Data protection statement - Canyon Bicycles GmbH
We, Canyon Bicycles GmbH (hereinafter referred to as "Canyon"), are pleased that you are visiting our website and are interested in our bikes. The protection and security of your data is very important to us. Therefore, we would like to inform you with this Data protection statement about which data is processed during which interactions with our website and for what reasons this is done. This way, you can always keep an eye on how Canyon processes your personal data.
As changes to the law or adjustments to our internal company processes may make it necessary to regularly update this Data protection statement, we ask you to read it regularly to ensure that you are always up to date. The Data protection statement can be accessed, saved and printed out at any time under the "Data protection" navigation point on our website.
The privacy policies for our social media presence (Facebook, Instagram and others) can be found at the end of this Data protection statement.
1. Responsible party and scope of application
The controller within the meaning of the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the member states as well as other data protection regulations is
Canyon Bicycles GmbH
Karl-Tesche-Strasse 12
56073 Koblenz
Phone: +49 (0)261 - 9490 300 0
E-mail: privacy@canyon.com
Website: https://www.canyon.com/
This Data protection statement applies to the website of Canyon Bicycles GmbH which is available under the domains www.canyon.com and www.career.canyon.com as well as the various subdomains (hereinafter mostly summarized as "our website").
2. Data protection officer
The external data protection officer of the controller is
Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
D-50672 Cologne
Phone: +49 (0)221 - 222 183 0
E-mail: team-cgn1@kinast.eu; mail@kinast.eu
Website: http://www.kinast.eu
You are also welcome to contact our external data protection officer directly if you have any questions or queries relating to data protection.
3. Principles of data processing
We only collect and use your data if and insofar as this is necessary for the provision of our website or our customer support services, order processing and all other services in connection with personal data or if we have received your consent for individual data processing operations.
Below we explain the most important basics and terms you should know about data protection:
Personal data is any information relating to an identified or identifiable natural person (see Art. 4 No. 1 GDPR). This includes, for example, information such as your name, age, address, telephone number, date of birth, email address, customer number, IP address or data about your activities on our website. Information that we cannot (or can only with disproportionate effort) link to your person is considered anonymized and is therefore not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) always requires a legal basis or your consent.
Your personal data will be deleted as soon as it is no longer required for the purposes of processing and no legally prescribed retention periods need to be taken into account.
The term "processing" of personal data is very broad and can be found in Art. 4 No. 2 GDPR. By definition, the processing of personal data includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Every process in which your personal data is processed requires a legal basis. In individual cases, legal bases from the respective member states of the EU, here for example from the Federal Data Protection Act (BDSG), may also be considered.
The collection and use of personal data of our users only takes place regularly after obtaining a corresponding consent, which in turn represents the legal basis for data processing (see Art. 6 para. 1 lit. a GDPR and Art. 7 GDPR).
The situation is different in cases where the processing of personal data is permitted by another legal basis. In particular, processing on the basis of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), processing on the basis of the fulfillment of legal or statutory obligations (Art. 6 para. 1 lit. c GDPR) or because we have a so-called "legitimate interest" in data processing (cf. Art. 6 para. 1 lit. f GDPR), if the data processing is necessary to safeguard this and in individual cases the fundamental rights and freedoms of the person affected by the data processing do not prevail.
Personal data is only processed for the period of time that is relevant to achieve the respective storage purpose. Insofar as statutory retention obligations and/or statutory retention rights exist, e.g. from tax or commercial law regulations, the data will be stored for up to 10 years. If a storage purpose no longer applies (e.g. in the case of unsubscribing from our newsletter service) or if a legally prescribed storage period expires, the personal data concerned is routinely deleted in accordance with the statutory provisions or its processing is restricted (e.g. limited processing within the scope of tax or commercial law retention obligations).
We only pass on your personal data if this is necessary to provide one of our services or to fulfill the purpose of processing, if you have given your prior consent or if another legal basis applies. These may be, for example, hosting service providers or IT service providers who help us with the maintenance and care of our systems or postal, payment or marketing service providers. These companies have been obliged by us to protect your personal data in accordance with the applicable data protection law.
In this context, personal data may also be transferred to countries outside the EU/EEA in which the provisions of the GDPR do not apply. However, we will take the necessary precautions in accordance with the provisions of the GDPR to ensure that your data is transferred in compliance with data protection regulations.
We therefore work in particular with companies in countries for which the EU Commission has issued an adequacy decision. These include the USA in particular. Since 10.07.2023, data transfers to the USA have been legitimized by a so-called EU adequacy decision (EU-US Data Privacy Framework) if the respective US company has committed itself to appropriate data protection standards with the US Department of Commerce. US companies that have not done so will be treated in the same way as other global companies outside the European Union if there is no EU adequacy decision for the country in question. At Canyon, we only work with companies for which legally required measures have been taken to ensure the lawful transfer of your data to these countries. If there is no adequacy decision for a third country in this respect, compliance with the required level of data protection is usually ensured by concluding standard contractual clauses and implementing additional measures.
We will then make separate reference to the transfer of personal data to these so-called third countries in the relevant sections of this Data protection statement.
4. Individual processing operations
Below we provide you with a list and detailed description of all processing operations in connection with your personal data that may become relevant when using our website.
First of all, we will show you all relevant information on data processing operations that can be initiated in connection with the general use of our website, i.e. without actively triggered data transmissions, such as during registration or online shopping.
a. Type and scope of data processing
When you access and use our website, we collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called log file.
When you use our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
- IP address of the requesting device
- Date and time of access
- Time zone difference to Greenwich Mean Time (GMT)
- Website accessed or requested
- Status of access (http status code)
- Size of the data volume transferred in each case
- Website from which you access the site (so-called referrer URL)
- Browser used, end device used and, if applicable, the operating system and the name of your access provider
- Language and versioning of the browser software
In addition, we use both technically necessary and voluntary cookies on our website, which may be used when using our web pages. You can find more information on this under point 5 ("Use of cookies") and in our cookie banner.
