Data protection intro
Canyon Bicycles GmbH (hereinafter called CANYON) is pleased that you are visiting our website. Data protection and data safety while using our website are very important for us. Therefore, we would like to inform you at this point about which of your personal details we record at the time of your visit to our website and for what purposes these data are used.
Since changes in laws or changes in our internal company procedures may make amendments to this data protection statement necessary, we ask you to read through this data protection statement on a regular basis. The data protection statement can be called up on the data protection navigation area on our website, and it can be stored and printed out at any time.
§ 1 Responsible party and scope of validity.
The responsible party as defined in the EU General Data Protection Regulation (hereinafter GDPR) and other national data protection laws of the member states as well as other legal data protection specifications is:
Canyon Bicycles GmbH
Karl-Tesche-Straße 12
56073 Koblenz
Tel.: +49 261 9490 3000
E-Mail: info@canyon.com
Website: https://www.canyon.com
This data protection statement is valid for the Internet offer of Canyon Bicycles GmbH, which can be found at the domain www.canyon.com and www.career.canyon.com as well as the different sub-domains (hereinafter called ‘our website’).
§ 2 Data protection officer
The external data protection officer of the responsible party is:
Attorney Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
D-50672 Köln
Tel.: +49 (0)221 – 222 183 – 0
E-Mail: mail@kinast.eu
Website: http://www.kinast.eu
§ 3 Data processing principles
All items of information that refer to an identified or identifiable natural person constitute personal details. For example, this includes information such as your name, your age, your address, your telephone number, your date of birth, your e-mail address, your IP address or the user behaviour. Information, with which we can make no reference (or only at disproportionately great expense) to your person, e.g. by anonymising the information, does not constitute personal data. The processing of personal data (for example, collecting, questioning, using, storing, or transmitting) always requires a legal basis or your consent. Processed personal data are erased as soon as the purpose of the processing has been achieved and legally stipulated retention obligations are no longer in effect. If we process your personal data for preparing specific offers, we will subsequently inform you about the specific procedures, the scope, and the purpose of the data processing, the legal basis for the processing and the respective storage duration.
§ 4 Individual processing procedures
1. Preparing and using the website
A. Type and scope of the data processing
Whenever you call up and use our website, we collect the personal data automatically. Your browser then transmits this to our server. This information is temporarily stored in a so-called log file. When you use our website, we collect the following data, which are technically necessary for us in order to display our website to you and to assure stability and reliability.
- IP address of the requesting computer,
- Date and time of the access,
- Name and URL of the requested file,
- Website, from which the access takes place (referrer URL),
- Browser used, terminal used, and, if appropriate, the operating system as well as the name of your access provider
B. Legal basis
Article 6, paragraph 1, (f) GDPR serves as the legal basis for the specified type of data processing. The processing of specified data is necessary for preparing a website and thus serves for supporting a justified interest of our company.
C. Storage duration
As soon as the specified data are no longer necessary for displaying the website, they are deleted. The recording of the data for preparing the website and the storage of the data in logfiles is absolutely required for the operation of the website. Consequently, there is no possibility of objection on the part of the user. Further storage can take place in individual cases, if this is legally stipulated.
2. Registration/User account
A. Type and scope of the data processing
On our website, we offer you the possibility of registering. This involves you providing us with your personal details.
We use the processed data to create a customised user account for you where you can create certain content and services including a wish list, order overview, list of preferred delivery addresses, message preferences etc. in partial self-administration. This way, you can use the content on our website.
We process your e-mail so that we can send you new login details in the event you forget them or the information required to create your account.
When you set your preferences in message settings and areas of interest, you consent to the e-mail address provided being used to send messages relevant to the information you provided. This consent can be withdrawn at any time by e-mailing privacy@canyon.com.
When you add products to your wish list, you consent that we send you e-mail reminders of the products saved on your wish list or information about them.
When you enable the reminder function for unavailable items, you consent that we send you e-mail reminders as soon as they become available again in our shop.
After initial registration, you must log in to your user account for future orders so that we can allocate your order to an existing account. You can of course place all your orders as guest orders, although you will not benefit from a range of services only available with user accounts.
The following overview shows the personal details we process during registration:
- Name
- e-mail address
- Date of birth (optional)
- Country and language
- IP address
- Gender
The following overview shows you the type of details we process from your information in a user account or via orders placed from a user account.
- Address
- Different delivery addresses, if applicable
- Order overview
- Message settings
- Wish list
- Height and leg length
To prevent any false data you provide from entering our system, we use an external service provider – loqate GBG – to validate the addresses, email addresses, and telephone numbers you submit. Further information about the processing of your data by external service providers can be found under § 6 of this data protection statement.
B. Legal basis
Processing the personal data provided (cf. section 4 2. a.) is based on Art. 6 paragraph 1 (b) GDPR.
C. Storage duration
As soon as the registration on our website is cancelled or modified, the data processed during the registration procedure are deleted. Further storage can take place in individual cases, if this is legally stipulated.
