EU Online Shop
As of 23 March 2024, in a nutshell - kurzgesagt GmbH (“kurzgesagt”) will directly handle your kurzgesagt EU shop purchases, whereas previously, they were managed by DFTBA Europe B.V. (“DFTBA”). For all orders placed on the kurzgesagt EU shop until 22 March 2024, DFTBA will be your contractual partner and fulfil these orders. If you have any questions or issues with an order placed before that date, DFTBA remains responsible for your order and data. For all purchases made on and after 23 March 2024, kurzgesagt will be your contractual partner.
If you do not want your data to be transferred you can object by emailing firstname.lastname@example.org until 22 March 2024. In that case you will not be able to receive information about updates, special offers, or rebates from kurzgesagt anymore. After 22 March 2024 you can always request kurzgesagt to delete your data at any time.
Valid as of 23 March, 2024
The personal data we collect consists of (i) information you provide to us directly, e.g. when creating an account in our online shop; (ii) information collected automatically, e.g. information collected via cookies on our online shop; and (iii) information we need to process to fulfill your orders.
2. CONTROLLER AND DATA PROTECTION OFFICER
2.1 Controller is:
In a nutshell – kurzgesagt GmbH ("KGS"),
Landwehrstraße 39, 80336 Munich, Germany,
Phone +49 (0)89 9545 730 20, e-mail: email@example.com
2.2 Our data protection officer (“DPO”) is:
LS Sport GmbH, Widenmayerstraße 28, 80538 München,
Germany, e-mail: firstname.lastname@example.org
If you have any questions about data protection, you can contact our data protection officer at any time.
3. GENERAL INFORMATION ON DATA PROCESSING
The use of our online shop is generally possible without any indication of personal data; however, if you want to use the services of our online shop (e.g. create an account, place an order, subscribe for the newsletter), processing of personal data could become necessary.
Please note that links and features in our online shop may take you to other websites which are not operated by us but by third parties. Such links are either clearly marked by us or are recognizable by an obvious change in the address line of your web browser. We are not responsible or liable for compliance with the respective data protection regulations and safe handling of your personal data on these websites operated by third parties.
4. VISITING OUR ONLINE SHOP / LOGFILES
Each time you visit our online shop, our system automatically collects data and information from the computer system of the calling computer. This general data and information are stored in the server log files. The following data is logged:
- IP address of the calling computer
- Operating system of the calling computer
- Browser type and version of the calling computer
- Name of the retrieved file/website
- Date and time of retrieval
- Transferred amount of data
- Referring URL
The mentioned data is processed in order to be able to present the online shop correctly, to ensure its security, availability and integrity (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the content of the online shop, to be able to identify and correct errors, and for statistical purposes.
In this context, we analyze this data and information statistically in order to ensure an optimal level of security and protection for both our business and the personal data we process in the course of entering into a contract with our potential customers.
The anonymous data of the server log files are stored separately from all personal data provided by potential customers. We do not combine this personal data with other data sources. This data is regularly deleted after a few days. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal or system-inappropriate use of our online shop.
5. ONLINE SHOP
5.1 Operation of the KGS Online Shop
If you do not want your customer data to be transferred, you can object to the transfer by emailing DFTBA Europe at email@example.com until 22 March 2024.
As of 23 March 2024, i.e. after the data transfer to us, you can of course always object to the use of your data and request their deletion by contacting us directly (see Sec. 10).
Our online shop is provided and hosted by Shopify International Ltd. in Ireland (“Shopify”) on the basis of a data processing agreement (“DPA”) pursuant to Art. 28 GDPR. The processing by Shopify International Ltd. (Ireland), which is our contractual partner, may involve the transfer of data to a third country outside the EU, i.e. to the parent company Shopify Inc. (USA). In this case, we ensure that appropriate safeguards are provided for the transfer in accordance with Art. 44 et seq. GDPR. Shopify Inc. is also certified under the EU-US Data Privacy Framework (Art. 45 GDPR). We will provide you with proof of the appropriate safeguards (in particular the DPA) at any time upon request.
5.3 Placing Orders and Fulfillment, Payment
If you place an order in our online shop, we will process the following data:
- last name,
- first name,
- e-mail address,
- postal address,
- phone number,
- purchase and payment information.