We use a service provider to host our website. For this purpose, we have concluded an order processing contract with this service provider (Art. 28 GDPR).
b. Legal basis
Art. 6 para. 1 lit. f GDPR serves as the legal basis for the aforementioned data processing. The processing of the aforementioned data is absolutely necessary for the provision of a website and thus serves to safeguard a legitimate interest of our company.
c. Storage period
As soon as the aforementioned data is no longer required to display the website, it is deleted. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Further storage may take place in individual cases if this is required by law.
a. Type and scope of data processing
On our website, we offer you the opportunity to register by providing personal data.
With the processed data, we create an individualized user account for you, with which you can create certain content and services such as a wish list, an order overview, a list of preferred delivery addresses, message settings, etc., partly in self-administration and thus use certain content on our website.
We process your e-mail address so that we can send you new access data if you forget it or to send you information that is directly related to your account registration.
By adding products to your wish list, you give us the opportunity to remind you by e-mail of the products you have saved on your wish list or to send you information about them. The same applies to activating the reminder function for unavailable items, for which we will then remind you by e-mail as soon as they are available again in our store.
We recommend that you place your orders on the basis of a registered and logged-in user profile. This allows us to assign your orders to your user profile so that you can be offered further digital services.
The following overview shows you in detail which personal data we process when you register:
- Name
- E-mail address
- Date of birth (optional)
- Country and language
- IP address
- Gender
The following overview shows you the type of data that we can process through your information within the user account or through orders linked to the customer account:
- Registered bicycles ("Bike Garage")
- Open orders
- Name
- Birthday
- Address
- Different delivery addresses, if applicable
- Body height and inside leg length
- Orders
- Returns
- Wish list
- Newsletter settings
- Wish list
- Body height and stride length
- Language settings
We use a British service provider to validate your address, your e-mail address and your telephone number to prevent incorrect data from entering our system.
As part of the processing, your data may therefore be processed in the UK and therefore outside the EU or the European Economic Area (EEA). The EU Commission has determined that an adequate level of protection comparable to the GDPR is guaranteed in the UK. Data transfers to the UK are therefore permitted under Art. 45 GDPR. For the purpose of legitimizing data processing, we have concluded a corresponding contract with the service provider for order processing. Further information on the processing of your data by external service providers can be found in section 3.5. of this Data protection statement.
b. Legal basis
The processing of the personal data described serves the fulfillment of a contract or the implementation of pre-contractual measures between you and Canyon in accordance with Art. 6 para. 1 lit. b GDPR. Insofar as you give your consent, for example in the context of your newsletter settings, Art. 6 para. 1 lit. a GDPR is the legal basis for the data processing based on this. Otherwise, we only process this data if there is a legitimate interest (Art. 6 para. 1 lit. f GDPR).
c. Storage period
As soon as the registration on our website is canceled or modified, the data processed during the registration process will be deleted. Further storage may take place in individual cases if this is required by law. We store certain order, customer and contract data for up to 10 years after termination of the contract with you, in particular on the basis of statutory retention obligations (especially tax and commercial law regulations). Your data will only be processed in accordance with the applicable retention periods.
d. Dissolution of the registration
As a user, you have the option of canceling your registration at any time. You can change the data stored about you at any time. The best way to do this is as follows: Either make the changes yourself after logging into your customer account or send an email to privacy@canyon.com.
However, if the processed data is still required to fulfill a contract or to carry out pre-contractual measures or similar requests, premature deletion of the data is only possible insofar as this does not conflict with contractual or legal rights or obligations.
4.3.1 Purchase of goods
a. Type and scope of data processing
On our website, we offer users the opportunity to purchase goods by providing personal data. The data required for this is entered into an input mask and transmitted to us and stored. Mandatory fields are marked as such, as in these cases we require the data as part of the ordering process. The following data is collected during the ordering process:
- Salutation
- Name
- Address
- Phone number
- E-mail address
- Your order
- Payment method and payment information
- Shipping method
Your data will be passed on to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the goods. In order to process payments, we pass on your payment data to the credit institution or payment service provider commissioned with the payment. These companies may only use your data for order processing and not for any other purposes. Following your order, we will send you an order confirmation by e-mail.
If you purchase goods on our website and enter your e-mail address, we may subsequently use it to send you notifications about similar goods or services, as we are interested in maintaining our customer relationship with you and would like to send you information that we believe may be of interest to you. You can object to the use of your e-mail address for this purpose at any time.
If you have to interrupt this process during the order process or cannot complete the purchase, we will remind you of the items you have placed in the shopping cart by e-mail after a certain period of time so that you can complete the process at a later date if necessary without having to put the items together again in the web store. We use cookies for this purpose. You can find more information about the use of cookies under point 5 ("Use of cookies") and in our cookie banner.
As soon as you have completed your purchase, it will be entered into our customer support platform. We use the software of an external US provider so that we can offer you optimized and tailored customer service. The protection of your personal data is particularly important to us when processing data outside the EU. We have therefore ensured that this service provider has been certified under the EU-US Data Privacy Framework (see point 3.5.) and that a data processing agreement (Art. 28 GDPR) has been concluded with it.
b. Legal basis
When processing your personal data that is required to fulfill a contract concluded with us, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. We are obliged to send your order confirmation in accordance with Section 312i (1) No. 3 BGB. In the event of a legal obligation, Art. 6 para. 1 lit. c) GDPR is the legal basis for the relevant data processing.
The legal basis for sending notifications for similar goods or services as a result of the purchase of goods is Art. 6 para. 1 lit. f GDPR, taking into account the requirements of Section 7 para. 3 UWG. You can object to the sending of notifications at any time by clicking on the unsubscribe link provided for this purpose at the end of the newsletter. Otherwise, we will only send you notifications on the basis of your consent (Art. 6 para. 1 lit. a GDPR).
