / application and temporarily stores it in a so-called log file. We have no influence over this. The following information is recorded without your intervention and stored until it is automatically deleted:
- The IP address of the requesting internet-enabled device,
- The date and time of access,
- the name and URL of the file accessed,
- The website / application from which the access was made (referrer URL),
- The browser you are using and, if applicable, the operating system of your internet-enabled computer and the name of your access provider.
The legal basis for processing the IP address is Article 6 paragraph 1 letter f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point, we would like to point out that we cannot draw any direct conclusions about your identity from the data collected and that we cannot draw any information from you.
We use the IP address of your end device and the other data listed above for the following purposes:
- ensuring a smooth connection establishment,
- Ensuring comfortable use of our website / application,
- Evaluation of system security and stability.
If you have consented to geolocation in your browser or in the operating system or other settings on your device, we use this function to be able to offer you individual services related to your current location (e.g. the location of the nearest branch). We process your location data in this way exclusively for this function. If you stop using the data, it will be deleted.
3.2. Conclusion, execution or termination of a contract
3.2.1. Data processing when concluding a contract
The purpose of Smart Organic GmbH is the distance selling of goods and services, the retail trade within the framework of the officially issued permits and the serial production of the goods on offer. In this context, we process the data required for the conclusion, implementation or termination of a contract with you. Which includes:
- First name, last name
- Invoice and delivery address
- Email address
- Billing and payment data
- Date of birth, if applicable
- Telephone number, if necessary
The legal basis for this is Article 6 paragraph 1 letter b) GDPR, i.e. You provide and the data on the basis of the contractual relationship between you and us. We are also obliged to process your email address based on a requirement in the German Civil Code (BGB) to send an electronic order confirmation (Article 6 Paragraph 1 Letter c) GDPR). Insofar as we do not use your contact details for advertising purposes (see 3.3. Below), we store the data collected for the execution of the contract until the expiry of the statutory or possible contractual warranty and guarantee rights. After this period has expired, we retain the information of the contractual relationship required by commercial and tax law for the legally determined periods on the basis of Art. 6 para. 1 lit. c) in a blocked form. For this period (usually six or ten years after the end of the year in which the contract is concluded, the data will be processed again only in the event of a review by the tax authorities.
The following data processing is also required to process the purchase contract:
If you have selected a payment method other than prepayment or cash on delivery, we will pass on the necessary payment data to a payment service provider commissioned by us. We pass on details of your delivery address to a logistics company commissioned by us for the purpose of processing the purchase contract. If you agree, we will transmit your email address and, if applicable, your telephone number to the logistics company commissioned by us to ensure that the goods are delivered according to your wishes. The logistics company will get in touch with you in advance of the delivery
Communicate delivery time or to coordinate delivery details with you. The data will only be transmitted for this purpose and will be deleted after delivery.
3.2.2. Identity, creditworthiness and transmission to credit agencies
If necessary, we will check your identity using information from service providers. The legal basis for this is Article 6 paragraph 1 letter b) and letter f) GDPR. The authorization for thеse results form the protection of your identity and the avoidance of fraud attempts at our expense. The circumstance and the result of our inquiry will be saved to your customer account or guest account for the duration of the contractual relationship.
In the course of the ordering process, we also check your creditworthiness so that we can only show you the payment methods that you can use. For this purpose, we transmit the following types of data to so-called credit bureaus that cooperate with us: name, address, date of birth. The legal basis for this is the declaration of consent declared by you in the sense of Article 6 paragraph 1 letter a) GDPR:
‘I hereby consent to the review of my creditworthiness by Smart Organic GmbH. I am aware that the check is carried out at the beginning of the ordering process and I can withdraw my consent at any time.’
You can withdraw your consent at any time with future effect by declaring to the address given under “Contact”. The revocation of consent does not affect the legality of the personal data processed up to the revocation. If you do not want to give the above consent, please give us a note before you complete your purchase or use the option of guest orders. In this case, however, we can only offer you payment methods that are not associated with a credit risk for Smart Organic GmbH. The circumstance and the result of our inquiry will be saved to your customer account for the duration of the contractual relationship.
