Franks zauberhafte Holzkunst

Privacy Policy

  1.  General Notes
  2.  Person responsible for data processing, contact details   
  3. Processor used, hosting of the website   
  4. Data collection on the website, purposes and legal basis   
  5. Data collection during the processing of sales and other inquiries   
  6. Data collection for the provision of carving lessons   
  7. Categories of data recipients
  8.   Note on third country transfer (USA and other third countries)   
  9. Existence of automated decision making/profiling   
  10.  Your rights as a data subject   
  11. Status of the privacy policy (change history)


1 General Notes

This privacy policy explains what personal data is collected and processed from you as a visitor to this website. In this respect, the purposes and legal bases of the processing are also explained. Furthermore, section 5 also explains how your personal data is processed when you contact me directly with inquiries (such as for purchases).

Personal data is any data by which you can be or could be personally identified. Furthermore, the privacy policy also informs you about the rights you are entitled to.

I point out that data transmission on the Internet in general (eg communication by e-mail) may have security gaps. A complete protection of data against access by third parties is not possible.

I reserve the right to adjust the privacy policy at any time due to changing legislation or other necessary improvements.

Current status: May 2021 / history of changes at the end of the privacy policy.

2 Person responsible for data processing, contact details

Data processing on this website is carried out by me as the website operator.

Contact details of the responsible person:

Frank Addicks

Milchstraße 20

33775 Versmold

E-Mail: mail@rosenschnitzer.de

3 Processor used, hosting of the website

This website was created with the help of a homepage construction kit of the company Strato AG, Pascalstraße 10 in 10587 Berlin. To this extent, the website is also hosted externally by this company.

The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, as well as website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with my potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of my online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). My hoster will only process your data to the extent necessary for the fulfillment of its service obligations and follow my instructions regarding this data.

Conclusion of a contract on commissioned processing:

In order to ensure data protection compliant processing, I have concluded a processing contract with my hoster.

4 Data collection on the website, purposes and legal basis

a) How is personal data collected from you?

 On the one hand, your data is collected if you provide it yourself. Legal basis is thus in the context of a sale the contract under Art. 6 para 1 lit. b GDPR or otherwise their consent in terms of Art. 6 para 1 lit. a GDPR. Since I do not have a webshop integrated into the website, I make sales of my workpieces by the fact that the interested parties could contact me directly via email. How your personal data is processed in this process, you can see this privacy policy a little more in detail below in section 5.

Other data is automatically collected by the IT systems when visiting the website. This is mainly technical data (e.g. internet browser, operating system or time of page view). The collection of this data takes place automatically as soon as you use this website.

b) What do I use your data for?

Some of the data is collected to ensure functionally error-free provision of the website. Other data may be used to analyze your user behavior (see a little further below under "d) Log data").

c) Storage duration

Unless a more specific storage period has been mentioned within this privacy policy, your personal data will remain with me until the purpose for data processing ceases to apply. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted, unless I have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the data will be deleted after these reasons no longer apply.

d) Log data

When you visit my website, the device you use to access the page automatically transmits log data (connection data) to the server of Strato AG as my service provider and hoster of the website.

Why is log data being collected?

On the basis of the log data, Strato on the one hand creates a statistical analysis, which I as the website operator can view and, if necessary, evaluate or archive.

In addition to the statistical analysis of my website, Strato also stores this data in order to optimize services and to be able to detect and defend against attacks.

The following log data is collected during this process:

To detect server attacks, Strato AG stores non-anonymized IP addresses, which are stored for a maximum of seven days. After that they are anonymized. However, for data protection reasons, for me as the website operator, these IP addresses are anonymized  in the log file right from the beginning. An example: 123.456.789.001 becomes anon-123-456-165-41.invalid.

  • Request line

This is the path of the target address without the domain. If you, as a visitor to my site, click on a picture on my website, for example, the URL "rosenschnitzer.de/bild.jpg" is behind it. The request line is then "/image.jpg".

  • Time stamp

 Date and time of an access to the website

  • Status code

Surely you have seen a 404 page before. This is displayed whenever a requested page or file cannot be found. 404 is the status code that tells you that the visitor tried to access a page that does not exist. The Internet Assigned Numbers Authority has defined a number of other status codes that are helpful for error analysis: 200, for example, means OK - so here the user was able to call up my page without errors.

  • Size of the response body

When a website visitor goes to my site, he temporarily downloads data. This is, for example, the images and texts that he sees in his browser. The log file indicates how large this data is.

  • Referer sent by the client

This field shows from which page the visitor of my website came.

 User agent sent by the client

For example, information about the type and version of the browser and the operating system used by the website visitor.