The further processing of the personal data transmitted in connection with the purchase of goods is based on our legitimate interest in providing optimal customer service and efficient support for your concerns (Art. 6 para. 1 lit. f GDPR).
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.2 Use of the 3D-Secure 2.0 procedure for credit card payments
a. Type and scope of data processing
You have the option of paying with your credit card when purchasing goods. The amount is first reserved. The final debit and charging of the card takes place when the item is dispatched. When paying by credit card, personal data such as the name of the cardholder, the card number, the expiry date and the security code of the card are processed. Your card details are stored and kept securely.
To ensure greater security when processing payments, we use the so-called 3D Secure 2.0 process. For each transaction, data elements are sent to your credit card company, which can use this data to carry out a real-time risk assessment in order to identify you as the legitimate holder of the credit card. In this context, we use the Dutch service provider Adyen (Adyen N.V., Simo Carmiggelstraat 6-50, 1011 DJ) to process credit card payments, which we have obliged to provide an appropriate level of data protection by means of an order processing agreement. Your data will only be transmitted to this service provider and will not be passed on to third parties.
We collect the following data when you make a credit card payment:
- Credit card information
- Transaction-related data, such as the identification numbers required to assign the transaction and merchant, as well as the purchase amount and currency
- Automatically transmitted browser information that provides information about the end device used and the user's location. This includes the IP address, screen height and width and the browser language used.
- The complete billing and delivery address of the order
- Customer account data collected as part of an existing customer account. This includes information on the duration of the customer account, the number of transactions carried out within certain time intervals and the frequency with which passwords and delivery addresses are changed.
- Data on delivery details, such as the selected shipping method, availability of the goods, the delivery time window, the e-mail address in the case of shipping digital goods or the date of first availability for products that have not yet been published.
We collect this data exclusively to enable credit card institutions to carry out a real-time risk assessment. If a transaction is classified as low-risk, you can authorize it directly and without further interaction. However, if fraud is suspected, you will be asked to reconfirm your identity via an additional security prompt. The purpose of this data processing is, on the one hand, to meet the requirements of Strong Customer Authentication (SCA) and thus ensure better and legally required protection against fraud and, on the other hand, to simplify the purchasing process.
b. Legal basis
The legal basis for the processing of data during the payment process by credit card is Art. 6 para. 1 lit. b GDPR. The processing of personal data is necessary for the fulfillment of the payment obligation.
The legal basis for data processing in the context of the use of the 3D Secure 2.0 procedure is Art. 6 para. 1 lit. c and f GDPR. A legal obligation to process data in this regard arises from the EU Directive on payment services in the internal market (Directive (EU) 2015/2366) and the supplementary regulatory-technical standards from EU Regulation 2018/389, which requires strong customer authentication. In addition, there are the legal obligations arising from the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG) and Sections 675c to 676c of the German Civil Code. One way of meeting this obligation is to use the 3D Secure 2.0 process. In addition, we rely on our "legitimate interest" in the form of an economic interest, which is to be seen in a reduction in the purchase abandonment rate and the simplification of the ordering process. Thanks to the individual, data-based risk assessment, transactions can in most cases be approved directly and without further buyer interaction, resulting in an improved user experience.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law. If you have chosen to store your credit card details for future orders, they will be stored securely until you edit or remove them from your Canyon account.
4.3.3 Financing service providers
a. Type and scope of data processing
As part of the purchase of goods, we offer you the option of processing the purchase of goods via a payment service provider. The payment service provider we use is "Consors Finanz" as a registered trademark of BNP Paribas S. A. (for Germany BNP Paribas S. A., Niederlassung Deutschland, Senckenberganlage 19, 60325 Frankfurt am Main and for Austria BNP PARIBAS PERSONAL FINANCE SA, Niederlassung Österreich, Vordere Zollamtsstraße 13, 3. Stock, 1030 Wien)
Among other things, the following data is collected from you:
- First and last name
- Country, place and date of birth
- Nationality
- Address
- Phone number
- E-mail address
- Household data such as income
This data is collected by us exclusively for the processing of the contractual relationship and passed on to the payment service provider for the processing of payments. The payment service provider may only use your data for order processing and not for any other purposes.
b. Legal basis
The processing of the personal data presented is based on the legal basis of Art. 6 para. 1 lit. b GDPR, as this processing is necessary for the execution of the contract.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.4 Payment in advance by bank transfer
a. Type and scope of data processing
When purchasing goods, we offer you the option of paying in advance by bank transfer. With this payment method, the goods are reserved for you until payment has been made. Data will only be passed on to third parties in the cases listed below.
The following data is collected as part of the payment process:
- Name of the account holder
- Account number
- Bank code
- Invoice amount
- Currency
- Intended use
b. Legal basis
When processing the account data (name of the account holder, account number, bank code, invoice amount, currency, purpose of use) for the purpose of payment processing, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
This also applies to processing operations that are necessary to carry out pre-contractual measures. In some cases, we may also be legally obliged to transfer the data concerning you in accordance with the implementation of strong customer authentication under Directive EU 2015/2366 (PSD 2) or the Act Implementing the Second Payment Services Directive (Payment Services Implementation Act - ZDUG). Insofar as we are legally obliged to transfer data, Art. 6 para. 1 lit. c GDPR in conjunction with the corresponding provisions of Directive EU 2015/2366 (PSD 2) or the Payment Services Implementation Act (Zahlungsdiensteumsetzungsgesetz - ZDUG) is used as the legal basis.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.5 Payment via PayPal / PayPal installment payment
a. Type and scope of data processing
You can also pay for your purchase via the payment service provider PayPal. You will be automatically redirected to the PayPal website to enter your details. The amount will be reserved until the goods have been dispatched. Only then will your account be debited. You can also select payment by installments on the PayPal website.
If you choose the payment method PayPal, your data will be transmitted to PayPal (i.e. to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg) so that you can authorize the payment to us via PayPal. (You need a PayPal account for this). PayPal acts as an online payment service provider and trustee and offers buyer protection services.