As long as you have already bought from us, your data stored by us about you can be supplemented with so-called score values. Scoring means creating a forecast of future events based on information and past experience. Such processing is based on Article 6 paragraph 1 letter f) GDPR. The creation of such forecasts is considered a legitimate interest in the sense of the aforementioned Rule.
On the basis of the data stored about you, an assignment to statistical groups of people who have had similar entries in the past takes place. The underlying method used is a well-founded, long-established, mathematical-statistical method for forecasting risk probabilities.
In the event of a delay in payment, if the other legal requirements are met, we will transmit the necessary data to a company commissioned to assert the claim. The legal bases for this are both Article 6 paragraph 1 letter b) and Article 6 paragraph 1 letter f) GDPR. The assertion of a contractual claim is to be regarded as a legitimate interest within the meaning of the second provision. If the other legal requirements are met, we will also send information about the delay in payment or a possible bad debt loss to credit agencies that cooperate with us. The legal basis for this is Article 6 paragraph 1 letter f) GDPR. The legitimate interest required here arises from our and the interests of third parties in reducing contract risks for future contracts.
3.3. Data processing for advertising purposes
The following explanations relate to the processing of personal data for advertising purposes. The GDPR declares such data processing on the basis of Article 6 paragraph 1 letter f) as fundamentally conceivable and as a legitimate interest. The duration of data storage for advertising purposes does not follow rigid principles and is based on the question of whether the storage is necessary for advertising purposes. At Smart organic GmbH, we also follow the principle of deleting data for advertising purposes after 10 years. How to proceed in the event of your objection, please refer to para. 3.3.3.
3.3.1. Advertising purposes of Smart Organic GmbH and third parties
If you have concluded a contract with us, we will manage you as an existing customer. In this case, we process your postal contact data outside of the existence of a specific consent in order to send you information about new products and services. From time to time, we will send your postal contact details to contractors from the mail order and telecommunications sectors that we have selected with particular care so that they can also inform you about their products. We process your email address in order to provide you with information for your own similar products outside of specific consent.
3.3.2. Interest-based advertising
We categorise and supplement your customer profile with further information so that you only receive advertising information that is of interest to you. Both statistical information and information about you (e.g. basic data of your customer profile) are used for this. The aim is to send you advertising based solely on your actual or supposed needs and, accordingly, not to bother you with useless advertising.
3.3.3. Right to object
You can object to the data processing for the aforementioned purposes at any time free of charge, separately for the respective communication channel and with effect for the future. For this, an email or a letter to the contact details mentioned under 2 is sufficient.
If you file an objection, the contact address concerned will be blocked for further advertising data processing. We would like to point out that in exceptional cases, even after receipt of your objection, advertising material may be sent temporarily. Technically, this is due to the necessary lead time for advertisements and does not mean that we will not implement your objection. Thank you for your understanding.
3.3.4. Newsletter dispatch
On our website we offer you the opportunity to subscribe to our newsletter. In order to be able to asure that no errors were made when entering the email address, we use the so-called double opt-in procedure: After you have entered your email address in the registration field, we will send you a confirmation link. Your email address will only be added to our mailing list when you click on this confirmation link. The processing of your electronic contact details takes place here solely on the basis of your consent (Article 6 paragraph 1 letter a GDPR). You can withdraw your consent in this way at any time with future effect. All you need to do is briefly send an email to the email address specified under 2. or click the “Unsubscribe” button at the end of each newsletter.
3.4. Online presence and website optimization
3.4.1. Cookies – general information
If you have a customer account with Smart Organic GmbH and are logged in or activate the “stay logged in” function, the information stored in cookies will be saved to your customer account.
3.4.2. Google Analytics
We use Google Analytics, a web analytics service provided by Google Inc. (“Google”), for the purpose of designing and continually optimising our pages based on Article 6 (1) (f) GDPR. In this context, pseudonymised usage profiles are created and cookies are used. The information generated by the cookie about your use of this website such as
- Browser type / version,
- Operating system used
- referrer URL (the page previously visited),
- host name of the accessing computer (IP address),
- time of the server request,
are transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data.