D. Cancelling registration
Users can cancel registration at any time. You can change your saved personal data at any time. To do this, proceed as follows: You can either make the changes yourself after logging into your customer account or e-mail privacy@canyon.com.
In the event the processed data are still required for contractual purposes or pre-contractual purposes, data can only be deleted early provided this is not prevented by any contractual or legal obligations.
3. Purchasing process
3.1 Goods purchase
A. Type and scope of the data processing
On our website, we offer users the possibility of purchasing goods with the specification of personal data. The data required for this are input into an input mask and transmitted to us and stored. Transfer of the data to third parties does not take place. The following data are collected within the framework of the ordering procedure:
- Form of address
- Name
- Address
- Telephone number
- e-mail address
- Payment information
- Type of shipping
- IP address
Your data are transferred to the shipping company in charge of the delivery, in so far as this is necessary for delivery of the goods. For transacting payments, we transfer your payment data to the financial institution entrusted with the payment. That company may only use your data for contract settlement and not for other purposes.
When you make a purchase on our website and therefore store your e-mail address, this address can be used by us to send you information on similar products or services. We are keen to maintain customer relations and we would like to send you information that we believe may be of interest to you.
If you need to interrupt the ordering process or cannot complete the purchase, we will send an e-mail to remind you of the items placed in your basket so that you can complete the process at a later date without having to collect all the items again. To do this, we use cookies. More information on using cookies can be found in section 7 (‘Using cookies’).
B. Legal basis
When processing your personal data (cf. section 4 3. a.) that are required for fulfilling a purchase agreement concluded with us, Art. 6, paragraph 1, (b) GDPR serves as the legal basis. This also applies for processing procedures that are required for carrying out pre-contractual measures.
The legal basis for sending information on similar goods or services as a result of the purchase of goods is section 7 paragraph 3 UWG [Act against unfair competition]. You can choose to stop receiving messages at any time by using the unsubscribe link at the end of the newsletter.
C. Storage duration
With complete settlement of the agreement and complete purchase price payment, your data are stored for further use and erased after expiry of the legal tax and commercial law retention periods, if you have not expressly agreed to the further use of your data. Further storage can take place in individual cases, if this is legally stipulated.
3.2. Use of the 3D Secure 2.0 protocol for credit card payments
A. Type and scope of the data processing
When purchasing goods, you have the option of paying with your credit card. To guarantee enhanced security during payment processing, we now use the 3D Secure 2.0 protocol. With every transaction, data is transmitted to your credit card company. They can use this data to carry out a real-time risk assessment to identify you as the legitimate owner of the credit card. In order to process the credit card payment, we use the service provider Computop. Computop are contractually obliged to observe an appropriate standard of data protection – we have ensured this by means of an order processing contract. Your data will only be transferred to this service provider and will not be passed on to third parties.
When you pay with credit card, we collect the following data:
- Your credit card details.
- Transaction-related data, such as identification numbers required to assign transactions and merchants, as well as the purchase amount and currency.
- Browser data including information on the end device used and the location of the user. This includes IP address, screen resolution, and the browser language setting.
- The complete billing and delivery address of the order.
- Customer account data recorded from and about the customer’s existing account. This includes – but is not limited to – information about how long the account has existed, the number of transactions carried out within certain time intervals, and the frequency with which passwords and delivery addresses have been changed.
- Data on delivery details, such as shipping method, availability of the goods, the delivery time window, the email address (in the case of a shipment of digital goods) or the date of initial availability for products not yet published.
This data is collected by us solely to let credit card companies perform real-time risk assessments. If a transaction is classified as low-risk, you can authorise it directly, without the need for any further actions. However, if there is a suspicion of fraud, you will be asked to confirm your identity again by answering an additional security question. Data is processed in this way for two reasons. Firstly, to meet the Strong Customer Authentication (SCA) protocol – guaranteeing better (and legally required) protection against fraud. And secondly, to simplify the purchase process.
B. Legal basis
The legal basis for this data processing is Article 6 (1), (C) and (F) of the General Data Protection Regulation. A legal obligation for data processing arises here from the EU Payment Services Directive (Directive (EU) 2015/2366), which requires Strong Customer Authentication. One way of fulfilling this obligation is to use the 3D Secure 2.0 process. In addition, we have a ‘legitimate interest’ in the form of an economic interest – the reduction of the purchase termination rate and the simplification of the ordering process. By means of case-by-case, data-based risk assessment, transactions can in most cases be released directly and without further buyer interaction, resulting in an improvement of the user experience.
C. Storage duration
With complete settlement of the agreement and complete purchase price payment, your data are stored for further use and erased after expiry of the legal tax and commercial law retention periods, if you have not expressly agreed to the further use of your data. Further storage can take place in individual cases, if this is legally stipulated.