The following data is transmitted to the payment service provider and credit institutions involved as part of payment processing:
- First and last name
- Phone number
- E-mail address
- Device information of the user
- Delivery and invoice address
- Order and article number
- Invoice amount
PayPal also reserves the right to collect personal data from the buyer. According to PayPal, this may include the following information:
- Name
- Address
- Phone number
- Account number
PayPal may pass on your personal data to affiliated companies and service providers or subcontractors insofar as this is necessary to fulfill the contractual obligations or the data is processed on behalf of PayPal.
The personal data transmitted by us to PayPal may be transmitted by PayPal to credit agencies. The purpose of this transmission is to check identity and creditworthiness. PayPal uses the result of the credit check, taking into account the statistical probability of non-payment, for the purpose of deciding on the provision of the respective payment method. The credit check may contain probability values (so-called score values). If score values are included in the result of the credit check, they are based on a scientifically recognized mathematical-statistical procedure.
You can find out which credit agencies are involved here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full#rAnnex
You have the option to revoke your consent to the processing of your personal data at any time from PayPal. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal, provided that the personal data must be processed, used or transmitted for contractual payment processing.
You can view PayPal's Data protection statement at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
b. Legal basis
The legal basis for the processing of personal data is Art. 6 para. 1 lit. b GDPR. The processing is necessary to fulfill a contractual obligation, in this case the obligation to pay the purchase price. This also applies to processing operations that are necessary to carry out pre-contractual measures. In some cases, we may also be legally obliged to transfer the data concerning you in accordance with the implementation of strong customer authentication under Directive EU 2015/2366 (PSD 2) or the Act Implementing the Second Payment Services Directive (Payment Services Implementation Act - ZDUG). Insofar as we are legally obliged to transfer data, Art. 6 para. 1 lit. c GDPR in conjunction with the corresponding provisions of Directive EU 2015/2366 (PSD 2) or the Payment Services Implementation Act (Zahlungsdiensteumsetzungsgesetz - ZDUG) is used as the legal basis.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.6 Payment by Klarna (invoice)
a. Type and scope of data processing
It is possible to complete your purchase on account via the service provider Klarna (Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden). With this payment method, your order will be paid for directly, even if the item will only be shipped in the future. You will be forwarded directly to Klarna after confirming your order. As part of the payment, you enter into an agreement with Klarna through which Klarna may collect personal data such as your first and last name, address, date of birth, gender, e-mail address, IP address and telephone number from Canyon. In addition, Klarna may collect additional data necessary for the processing of the purchase on account, such as the number of items and the item number from Canyon. Klarna processes the data to process your purchase and to carry out an identity and credit check. Klarna may obtain information from credit agencies.
You can view a list of credit agencies at https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies.
You can find details on the processing of your data by Klarna in Klarna's Data protection statement at https://www.klarna.com/de/datenschutz/.
b. Legal basis
The legal basis for the processing of your data is Art. 6 para. 1 lit. b GDPR. The processing is necessary to fulfill your contractual payment obligation.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.7 Payment by Klarna (instant bank transfer)
a. Type and scope of data processing
You can also process your purchase by instant bank transfer via the company Sofort GmbH (Theresienhöhe 12, 80339 Munich, Germany, part of Klarna since 2014, hereinafter referred to as "Klarna"). With this payment method, personal data such as your first and last name, your e-mail address and telephone number, your address and your IP address and, if applicable, other data relevant to payment processing are transmitted to Klarna. In addition, your payment data such as the bank code or bank name, account number and access data for online banking will be transmitted. When paying by instant bank transfer, your PIN and TAN are transmitted to Klarna. The payment provider then logs into your online banking account, automatically checks your account balance and makes the transfer. This is followed by an immediate transaction confirmation. After logging in, there is also an automated check of your turnover, the credit limit of your overdraft facility and the existence of other accounts and their balances.
You can find more details about instant bank transfer at https://www.klarna.com/sofort/.
b. Legal basis
The legal basis for the transfer of your data to Klarna is your consent in accordance with Art. 6 para. 1 lit. a GDPR and Art. 6 para. 1 lit. b GDPR, which is necessary to fulfill your payment obligation. You can withdraw your consent at any time.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
3.8 Payment by cash on delivery
a. Type and scope of data processing
You have the option of paying for your order by "cash on delivery". With this payment method, we deliver your order to you and you only pay in cash when you receive the items. The prerequisite for this is that you have the order sent to a German delivery address and the order is not more expensive than 3,500 euros. When paying by cash on delivery, we transmit data such as your first and last name, your address and payment information such as the item price to our supplier so that they can deliver your order to you and you can also pay for it with them.
b. Legal basis
The legal basis for the processing of your personal data in the context of payment by cash on delivery is Art. 6 para. 1 lit. b GDPR. The processing is necessary to process the order and the associated payment and delivery obligation.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
4.3.9 JobRad Leasing
a. Type and scope of data processing
We work together with JobRad (JobRad GmbH, Heinrich-von-Stephan-Str. 13, 79100 Freiburg, Germany), one of the leading bike leasing providers. You have the option of leasing bikes if you are an employee of a German company or a self-employed person based in Germany and you or your employer cooperate with JobRad. Simply select "JobRad" as the payment method during the order process. You will receive an order confirmation and your Canyon bike will be reserved for three weeks. You will then receive a link from your employer that you can use to log in to the JobRad portal. JobRad is responsible for the data processing that takes place there. You can find out more at https://www.jobrad.org/datenschutz.html.