You can find a more detailed explanation (in German) here:   

https://www.strato.de/blog/dsgvo-logfiles/

The data is processed on the basis of legitimate interest according to Art. 6 para. 1 lit. f GDPR and stored for a maximum of 6 months at Strato. Should I terminate my contract with Strato at some point, this service provider would delete the data within 2-4 months.

e) Cookies used on the website

Generally, no tracking cookies or the like are used on my website. Only functionally necessary cookies, such as session cookies (also called session cookies/temporary cookies) could be set. Session cookies are something like the short-term memory of a browser. They are deleted after the browser is closed. The legal basis for this is the legitimate interest in providing a functional website within the meaning of Art. 6 (1) lit. f GDPR.

f) Social Media

I do not use any plugins of the messenger service Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) on this page.

Rather, I explicitly link to my Twitter account by providing the URL of my profile page there, just like this:

https://twitter.com/rosenschnitzer

My social media presence on Twitter is not exclusively of a professional nature, as I sometimes also express myself privately there. Nevertheless, the account there is intended to ensure that I have as comprehensive a presence on the Internet as possible. This is a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes initiated by Twitter may be based on different legal grounds, which must be specified by the operator of this social network (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

I expressly point out that when you click on the link, you leave my website and land on the pages of Twitter. There, the data protection and terms of use of Twitter then apply.

Twitter's Terms of Service (ToS) can be found here:

https://twitter.com/en/tos

For more information about Twitter's privacy practices, please visit:

https://twitter.com/en/privacy

You can change Twitter's privacy settings in your Twitter account:

https://twitter.com/login?redirect_after_login=%2Faccount%2Fsettings

If you visit my Twitter account, I am jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against me and against Twitter.

Please note that despite the joint responsibility with this social media portal operator, I do not have full influence on the data processing operations there. My options are largely based on Twitter's corporate policy. For more information, you can read everything even more in detail in my Twitter privacy policy.

g) Hinweis zur SSL- bzw. TLS-Verschlüsselung der Webseite

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

5 Data collection during the processing of sales and other inquiries

a) Customer and contract data

If you contact me by e-mail, telephone or other electronic means (e.g. Twitter direct messages), your request including all resulting personal data will be stored and processed by me for the purpose of processing your request. So for example, if you contact me, your name, email address and the content of your request will be processed by me. In the case of a purchase request, your data will be processed by me as an order, for which otherwise necessary data for the processing by me may be collected, such as your payment information. I do not share this data without your consent.

The processing of this data is based on the legal basis of Art. 6 (1) lit. b GDPR, provided that your request is related to the performance of a contract or is necessary for the performance of pre-contractual measures. In all other cases, the processing is based on my legitimate interest in the effective processing of requests addressed to me (Art. 6 para. 1 lit. f GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR), if this consent was requested.

The data you send to me via contact requests will remain with me until you request me to delete it, you revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after processing your request has been completed). Mandatory legal provisions - in particular (for example, tax or commercial law) statutory retention periods - remain unaffected.

If you have contacted me via Twitter, I would like to point out that I have no influence on the storage period of your data, which is stored by the operators of this social network for their own purposes. For details, please contact the operators of the social network directly (e.g. in the privacy policy, https://twitter.com/privacy).

b) Payment services and shipping

No third-party payment services are directly integrated on my website, as I have not implemented a webshop. The initiation of sales takes place only due to direct requests from customers who contact me via email, phone or other electronic means (such as direct messages to my Twitter account).

The processing of sales usually takes place either via advance payment by bank transfer or via the payment service PayPal. PayPal is offered by the following payment service provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").

If you make a purchase from me, your payment data (eg name, payment amount, account details, credit card number) will be processed by me or my payment service provider for the purpose of payment processing. The same applies if you make a payment in advance by bank transfer via a credit institution.

If a sale takes place via PayPal, the respective contract and data protection provisions of the payment service provider apply to this transaction. The use of PayPal is based on Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing. Consent can be revoked at any time for the future.

With PayPal, due to the terms of use, it cannot be ruled out that data is transferred to the USA. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Detailed, per global region applicable legal documents, including the Terms and Conditions (ToS) and the Privacy Policy can be found here:

https://www.paypal.com/cz/webapps/mpp/ua/legalhub-full?locale.x=en_CZ

Furthermore, a transfer of your data when purchasing my workpieces to a shipping company for the purpose of sending the purchased piece. In all cases, I strictly observe the legal requirements, the scope of data transmission is limited to a minimum (name, address for delivery). I pass on this data for the fulfillment of the concluded purchase contract (Art. 6 para. 1 lit. c GDPR).