The IP addresses are anonymised so that an assignment is not possible (so-called IP masking).
You can prevent the installation of cookies by setting your browser software accordingly; however, we would like to point out that in this case not all functions of this website can be used to their full extent. You can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing this browser add-on. As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie is set which prevents the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you have to set the opt-out cookie again. Further information on data protection in connection with Google Analytics can be found on the Google Analytics website.
The targeting measures listed below and used by us are carried out on the basis of Article 6 paragraph 1 letter f GDPR. With the targeting measures used, we want to ensure that you are only shown advertising on your end devices that is oriented towards your actual or supposed interests. It is in both your and our interest not to bother you with advertisements that are of no interest to you.
18.104.22.168 Onsite targeting
We also use re-targeting technologies from Facebook and Google. This enables us to make our online offers more interesting for you. For this purpose, a cookie is set, with which interest data is collected using pseudonyms. Based on this information, you will be shown interest-based advertisements for our offers on the websites of our partners. No directly personal data will be saved and no usage profiles will be merged with your personal data. The cookie is saved for a period of 30 days and then automatically deleted.
22.214.171.124. Opposition / opt-out option
In addition to the described deactivation methods, you can also generally prevent the explained targeting technologies by setting the appropriate cookie in your browser (see also 3.4.1). You also have the option of deactivating preference-based advertising using the preference manager available here.
3.4.4 Social media plug-ins
We use social plug-ins from the social networks Facebook, Google+ and Twitter on our website based on Article 6 Paragraph 1 Letter f GDPR in order to make our company better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for data protection-compliant operation must be guaranteed by their respective providers. We integrate these plug-ins using the so-called two-click method in order to best protect visitors to our website.
So-called plug-ins from the social network Facebook, which is offered by Facebook Inc., are used on our website. The Facebook plug-ins are marked with a Facebook logo or the addition “Like” or “Share”. You can find an overview of the Facebook plug-ins and their appearance using the following link. If you activate such a plug-in (first click), your browser establishes a direct connection to the Facebook servers. The content of the plug-in is transmitted from Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Facebook profile or are currently not logged in to Facebook. This information (including your IP address) is sent from your browser directly to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can immediately assign your visit to our website to your Facebook profile. If you interact with the plug-ins, for example by clicking the “Like” button, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.
For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights and setting options to protect your privacy, please refer to Facebook’s data protection information. If you do not want Facebook to directly associate the information collected about your visit to our website with your Facebook profile, you must log out of Facebook before visiting our website.
3.5. Customer account
In order to provide you with the greatest possible convenience when shopping, we offer you the permanent storage of your personal data in a password-protected customer account. The creation of the customer account is voluntary and takes place on the basis of your consent within the meaning of Article 6 Paragraph 1 Letter a) GDPR. Once a customer account has been set up, no additional data entry is required. You can also view and change the data stored about you in your customer account at any time.
In addition to the data requested when placing an order, you must provide a password of your choice to set up a customer account. Together with your e-mail address, this serves to access your customer account. Please treat your personal access data confidential and, in particular, do not make it accessible to unauthorised third parties. We cannot accept any liability for misused passwords unless we are responsible for the misuse. Please note that you will remain automatically logged in even after you leave our website, unless you actively log out. You have the option to delete your customer account at any time. Please note, however, that this does not at the same time delete the data visible in the customer account.
3.6. Contact form
We offer visitors to our website the opportunity to contact us using a contact form. We only use the information you provide via the contact form (mandatory information is marked with an asterisk) for the purpose of processing your request. The legal basis for this is both your consent within the meaning of Article 6 paragraph 1 letter a) GDPR and Article 6 paragraph 1 letter f) GDPR. The proper processing of your concerns is to be regarded as a legitimate interest within the meaning of the GDPR. If you contact us in connection with a contractual relationship between you and us, Article 6 paragraph 1 letter b) GDPR, i.e. this contractual relationship is the legal basis for data processing. You consent to the above. You can revoke data usage at any time with effect for the future free of charge by sending a short message to the contact details given under 1. This does not affect the lawfulness of processing based on your consent until the time of your withdrawal. However, we would like to point out that it will no longer be possible to process your request from the time you withdraw your consent. If there is no revocation, your data relating to the request will be deleted after your request has been processed. You can find out how we proceed in the event of the exercise of data subject rights below.