As part of the JobRad leasing process, we transmit data to JobRad that is necessary for the conclusion of the contract. This includes, for example, your first and last name, your address, your e-mail address and the item number of the selected bike. JobRad may share your data with third parties, such as suppliers or your employer, in order to complete the leasing process. You can also find out more about this in JobRad's Data protection statement.
b. Legal basis
The legal basis for the processing of your data is Art. 6 para. 1 lit. b GDPR. The processing is necessary to complete the Fahrrand leasing process.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
3.10 Bike leasing
a. Type and scope of data processing
You have the option of leasing a bike via the bike leasing service of BLS Bikeleasing-Service GmbH & Co. KG (Ernst-Reuter-Straße 2, 37170 Uslar, Germany). To do this, select Bikeleasing-Service in the order process during payment and follow the next steps. If you are an employee, your employer must be registered with Bikeleasing. If you are self-employed, you must be registered with Bikeleasing yourself. Bikeleasing is responsible for data processing as part of your registration.
As part of the bike leasing service, we transmit necessary data such as your first and last name, your address, your e-mail address and the item number of the selected bike to our leasing partner. Bikeleasing may transfer your data to third parties, such as suppliers or your employer, during the leasing process. You can find out more about data processing and transmission by Bikeleasing at https://bikeleasing.de/datenschutz.
b. Legal basis
The legal basis for the processing of your data is Art. 6 para. 1 lit. b GDPR. The processing is necessary in order to prepare or complete the Fahrrand leasing process.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
a. Type and scope of data processing
You can subscribe to a free newsletter on our website. To be able to send you the newsletter regularly, we only need your e-mail address. After you enter it, we will send you an e-mail with a confirmation link to verify that you are actually the owner of the e-mail account you have provided (so-called "double opt-in" procedure).
If you click on the link in the email, you will be redirected to one of our websites, which will confirm that you have successfully subscribed to our newsletter. Here you will have the opportunity to provide further voluntary information that can help us to personalize your newsletter. The following overview shows you what additional information is required:
- Gender
- First and last name
- Date of birth
- Bicycle category of interest
- News category of interest
You can also customize the interests you share, which may affect the content we communicate to you, within your account settings.
We use the so-called double opt-in procedure for sending the newsletter, i.e. we will only send you the newsletter if you first confirm your registration via a confirmation e-mail sent to you for this purpose using a link contained therein. This is to ensure that only you, as the owner of the e-mail address provided, can subscribe to the newsletter. Your confirmation in this regard must be made promptly after receipt of the confirmation e-mail, otherwise your newsletter registration will be automatically deleted from our database. You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation in particular by clicking on the link provided in every newsletter e-mail or by sending an e-mail to privacy@canyon.de.
In connection with sending the newsletter, your data will be forwarded to a US service provider whose software we use as part of our customer relationship management. For this purpose, we have concluded an order processing contract with this company.
For data transfers to the USA, an adequacy decision of the European Commission has been in force since July 10, 2023, subject to the proviso that the respective service provider can provide certification in accordance with the EU/U.S. Data Privacy Framework (DPF). This certification attests that the company has an adequate level of protection for personal data, comparable to that of the European Union. Such certification is available here.
b. Legal basis
The processing of your email address, title, date of birth and the bike and news category of interest to you for sending the newsletter is based on your declaration of consent given as part of a double opt-in in accordance with Art. 6 para. 1 lit. a GDPR. If a newsletter is sent on the basis of previous purchases of goods, this may also be done on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG).
c. Storage period
Your e-mail address will be stored for as long as you are subscribed to the newsletter. After you unsubscribe from the newsletter, your e-mail address will be deleted. Further storage may take place in individual cases if this is required by law or if we store your e-mail address due to a user profile that still exists and for which you have not requested deletion.
4.5.1 Forms
a. Type and scope of data processing
On our website, we offer you the opportunity to contact us using the forms provided. As part of the process of sending your request via the contact or pre-chat form, reference is made to this Data protection statement. If you use the contact forms, the following personal data will be processed by you:
- Salutation
- Name
- E-mail address
- Phone number
- the country of residence
- Your customer number (for returns, repair or CRP requests)
- Your order number (for returns, repair or CRP requests)
- Model name of your bike (for returns, repair or CRP requests)
- Your address (for repair or CRP requests)
- Pictures and details to describe the problem (for repair or CRP requests)
- Other personal data provided by you in the course of contacting us
The purpose of providing your e-mail address and country of residence is to be able to assign your request and respond to you. The provision of the other data mentioned above serves the purpose of preparing the processing of your request and corresponding services. When using the contact form, your personal data will not be passed on to third parties.
To enable us to offer you optimized and tailored customer service, we use the software of an external US provider to respond to your inquiries. The protection of your personal data is particularly important to us when processing data outside the EU. We have therefore ensured that this service provider has been certified under the EU-US Data Privacy Framework (see point 3.5.) and that a data processing agreement (Art. 28 GDPR) has been concluded with it.
b. Legal basis
The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6 para. 1 lit. b, lit. f GDPR either for the implementation of (pre-)contractual measures or on the basis of our legitimate interest.
c. Storage period
As soon as the request you have made has been dealt with and the matter in question has been conclusively clarified, the personal data processed via the contact form will be deleted. Further storage may take place in individual cases if this is required by law.
4.5.2 Contact via chat module
a. Type and scope of data processing
You have the opportunity to get in touch with our experts or the Canyon Community via our chat module. We use the services of the provider "guuru" (GUURU Solutions GmbH, Rothusstraße 21, 6331 Hünenberg, Switzerland). If you wish to use this option to contact us, you agree to guuru's terms of use and Data protection statement. We cannot offer you the use of the chat without this consent.
When you contact us via our chat, we process data such as your first and last name and your email address. We then only process the information and data that you share with us during the chat conversation.
The provider "guuru" also receives access to the personal data that you share with us via the chat. You can find more information on this in the Data protection statement of "guuru" at https://www.guuru.com/de/privacy-policy/.
To enable us to offer you optimized and tailored customer service, we also use the software of an external US provider to assign and process your inquiries. The protection of your personal data is particularly important to us for processing operations outside the EU. We have therefore ensured that this service provider has been certified under the EU-US Data Privacy Framework (see point 3.5.) and that a data processing agreement (Art. 28 GDPR) has been concluded with it.
b. Legal basis
The processing of your personal data is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at the conclusion of a purchase contract, the legal basis is Art. 6 para. 1 lit. b GDPR.