4. Newsletter
A. Type and scope of the data processing
On our website, there is the possibility of subscribing to a free newsletter. In order to be able to send you the newsletter regularly, we need the following information from you:
- Name
- e-mail address
The following overview shows which additional processed information you can decide to share with us when registering for the newsletter. This information helps us optimise our newsletter and to share specific information with our newsletter subscribers.
- Form of address
- Name
- Date of birth
- Bicycle category of interest
- News category of interest
No transfer of your data to third parties takes place in connection with the sending of the newsletter.
We use the so-called double opt-in method for sending the newsletter, that is, we will send you the newsletter only if you confirm your request beforehand via a confirmation e-mail sent to you for this purpose per link contained therein. Thus, we want to make sure that only you can subscribe to the newsletter yourself as holder of the indicated e-mail address. Your confirmation concerning this must take place soon after receiving the confirmation e-mail, since otherwise your newsletter subscription is automatically erased from our database.
B. Legal basis
The processing of your e-mail address, form of address, your date of birth, and the bicycle and news category of interest for you for sending the newsletter is based on Article 6, paragraph 1, (a) GDPR on the consent statement issued by you on the basis of a double opt-in.
C. Storage duration
Your e-mail address is stored as long as you have subscribed to the newsletter. After cancellation of sending the newsletter, your e-mail address is erased. Further storage can take place in individual cases, if this is legally stipulated.
5. Contact form, including for Crash-Replacement guarantee, return and repair enquiries, chat and concerning our career section
A. Type and scope of the data processing
On our website we invite you to get in contact with us via a prepared form and Chat module. Within the framework of the procedure of sending your inquiries via the contact or Pre-Chat form, reference is made to this data protection statement for obtaining your consent. If you make use of the contact form or Chat module, the following personal data from you are processed via the contact form.
- Form of address
- Name
- e-mail address
- Telephone number
- the country of residence
- your customer number (for returns, repairs or CRP enquiries)
- your order number (for returns, repairs or CRP enquiries)
- model of your bike (for returns, repairs or CRP enquiries)
- your address (for returns or CRP enquiries)
- Photos and details to describe the problem (for repairs or CRP enquiries)
The specification of your e-mail address and the country of residence is so that your enquiry can be associated with you and that you can be answered. The above details are used to help us process your enquiry and relevant services. If the contact form is used, your personal data will not be transferred to third parties.
B. Legal basis
The previously (cf. section 4 5. a.) described data processing for the purpose of making contact takes place according to Article 6, paragraph 1, (b), (f) GDPR.
C. Storage duration
As soon as the enquiry made by you has been dealt with, and the matter concerned is finally clarified, your personal data processed via the contact form will be erased. Further storage can take place in individual cases, if this is legally stipulated.
6. Canyon Careers Section
A. Type and scope of the data processing
On our website we offer you the opportunity to apply online for our job vacancies and to become part of the Canyon family. If you apply online, the following data will be collected and processed in the context of the application process:
- your career stage,
- your name,
- your e-mail address,
- your phone number,
- your address,
- when you can be contacted,
- your application documents (letter of application, CV, testimonials, diplomas etc),
- links to your online profiles at XING and LinkedIn, if applicable
- your possible start date,
- your salary expectations
- and any other remarks you may have about the application process, if applicable.
The data entered online shall be collected and processed solely for the purpose of filling job vacancies at Canyon Bicycles GmbH. Only the departments and officers responsible in-house for the application process shall obtain access to your data. More extensive usage or the passing on of your application data to third parties shall not take place.
B. Legal basis
The legal basis for the processing of your personal data in the context of a job application is provided by Article 6, paragraph 1, (a) GDPR.
C. Storage duration
Your application data shall always be erased automatically six months after conclusion of the application process. This does not apply if legislative provisions countermand such erasure or if ongoing storage is required for evidence purposes. This can also apply for example if we are not currently able to offer a suitable vacancy, but find your profile of potential interest for possible future job openings. In particular when you apply on your own initiative, we can store and use your data in this way if you have specifically consented to this. This consent can be revoked at any time via the contact form in the careers section.
From a technical and organisational viewpoint, we have taken various precautions to protect your data. Any onward transmission of your online application is in encrypted format. Your data are saved to a database that is separate from all other systems, to which only the people responsible for this on the HR team have access.
7. Shipment tracking
A. Type and scope of the data processing
Orders can be tracked via our website. We require the following details from you for database enquiries:
- e-mail address
- Order number
No data are sent to third parties during shipment tracking.
B. Legal basis
The previously (cf. section 4 6. a.) described data processing for the purpose of tracking your order takes place according to Art. 6 section 1 (b) GDPR.
C. Storage duration
With complete settlement of the agreement and complete purchase price payment, your data are stored for further use and erased after expiry of the legal tax and commercial law retention periods, if you have not expressly agreed to the further use of your data. Further storage can take place in individual cases, if this is legally stipulated.
§ 5 Transfer of data to third parties
We transfer your pe