When purchasing goods via our online shop we are your contractual partner and will fulfill all orders placed. We will process the above mentioned data for the conclusion of the contract with you and the fulfillment of your order. We record and process your personal data, which is transmitted to us after successful completion of the ordering process, if and to the extent that this is necessary to get your order to you or to handle returns and/or warranty claims you might have.
This data will be passed on to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the ordered goods as well as to credit institutions and/or payment service providers commissioned with the payment processing. These third party companies act as independent data controllers and are not bound to any instructions by us.
On the same legal basis, your personal data may be passed on to our commissioned customer service, if necessary, to sort out any issues/inquiries regarding your online purchase. Our customer service acts as our data processor on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR. In this context, we regularly use service providers which process your personal data in the EU or in a third country with an adequate level of data protection (Art. 45 GDPR); otherwise we ensure guarantees according to Art. 46 GDPR. We will provide you with proof of the appropriate safeguards (in particular the DPA) at any time upon request.
5.4 Creating an Account
You do not have to create an account but can shop as a guest in our online shop. However, creating an account in the context of ordering via our online shop can make future purchases easier and provide a more customized, simpler shopping experience. For example, your address data and payment methods may be pre-selected for your next order in our online shop.
If you create an account, we will process your data as described under Sec. 5.3 as well as login data provided for your account.
Your data will be processed and stored as long as you use your account. You can, of course, delete your account and any data stored therein at any time by contacting us (see Sec. 10). If you delete your account, the data processed via your account will be deleted (subject to any retention obligations, see below under "Retention and Deletion").
5.5 Direct advertising
We may use the e-mail address you provide when creating an account and/or concluding a contract with us for direct advertising for our own and similar products and services. If you do not wish to receive any direct advertising, you can object to the use of your e-mail address at any time by using the unsubscribe link contained in every newsletter, or you can exercise your right to object by contacting us directly (see Sec. 10).
We may use an external service provider as a data processor for sending direct advertising e-mails on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR. We will provide you with proof of appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, (in particular the DPA) at any time upon request.
6.1 Registration and scope of data processing
In order to verify that a registration for the newsletter is made by the actual owner of an email address, we use the so-called "double opt-in" procedure. In this process, after registration of an email address, a confirmation email is sent to the registered email address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation e-mail is activated. The IP address of the calling computer and the date and time of activation of the confirmation link are also transmitted to us.
We will use your data to send you our newsletter, in which we inform you about all our services and news.
You can unsubscribe from the newsletter any time by using the unsubscribe link contained in each newsletter or by contacting us directly (please see Sec. 10). Your data will be deleted immediately after you unsubscribe.
6.2 Newsletter Analytics/Tracking
The newsletter of KGS contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, KGS may see if and when you opened an e-mail, and which links in the e-mail were called up by you.
These personal data will not be passed on to third parties. You are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After withdrawal, these personal data will be deleted by us.
KGS automatically regards a withdrawal from the receipt of the newsletter as a withdrawal of this data processing.
6.3 Newsletter Service Provider
We use an external service provider as a data processor for sending and analyzing our newsletter on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR.
Depending on where the service provider is based and where its servers are located, the personal data may be transferred to a third country outside the EU without an adequate level of data protection. In this case, we ensure that appropriate safeguards are provided for the transfer in accordance with Art. 44 et seq. GDPR. We will provide you with proof of the appropriate safeguards (in particular the DPA) at any time upon request.
7. COOKIES AND THIRD-PARTY TOOLS/FUNCTIONS
7.1 Description and scope of the data processing
Cookies are pieces of information that are transferred from our web server or third-party web servers to your browser and stored there for later retrieval. Cookies may be small files or other types of information storage. Information is stored in cookies that is related to the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
A cookie also contains information about its origin and the storage period. However, this does not mean that we gain immediate knowledge of your identity. Some of the cookies we use are deleted at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies (so-called third-party cookies) to recognize your browser on your next visit (so-called persistent cookies). If cookies are set, they collect and process certain user information such as browser and location data as well as IP address values to an individual extent.
The following data is processed:
- Date and time of access,
- Browser information,
- Device information,
- Geographic location,
- Cookie preferences,
- URL of the page visited.