To protect your own personal data, please refrain from providing us with special categories of personal data within the meaning of Art. 9 para. 1 GDPR (for example: health data).
c. Storage period
The data provided and the message history with our Service Desk will be stored for follow-up questions and subsequent contact. If the purpose of the storage no longer applies, which we regularly assume after 12 months, this data will be deleted in accordance with data protection regulations, unless statutory retention periods prevent this.
4.5.3 Contact by e-mail
a. Type and scope of data processing
It is possible to contact us without using the contact form by sending us an e-mail with your request to our e-mail address. If you make use of this option, the following personal data will be processed by default in addition to the content provided in the email:
- E-mail address
- Name
The purpose of providing your e-mail address is to assign your request and to be able to reply to you. When contacting us by email, your personal data will not be passed on to third parties.
To enable us to offer you optimized and tailored customer service, we also use the software of an external US provider to assign and process your inquiries. The protection of your personal data is particularly important to us for processing operations outside the EU. We have therefore ensured that this service provider has been certified under the EU-US Data Privacy Framework (see point 3.5.) and that a data processing agreement (Art. 28 GDPR) has been concluded with it.
b. Legal basis
The data processing temporarily described for the purpose of responding to your request is based on Art. 6 para. 1 lit. b and f GDPR. As with the contact form, the provision of an interface for communicating with you is in our legitimate interest, which will generally coincide with your interest in contacting us quickly and easily.
c. Storage period
As soon as the request you have made has been dealt with and the matter in question has been finally clarified, the personal data processed via the e-mail will be deleted. Further storage may take place in individual cases if and insofar as there is a legitimate interest (Art. 6 para. 1 lit. f GDPR).
4.5.4 Contact by telephone
a. Type and scope of data processing
To clarify your concerns, you can also contact us by telephone on 0261 9490 30000. In addition to your telephone number, we will process the personal data that you provide to us during the call.
To enable us to offer you optimized and tailored customer service, we also use the software of an external US provider to assign and process your inquiries. The protection of your personal data is particularly important to us for processing operations outside the EU. We have therefore ensured that this service provider has been certified under the EU-US Data Privacy Framework (see point 3.5.) and that a data processing agreement (Art. 28 GDPR) has been concluded with it.
b. Legal basis
The legal basis for the processing of the data transmitted in the course of contacting us is Art. 6 para. 1 lit. f GDPR. If you contact us, the necessary legitimate interest in processing the data lies in processing your request.
If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
To protect your own personal data, please refrain from providing us with special categories of personal data within the meaning of Art. 9 para. 1 GDPR (for example: health data).
c. Storage period
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. Further storage may take place in individual cases if this is required by law or if there is a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
a. Type and scope of data processing
On our website, we offer you the opportunity to apply online for jobs advertised by us and thus become part of the Canyon family. If you apply online, the following data will be collected from you and processed as part of the application process:
- Your career level
- Your name
- Your e-mail address
- Your phone number
- Your address
- Your availability in terms of time
- Your application documents (consisting of letter of application, CV, references, certificates, etc.)
- Links to your online profiles on XING and LinkedIn, if applicable
- Your possible entry date
- Your salary expectations
- and, if applicable, further individual comments as part of the application process
The data entered online is collected and processed exclusively for the purpose of filling vacancies at Canyon Bicycles GmbH. Only the departments and positions responsible for the application process within the company will have access to your data. Your application data will not be used for any other purpose or passed on to third parties.
b. Legal basis
The legal basis for the processing of your personal data in the context of the application is Art. 6 para. 1 lit. b GDPR. Insofar as you expressly allow us to store your application documents beyond this application procedure in the context menu (see c.), for example in order to be able to consider you again for future vacancies, this is done on the basis of Art. 6 para. 1 lit. a GDPR.
c. Storage period
Your application data will be automatically deleted 6 months after completion of the application process. This does not apply if legal provisions prevent deletion or if further storage is necessary for the purpose of asserting any legal claims or for the purpose of providing evidence. However, further storage is otherwise only possible on the basis of your consent. This may be useful, for example, if we do not currently have a vacancy to offer, but your profile may be of interest for future vacancies. This procedure is used in particular for unsolicited applications, provided that you have expressly consented to such storage and use. You can revoke this consent at any time, preferably by sending a message via the contact form in the careers section or an email to karriere@canyon.com.
From a technical and organizational point of view, we have taken various precautions to protect your data. The transmission of your online application is encrypted. Your data is stored in a database that is separate from all other systems and to which only the relevant people in the HR team have access.
a. Type and scope of data processing
It is possible to track an order on our website. We need the following information from you to query the database:
- E-mail address
- Order number
Your data will not be passed on to third parties when tracking shipments.
b. Legal basis
Data processing for the purpose of tracking your order is carried out in accordance with Art. 6 para. 1 lit. f GDPR, our legitimate interest in enabling you to track your delivery status and thus to be able to guarantee customer-friendly order processing.
c. Storage period
Once the contract has been fully processed and the purchase price has been paid in full, your data will be blocked for further use and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to the further use of your data. Further storage may take place in individual cases if this is required by law.
a. Type and scope of data processing
Once you have received the goods you purchased from us, we may send you a follow-up email to ask for your feedback. As part of this survey, we process your name and e-mail address, as well as some data relating to your order, such as the item number. Your feedback from the survey helps us to improve our processes and procedures in the context of an order. We process the following personal data for this purpose:
- First and last name
- E-mail address
- Order or order data
- Delivery data
b. Legal basis
The legal basis for the processing of your data for the purpose of sending a survey is our legitimate interest Art. 6 para. 1 lit. f GDPR and takes into account competition law requirements (cf. § 7 UWG).
c. Storage period
We only process this data for as long as is necessary for the purpose described above. This data will then be deleted, provided that there are no statutory retention periods to the contrary.
a. Type and scope of data processing
We use cookies on our website. Cookies are small files that are sent by us to the browser of your end device and stored there when you visit our website. This website uses cookies to improve your experience and to provide you with personalized content and functions. Cookies do not cause any damage to your end device. They cannot execute programs or contain viruses. In this notice, we would like to inform you about the different types of cookies we use and how you can manage your cookie settings. You can find more detailed information on the individual cookies in our cookie banner.