4. Recipients outside the EU
With the exception of those under 3.2.1. and the processing shown, we will not pass on your data to recipients based outside the European Union or the European Economic Area. The under 3.4. The processing mentioned causes data to be transmitted to the servers of our commissioned providers of tracking and targeting technologies. These servers are located in the United States. The data is transmitted in accordance with the principles of the so-called Privacy Shield and on the basis of so-called standard contractual clauses of the EU Commission.
5. Your rights
In addition to the right to withdraw your consent given to us
Subject to the respective legal requirements, the following additional rights:
- Right to information about your personal data stored by us in accordance with Art. 15 GDPR; In particular, you can obtain information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data, unless it was collected directly from you,
- Right to correct incorrect or to complete correct data acc. 16 GDPR,
- Right to delete your data stored by us in accordance with Art. 17 GDPR insofar as there are no statutory or contractual retention periods or other legal obligations or rights for further storage,
- Right to restrict the processing of your data in accordance with Art. 18 GDPR, provided that the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it; the controller no longer needs the data, but you need it to assert, exercise or defend legal claims or you have objected to processing in accordance with Art. 21 GDPR,
- Right to data portability according to Art. 20 GDPR, i.e. the right to receive selected data stored by us about you in a common, machine-readable format, or to request transmission to another person responsible
- Right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or work or our company headquarters.
5.2. Right to object
Under the conditions of Art. 21 Para. 1 GDPR, data processing can be objected to for reasons that arise from the particular situation of the data subject.
The above general right to object applies to all processing purposes described in this data protection information, which is processed on the basis of Article 6 paragraph 1 letter f) GDPR. Unlike the special right to object to data processing for advertising purposes (see 3.3 above), we are only obliged to implement such a general objection under the GDPR if you give us reasons of overriding importance (e.g. a possible danger to life or health). There is also the option of contacting the supervisory authority responsible for Smart Organic GmbH, the
Data protection officer in Smart Organic GmbH. (email@example.com)
If you assert us against one or more of the data subject rights listed above, we will save this fact in anonymised form on the basis of Article 6 paragraph 1 letter f) GDPR. The fact that we can also prove that we have properly followed your request in cases of doubt is a legitimate interest within the meaning of this regulation. Deletion of this anonymized, i.e. There is no information that can no longer be associated with you.
6. Data security
All data that you personally transmit, including your payment details, are transmitted using the generally accepted and secure standard SSL (Secure Socket Layer). SSL is a secure and proven standard that e.g. also used in online banking. You can recognize a secure SSL connection by the appended at http (i.e. https: // …) in the address bar of your browser or by the lock symbol in the lower area of your browser.
We also use suitable technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
Information source: https://www.bevh.org/
7. Privacy Notice from Smart Organic GmbH
In which cases may Smart Organic GmbH collect/process your personal data?
- When we have to issue an invoice or other document to you as our customer, or send you your ordered goods or other items.
- When you contact us/our employees using public information about us and/or using our contact details published on our website, an e-shop or on Internet.
- When you register on our website, for instance to place orders or receive news or other services.
- When you state your interest to take part in a recruitment procedure following an advertisement by Smart Organic GmbH and/or when you submit/provide your CV, motivation letter, etc., or when you become or were our employee.
- When you provide your personal data to us or give your consent to our processing such data.
|Legal grounds||Activities, actions, interests|
|· Legitimate business purposes of Smart Organic GmbH||· Economic activity of Smart Organic GmbH;|
|· Execution and/or performance of a contract||· Lawful creation, implementation and termination of commercial, employment and civil relationships;
· Ensure compliance with the health and safety procedures;
|· Compliance with legal obligations||· Compliance of Smart Organic GmbH with its obligations under the existing labour, civil, tax, social security and other laws;
· Ensure safety and security conditions for its employees and assets;
· Prevention and/or investigation of incidents, violations and criminal offences;
|· Your consent||· To register on our website;
· To address your request to exercise a right, etc.