As a rule, I use the shipping service provider DHL. You can find their privacy policy (in German) here:

https://www.dpdhl.com/de/datenschutz.html

Please also note my information about payment and shipping here.

c) Legal or contractual requirements for the provision of personal data, necessity for the conclusion of the contract, obligation to provide the personal data, possible consequences of non-provision

 

Please note that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner in the case of a sale). Sometimes it may be necessary for the conclusion of a contract that the customer provides me with personal data, which must subsequently be processed by me. For example, the data subject is obliged to provide me with personal data if he or she wishes to purchase a workpiece from me, thus concluding a purchase contract with me. Failure to provide the personal data would mean that the contract could not be concluded.

6 Data collection for the provision of carving lessons

If I conduct carving lessons (in German language!), it will be possible to register for them by e-mail. If interested persons contact me for the purpose of registration, I will then process the following personal data:
  • Name
  • Email address
  • If necessary, payment data, as far as payment does not occur in cash
  • If the course is to take place after arrangement away from the participant, the address.

The legal basis for this processing is the consent according to Art. 6 para. a lit. a GDPR. This data will be deleted after the purpose has been achieved (implementation of the course). Any statutory retention requirements (such as tax law with regard to payment information, Art. 6 para. 1 lit. c GDPR) remain unaffected.

7 Categories of data recipients

I transmit personal data to third parties only if this is necessary in the context of the contract, such as to the companies entrusted with the delivery of the goods or the payment service provider entrusted with the payment processing. A further transmission of data does not take place or only if you have expressly agreed to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes.

The basis for data processing is Art. 6 (1) lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

In this regard, tax and commercial law retention periods are taken into account by me (legal basis n. Art. 6 para. 1 lit. c GDPR). By order of the competent authorities, I must provide information about this data (inventory data) in individual cases, insofar as this is necessary for the purposes of criminal prosecution, to avert danger, to fulfill the statutory tasks of the constitutional protection authorities or the Military Counter-Intelligence Service or to enforce intellectual property rights.

8 Note on third country transfer (USa and other third countries)

 

My website itself does not integrate any tools from companies based in the USA or other third countries that are not secure under data protection law.

My service provider and website hoster Strato AG uses subcontractors to provide the service to me. These subcontractors are also contractually bound to data protection in the sense of the GDPR in accordance with the order processing agreement concluded between me and Strato. The list of Strato subcontractors can be found on the website (in German language) here:

https://www.strato.de/subunternehmer-strato-ag/

Third country transfers only take place insofar as you either contact me via my Twitter account and/or use the payment service provider PayPal for buyers of my workpieces. With both companies, due to their terms of use, it cannot be ruled out that data will be transferred to the USA.

For Twitter as well as for PayPal, the data transfer to the USA is based on the standard contractual clauses of the EU Commission.

Details regarding Twitter can be found here:   

https://gdpr.twitter.com/en/controller-to-controller-transfers.html

Twitter's Terms of Service (ToS) can be found here:  

https://twitter.com/en/tos

For more information about Twitter's privacy practices, please visit:

https://twitter.com/en/privacy

Detailed, per global region applicable legal documents, including the Terms and Conditions (ToS) and the Privacy Policy can be found here:

https://www.paypal.com/cz/webapps/mpp/ua/legalhub-full?locale.x=en_CZ

9 Existence of automated decision making/profiling

 

Automated decision-making/profiling in the sense of Art. 22 GDPR does not take place.

10 Your rights as data subject

If your personal data is processed, you are entitled to various rights as a data subject of this data processing according to the European General Data Protection Regulation (GDPR). These are briefly explained below.

a) Information, deletion and rectification

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact me at any time.

b) Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact me at any time. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by me, I usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data. If the processing of your personal data happened/is happening unlawfully, you can request the restriction of the data processing instead of the deletion. If I no longer need your personal data, but you wish to use it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of the deletion. If you have lodged an objection pursuant to Art. 21 para.1 GDPR, a balancing of your and my interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.

c) Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

d) Revocation of your consent to the data processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

e) Right to object to data collection in special cases, direct marketing

 

If the data processing is based on Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. The respective legal basis on which processing is based can be found in this privacy policy.   

If you object, I will no longer process your personal data unless I can demonstrate legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (objection under Article 21 para. 1 GDPR).

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. If you object due to direct advertising, I will no longer use your personal data for this purpose (objection according to Art. 21 para. 2 GDPR).

f) Right to lodge a complaint at the competent supervisory authority

 

In the event of violations of the GDPR, data subjects have a right of appeal to a supervisory authority. In particular, data subjects may do so in the Member State of their habitual residence, their place of work or the place of the alleged infringement. The right of appeal is without prejudice to other administrative or judicial remedies.

The data protection supervisory authority responsible for my small business is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

Kavalleriestr. 2-4

40213 Düsseldorf

Telefon: 0211/38424-0

Fax: 0211/38424-999

E-Mail: poststelle@ldi.nrw.de

11 Status of the privacy policy (change history)

Version 1 – May 2021