(1) Required cookies:
These cookies are essential to ensure that the website functions properly. For example, they enable you to navigate the website, fill in forms and access your shopping cart. Without these cookies, certain services on our website cannot be provided.
(2) Performance and marketing cookies:
These cookies collect information about how you use our website. They help us measure and improve the performance of our website by providing statistics and analytics. We use this information to optimize the user-friendliness and relevance of our content. This enables us to make our website more user-friendly and effective for you.
However, you can change your cookie settings at any time by clicking on the cookie settings option on our website. You have control over your cookie preferences.
b. Legal basis
The legal basis for the use of technically necessary cookies for the associated storage of information on your end device and its subsequent reading is § 25 para. 2 no. 2 TDDDG. The following processing of your personal data is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.
The legal basis for the use of performance or marketing cookies with regard to their associated storage on your end device is Section 25 (1) of the GDPR. The processing of the personal data collected on this basis takes place exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR.
With regard to data transfers to companies based outside the EU/EEA, your consent to the use of the corresponding cookies also includes the transfer of your personal data to third countries (Art. 49 para. 1 lit. a) GDPR).
c. Storage period
As soon as the data transmitted to us via the cookies is no longer required to achieve the purposes described above, this information is deleted. Further storage may take place in individual cases if this is required by law.
You can find more detailed information on the respective storage periods in our cookie banner.
d. Configuration of the browser settings
Most browsers are set to accept cookies by default. However, you can configure some browsers so that they only accept certain cookies or no cookies at all. However, we would like to point out that you may no longer be able to use all the functions of our website if cookies are deactivated by your browser settings on our website. You can also delete cookies already stored in your browser via your browser settings. It is also possible to set your browser to notify you before cookies are stored. As the various browsers may differ in their respective functions, we ask you to use the respective help menu of your browser for the configuration options. If you would like a comprehensive overview of all third-party access to your Internet browser, we recommend that you install specially developed plug-ins.
6. Hyperlinks
Our website contains so-called hyperlinks to websites of other providers. If you activate these hyperlinks, you will be forwarded directly from our website to the website of the other provider. You can recognize this by the change of URL, among other things. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on whether these companies comply with the applicable data protection regulations. In this regard, we refer you to the Data protection statement and other information provided by the respective website operators.
Insofar as we are jointly responsible for certain data processing operations with a website operator, you will find more information on this under point 10.
7. Rights of data subjects
The GDPR gives you, as the data subject of the processing of personal data, the following rights:
- In accordance with Art. 15 GDPR, you can request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, about a transfer to third countries or to international organizations and about the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.
- In accordance with Art. 16 GDPR, you can immediately request the correction of incorrect or the completion of your personal data stored by us.
- In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
- In accordance with Art. 18 GDPR, you can request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful, we no longer need the data and you refuse to delete it because you need it to assert, exercise or defend legal claims. You also have the right under Art. 18 GDPR if you have objected to the processing in accordance with Art. 21 GDPR.
- In accordance with Art. 20 GDPR, you can request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you can request that it be transferred to another controller.
- In accordance with Art. 7 (3) GDPR, you can revoke your consent to us at any time. As a result, we may no longer continue the data processing based on this consent in the future.
- In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters.
9. Data security and security measures
to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions that are regularly reviewed and adapted to technological progress. These include the use of recognized encryption methods (SSL or TLS). However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, it cannot be ruled out that data disclosed in unencrypted form - e.g. by e-mail - may be read by third parties. We have no technical influence on this. It is the responsibility of the user to protect the data provided by him/her against misuse by encryption or in any other way or to refrain from communicating sensitive/personal data.
As part of the use of our social media presence, we, Canyon Bicycles GmbH (hereinafter "we" or "Canyon"), are partly responsible and partly the platform operators of the respective social media channel. However, for individual processing operations, such as "Facebook Insights", the respective social media providers and we are jointly responsible (see Art. 26 GDPR). In the following, we will inform you about what data is involved, how it is processed and what rights you have in this regard.
You can reach us, Canyon, as follows:
Canyon Bicycles GmbH
Karl-Tesche-Strasse 12
56073 Koblenz
Phone: +49 (0)261 - 9490 300 0
E-mail: privacy@canyon.com
Website: https://www.canyon.com/
This Data protection statement applies to the social media presences of Canyon Bicycles GmbH (see 10.3.).
Our external data protection officer is:
Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
D-50672 Cologne
Phone: +49 (0)221 - 222 183 0
E-mail: team-cgn1@kinast.eu; mail@kinast.eu
Website: http://www.kinast.eu
You are also welcome to contact our external data protection officer directly if you have any questions or queries relating to data protection.
The contact details of the data protection officers on the websites of the social media providers listed below can be found in their privacy policies.
You can find us on the following social media websites:
- Facebook: https://www.facebook.com/Canyon.DE
- Instagram:
- https://www.instagram.com/Canyon
- https://www.instagram.com/cllctv_mtb/
- https://www.instagram.com/cllctv_grvl/
- YouTube: https://www.youtube.com/@CanyonBicycles
- Strava: https://www.strava.com/clubs/3812
- TikTok: https://www.tiktok.com/@canyon_bicycles
- X: https://x.com/canyon_bikes
We would like to expressly point out at this point that we have no influence on the basic functionalities of the social media platforms. The operation of the respective platforms and the way in which your personal data is subsequently processed is therefore largely the responsibility of the respective operators. Further information can be found in their respective privacy policies. For further questions in this regard, you should therefore contact the respective platform operators.