Persistent cookies are automatically deleted after a certain period of time, which can vary depending on the cookie. There are also cookies that are used to evaluate user behavior or display advertising (so-called analysis or marketing cookies).
We also use third-party functionalities, buttons, plug-ins and tools, for example, to expand the functional scope of the shop website, to analyze the use of the shop website, and to optimize our shop and the other content accordingly.
When integrating tools and functionalities from third-party providers, personal data may be transmitted to the providers of the integrated tools and functionalities in order to be able to provide the tools and functionalities.
Cookies and tools and functionalities from third-party providers are referred to uniformly as "cookies" in the following for the sake of simplicity.
7.2 Cookie Consent Tool/Consent Management Service (Usercentrics)
We use the consent management service Usercentrics of Usercentrics GmbH, Sendlinger Straße, 70331 Munich in Germany (“Usercentrics”). This enables us to obtain and document the consent of visitors of our online shop.
When you enter our online shop, the following personal data is transferred to Usercentrics:
- Your consent(s) or the withdrawal of your consent(s),
- your IP address,
- Information about your browser,
- Information about your end device,
- Time of your visit.
Furthermore, the cookie consent tool stores a cookie in your browser in order to be able to assign the consents given or their withdrawals to you. The data collected in this way is stored until you ask us to delete it, delete the corresponding cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.
The cookie consent tool is used to obtain the legally required consent for the use of certain technologies. A distinction is made between functional cookies and cookies for compiling statistics. You can change the cookie settings at any time by clicking on the fingerprint symbol.
Usercentrics acts for us as a data processor on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR. Accordingly, Usercentrics is prohibited from selling your data and using it for purposes other than sending newsletters. Usercentrics is a certified provider that has been selected in accordance with the requirements of the GDPR and the Federal Data Protection Act.
The processing takes place in the EU, so no data is transferred to a third country.
For more information on objection and removal options vis-à-vis Usercentrics, please visit: https://usercentrics.com/de/datenschutzerklaerung/
7.3 Necessary/Essential Cookies and Tools/Functions
When visiting our shop website, cookies are set that are necessary for the operation of the shop website. These necessary/essential cookies may be, for example, cookies that are required for the display of the shop website with a content management system, which are used to recognize language settings, or which are used to document whether you have consented to the setting of further (non-essential) cookies or whether you have rejected them.
These necessary/essential cookies, including their purpose and storage period or deletion period, are explained to you in our cookie consent tool, which is displayed when you access the shop website.
7.4 Non-Essential Cookies and Tools/Functions
We also use non-essential cookies, for example to collect additional information about the interests of visitors to our shop website or about their usage behavior, in order to analyze and optimize our shop website and generally our customer interactions on this basis.
Non-essential cookies, including their purpose and storage period or deletion period, are also explained to you in our cookie consent tool, which is displayed when you access our shop website.
Non-essential cookies are only set if you have expressly consented to the setting of non-essential cookies. You can also select different categories of non-essential cookies that you wish to allow in the cookie consent tool.
7.5 Storage duration
- Microsoft Internet-Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
- Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=de
- Safari: https://support.apple.com/kb/ph21411?locale=en_GB
7.6 Google Tag Manager
On our online shop we use the tool Google Tag Manager. Google Tag Manager is provided by Google Ireland Limited, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland (“Google”). Through this tool, website tags can be managed via an interface. Google Tag Manager only implements tags, but no cookies are used, and no personal data is collected. Google Tag Manager triggers other tags, which in turn may collect data, but Google Tag Manager does not access this data.
7.7 Fonts (Google Fonts)
We have concluded a Data Processing Agreement (“DPA”) with Google for commissioned data processing within the meaning of Art. 28 GDPR. Google is also certified in accordance with the EU-US Data Privacy Framework (Art. 45 GDPR).
7.8 Social Media Buttons
Social media buttons of various social media networks (e.g. LinkedIn, Instagram, X (Twitter), YouTube and Facebook) are integrated on our shop website.