8. Why may Smart Organic GmbH process your personal data?
Smart Organic GmbH may process your personal data for various reasons, depending on our relationship and on the basis of the relevant applicable legal grounds under the privacy laws, such as legitimate business purposes of Smart Organic GmbH, execution and/or performance of an existing contract with you, compliance of Smart Organic GmbH with its legal obligations, and based on your freely given, specific, informed and unambiguous consent to processing your data
What types of personal data does Smart Organic GmbH process?
Depending on the specific purpose, Smart Organic GmbH may process various sets of data:
- Your names, address, personal identification number (e.g. to issue an invoice, for courier delivery);
- Your contact details (address, telephone, e-mail), for the purposes of correspondence, a contract, delivery;
- Video images, when coming within the reach of a CCTV.
About our employees engaged under labour/civil law contracts:
- Physical identity: name, passport data, personal identification number, place of birth, address, telephone;
- Economic identity: remuneration, bank data, borrowing / repayment of loans, allowance, distraint, other debts;
- Social identity: education, qualifications, employment history, professional experience, marital status, children;
- Health identity: current health status, common diseases, chronic diseases, follow-up care, sheltered employment, disability, pregnancy and child-birth;
- Criminal record.
9. How long are your personal data kept/processed?
We keep your personal information for periods corresponding to the specific business purpose or purposes for which the information is collected, and/or for the period provided by law. The criteria for setting time limits that are not legally prescribed depend on:
- The purpose of data collecting and the achievement of such purpose.
- The grounds for data collecting (e.g. in the case of consent, you may at any time withdraw your consent).
There are cases in which, by virtue of legal provisions applicable to our activities or pursuant to internal rules, time lines may be shorter or longer. For instance:
- Personal data in accounting records: 10 years;
- Video images in the VIDEO SURVEILLANCE Register are kept for 13 to 16 days, depending on the number of days in the relevant month; thereafter, they are deleted from DVR/NVR and from back-up records;
- Personal data in the STAFF Register are kept for the legally required time periods: from 3 to 50 years, depending on the types of documents.
10. How can you obtain access to your personal data we process, object to the processing, request limitation of processing, or request supplement, rectification or erasure of your data?
In order to express your wish to have access to your personal data we process, or to object to the processing, request limitation of processing, or request supplement, rectification or erasure of your data, please contact us using the contact form on our website or write to e-mail: firstname.lastname@example.org or our address: Sofia, 7, Amsterdam St.
11. Who may access your personal data?
Access to processed personal data is strictly governed by the internal rules of Smart Organic GmbH depending on the purposes of processing. Such access may have:
- personal data subjects, to their own data;
- authorised employees of Smart Organic GmbH, on a ‘need to know’ basis, according to their designated roles and duties;
- persons to whom data disclosure is prescribed by a statutory instrument (such as authorities of the Ministry of Interior, courts, prosecution offices, the National Social Security Institute, the National Revenue Agency, etc.).
We do not sell or provide in any way personal data to anyone, except as specified above.
12. How can you exercise the right to portability of your personal data we process?
You have the legal right to obtain the personal data concerning you which we process in a structured, commonly used and machine-readable format, and you have the right to transmit such data to another controller, under certain legal conditions. You may also request this from us and we will make it if technically feasible.
13. What security measures do we apply to ensure personal protection?
In full compliance with the legal requirements for personal data protection, we apply strict organisational and technical security measures, including:
- personal data encryption;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems;
- measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- regular testing and evaluating the effectiveness of measures for ensuring the security of the processing.
14. How can you contact us with questions regarding data confidentiality?
E-mail: email@example.com or business address: Bad Antogast 1, 77728 Oppenau, Germany
15. Who are we and how do you find us?
Smart Organic GmbH
Registered office and business address: Bad Antogast 1, 77728 Oppenau, Germany