In addition, we will inform you below about the data processing procedures on our social media sites:
a. Making contact and sending messages
The above-mentioned social media channels offer the option of contacting us by direct message. In these cases, we process the personal data transmitted to us in each case, usually consisting of your specified user name, the time the message was sent and the "read/unread" status. We would like to point out at this point that data is inevitably also transmitted to the respective social media operator when contact is made. If you therefore have any concerns about the confidentiality of these messages, please contact us by other means.
The processing of the personal data communicated to us in this way is based on Art. 6 para. 1 lit. b and f GDPR.
We only store the messages sent to us in this way for as long as they are required for the respective processing purpose and then delete them, provided there are no statutory retention periods to the contrary. Please note that messages addressed to us publicly in particular are subject to the respective retention periods of the social media operator and we cannot always influence this.
b. Interaction with our contributions
Depending on their platform, the respective social media providers offer a wide range of options for interacting with our posts. This includes, in particular, sending "likes", comments and other reactions to posts. You should always be aware that our social media presences are publicly visible and that your interactions with our posts can therefore also be easily viewed by any visitor to the platforms.
The processing of interactions with our social media posts is based on our legitimate interest, Art. 6 para. 1 lit. f GDPR.
These interactions are generally stored without a time limit. If you are unable to delete content yourself, we therefore ask you to contact the respective platform operator. However, you are also welcome to let us know if you want a particular post to be deleted and we can help you with this. Otherwise, this is the responsibility of the respective platform operator.
c. Transfer of data to countries outside the EU/EEA
The vast majority of social media providers are based outside the EU/EEA, i.e. in countries where the provisions of the GDPR do not apply directly. However, we take the precautions required by the GDPR to ensure that your data is transferred in compliance with data protection regulations.
We therefore work in particular with companies in countries for which the EU Commission has issued an adequacy decision. These include the USA in particular. Since 10.07.2023, data transfers to the USA have been legitimized by a so-called EU adequacy decision ("EU-US Data Privacy Framework") if the respective US company has committed itself to appropriate data protection standards with the US Department of Commerce. US companies that have not done so will be treated in the same way as other global companies outside the European Union if there is no EU adequacy decision for the country in question. At Canyon, we only work with companies for which legally required measures have been taken to ensure the lawful transfer of your data to these countries. If there is no adequacy decision for a third country in this respect, compliance with the required level of data protection is usually ensured by concluding standard contractual clauses and implementing additional data protection measures.
In some cases, the personal tracking and analysis data provided to us via our social media channels by the respective platform operators is transmitted to our external US software service provider, whose software we use as part of our customer relationship management, for the purpose of optimizing our offer and our online presence. For this purpose, we have concluded an order processing contract with this company.
If you have given us your consent to do so, this data processing is based on Art. 6 para. 1 lit. a GDPR (and in individual cases and with regard to data transfer to countries outside the EU also on Art. 49 para. 1 lit. a GDPR). In addition, depending on the specific case, such data processing may also be based on our legitimate interest in optimizing our online presence.
We only store this data within the scope of our area of responsibility for as long as is necessary for the respective purpose. This data is then deleted if there are no legal retention periods to the contrary.
d. Shared responsibility: tracking and analysis
For the respective tracking and analysis functions of the platform operators, we generally act together with them as so-called "joint controllers" (cf. Art. 26 GDPR).
While the respective platforms collect corresponding personal data and process it for the purpose of optimizing their services and placing advertisements, we generally receive anonymized statistics about the visitors and their interactions with our respective pages. In order for us to better understand how you interact with our social media presences, demographic and geographical analyses are sometimes also created based on the information collected and made available to us. We can use this information to place targeted interest-based advertisements without gaining direct knowledge of the visitor's identity. If, for example, visitors use the Facebook platform on multiple devices, the data can also be collected and analyzed across devices if the visitors are registered and logged into their own profile. We have no influence whatsoever on the way in which tracking takes place and only receive anonymous statistics. The options for preventing these mechanisms of the respective platform operator can be found in their settings and data protection information.
The legal basis for this is Art. 6 para. 1 lit. f GDPR, our legitimate interest in optimizing our social media presences and our customer service with the help of tracking.
The storage period of the data processed by us in this way is the responsibility of the respective platform operator.
If you wish to exercise a so-called data subject right with regard to specific data processing over which we have an influence, you are welcome to contact us or our data protection officer at any time with an informal message using the contact details above. We will then review your request (e.g. request for information or objection) or, if necessary, forward it to the responsible social media platform if the request relates to data processing by the platform operator.
You have the following rights in this respect:
- The right to obtain information about the data processing and a copy of the processed data (so-called right of access, Art. 15 GDPR),
- the right to request the rectification of inaccurate data or the completion of incomplete data (so-called right to rectification, Art. 16 GDPR),
- the right to request the erasure of personal data and, if the personal data has been made public, to inform other controllers about the request for erasure (so-called right to erasure, Art. 17 GDPR),
- the right to demand the restriction of data processing (so-called right to restriction of processing, Art. 18 GDPR),
- the right to receive the data subject's personal data in a structured, commonly used and machine-readable format and to request the transmission of this data to another controller. In the case of social media channels, however, you can generally only assert this right against the operator of the social media platform, as only this operator has access to your profile data (so-called right to data portability Art. 20 GDPR),
- the right to object to data processing in order to prevent it (right to object, Art. 21 GDPR); if your data is processed on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR), you have the right to object to this. If, due to your particular situation, there are reasons that outweigh our legitimate interest in further processing, we will stop processing your data. You are welcome to inform us of this at any time, preferably via the contact options provided
- the right to withdraw your consent at any time in order to prevent data processing based on your consent. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (right of withdrawal, Art. 7 GDPR),
- the right to lodge a complaint with a supervisory authority if you believe that the data processing violates the GDPR (right to lodge a complaint with a supervisory authority, Art. 77 GDPR)