The providers of the social platforms whose buttons we have integrated on the shop website may have their registered office (often via the parent company) outside the EU or the EEA - an adequate level of data protection in accordance with the GDPR may therefore not exist. The buttons/links are clearly marked on our website. To ensure data protection on our website, we only use such buttons if you have given your consent as part of the cookie consent tool or together with the so-called "two-click" solution. This application prevents the buttons integrated on our website from transmitting data to the providers as soon as you enter the website for the first time. Only when you have given your express consent using the opt-in function or activate the respective button by clicking on the associated button (implied consent), a direct connection to the provider's server will be established. As soon as you activate the button, the providers receive the information that you have visited our website with your IP address. If you are logged into your respective social media account (e.g. Facebook or Instagram) at the same time, the providers can assign the visit to our website to your user account. Activating the button/plugin constitutes implied consent within the meaning of Art. 6 para. 1 lit. a) GDPR. You can revoke both express and implied consent at any time with effect for the future.
8. LEGAL BASIS
The processing of your personal data as described above is based on the following legal sources in accordance with the GDPR. The respective legal basis for each data processing depends on the specific purpose (as outlined above) of the respective data processing:
8.1 Performance of a contract (Art. 6 para. 1 lit. b) GDPR)
This applies when we conclude (or are about to conclude) a contract with you or communicate with you about it. This includes processing your personal data to accept and fulfill orders, deliver products and services, and process payments.
8.2 Legitimate Interest (Art. 6 para. 1 lit. f) GDPR)
This applies to data processing for the measures necessary to operate the shop website, detecting and preventing fraud or abuse to protect the safety of our customers, our own safety and that of third parties regarding our online shop, and when we show you interest-based, direct advertising. In these cases, you may have the right to object to the respective data processing by contacting us (see Sec. 10).
8.3 Consent (Art. 6 para. 1 lit. a) GDPR)
This applies when we ask for your consent to process your personal data for a specific purpose notified to you (i.e. also via our cookie consent tool). In these cases, you may freely withdraw your consent at any time by contacting us and we will stop processing your personal data for that purpose (see Sec. 10).
8.4 Legal obligations (Art. 6 para. 1 lit. c) GDPR)
This applies when we process your personal data to comply with a legal obligation. For example, we need to store specific order information due to retention obligations under statutory commercial or tax law.
8.5 Other legal grounds in accordance with GDPR
Other legal grounds according to Art. 6 GDPR may apply depending on the purposes for which we use personal information.
9. RECIPIENTS OF DATA
Within our company, your data is received by those internal departments or organizational units that need it to fulfill their tasks, to fulfill contracts with you if necessary, for data processing with your consent or to safeguard our overriding legitimate interests.
Data will only be passed on to third parties within the framework of legal requirements and as described with regard to the respective data processing above.
10. YOUR RIGHTS
You have the rights explained below with regard to the personal data processed by us concerning you:
10.1 Right of Access
You can request information in accordance with Art. 15 GDPR about your personal data that we process.
10.2 Right to Rectification
If the information concerning you is not (or no longer) accurate, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.
10.3 Right to Erasure
You may request the erasure of your personal data in accordance with Art. 17 GDPR.
10.4 Right to Restriction of Processing
In accordance with Art. 18 GDPR you have the right to request restriction of processing of your personal data.
10.5 Right to Object to Processing
You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data which is carried out on the basis of Art. 6 para. 1 lit. e) or lit. f) GDPR in accordance with Art. 21 para. 1 GDPR. In this case, we will not further process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert and exercise or defend against legal claims (Art. 21 para. 1 GDPR).
In addition, according to Art. 21 para. 2 GDPR, you have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing; this also applies to any profiling, insofar as it is related to such direct advertising.
10.6 Right to Withdraw Consent
Insofar as you have given your consent for processing in accordance with Art. 6 para. 1 lit. a) GDPR, you have the right to withdraw your consent pursuant to Art. 7 para. 3 GDPR at any time without giving reasons. The consequence of this is that we may no longer continue the data processing based on this consent in the future. However, the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
10.7 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format ("data portability") as well as the right to have this data transferred to another controller if the conditions of Art. 20 para. 1 lit. a) and b) GDPR are met.
10.8 Exercise of Rights
10.9 Right of appeal to the supervisory authority
Finally, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office. The supervisory authority responsible for our registered office is Bayerisches Landesamt für Datenschutz.
11. RETENTION AND DELETION
We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing or as stipulated by the storage periods provided by law (in particular, regarding any retention periods under statutory commercial or tax law).
If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.
12. INFORMATION SECURITY
We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
Our shop website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.
Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.
A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.