Privacy Policy
Responsible Person
Petra Markert
Im Brühl 6
97688 Bad Kissingen
Germany
Email: petra@markert-art.com
Link to the imprint: https://www.markert-art.com/en/imprint.html
Types of Processed Data
Inventory data, such as names, addresses
Contact data, such as email addresses, phone numbers
Content data, such as text entries, photographs, videos
Usage data, such as visited websites, specific interest in content, user access times
Meta/communication data, such as device information, IP addresses
Categories of Data Subjects
Generally, I refer to users and visitors of our online offer collectively as “users” below.
Purpose of Processing
The purposes of this processing are to provide my online offer, its functions, and content, to respond to contact inquiries, and to communicate with customers. Further purposes are security measures and reach measurement/marketing.
Our Terminology
“Personal Data”: Refers to any information relating to an identified or identifiable natural person (also referred to as a “data subject” below). In this context, an identifiable natural person is one who can be identified, directly or indirectly, primarily by reference to an identifier such as a name, an identification number, specific location data, an online identifier (cookies), or one or more special characteristics that are an expression of the genetic, psychological, economic, cultural, physical, physiological, or social identity of that natural person.
“Processing” refers to any operation or series of operations performed on personal data, whether or not by automated means. This term is very broad and includes virtually any handling of data.
The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data is referred to as the “controller.”
Relevant Legal Bases
I inform you of the legal bases for our data processing in accordance with Art. 13 GDPR. If the legal basis is not mentioned in the privacy policy, the following applies:
Legal basis for obtaining consent: Art. 6(1)(a) and Art. 7 GDPR
Legal basis for processing for the fulfillment and performance of our services and contractual measures and for responding to inquiries: Art. 6(1)(b) GDPR
Legal basis for processing to fulfill our legal obligations: Art. 6(1)(c) GDPR
Legal basis for processing to protect our legitimate interests: Art. 6(1)(f) GDPR
The following article serves as the legal basis in cases where the processing of personal data is necessary to protect the vital interests of the data subject or another natural person: Art. 6(1)(d) GDPR
Security Measures
In accordance with Art. 32 GDPR, I implement appropriate technical and organizational measures, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the access, input, disclosure, availability, and segregation of data. Additionally, I have established procedures to ensure the exercise of data subject rights, deletion of data, and response to data breaches. Furthermore, I consider the protection of personal data already in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
Collaboration with Data Processors and Third Parties
If, in connection with our processing activities, I disclose data to other individuals or companies (data processors or third parties), transmit data to them, or otherwise grant them access to data, this occurs only on the basis of a legal permission, for example when a data transfer to third parties, such as payment service providers, is necessary pursuant to Art. 6(1)(b) GDPR, when you have consented, when there is a legal obligation, or on the basis of our legitimate interests, such as when using agents, web hosts, etc.
If I engage third parties to process data on the basis of a so-called “data processing agreement,” this occurs in accordance with Art. 28 GDPR.
Transfers to Third Countries
If I process data in a third country, meaning outside the European Union (EU) or the European Economic Area (EEA), or if this occurs in the context of using services from third parties or disclosing/transferring data to third parties, it only happens if it is necessary for the fulfillment of our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. I transfer or process data in a third country only when the special requirements of Articles 44 et seq. GDPR are met, subject to legal or contractual permissions. This means that processing, for example, is based on special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU (e.g., for the USA through the “Privacy Shield”), or compliance with officially recognized specific contractual obligations (“standard contractual clauses”).
Rights of Data Subjects
According to Article 15 GDPR, you have the right to request confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to obtain access to the personal data and certain additional information. Pursuant to Article 16 GDPR, you have the right to request rectification of inaccurate personal data concerning you or to have incomplete personal data completed. Under Article 17 GDPR, you have the right to obtain the erasure of personal data concerning you without undue delay, or alternatively, you may request a restriction of processing under Article 18 GDPR. Pursuant to Article 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller. Additionally, according to Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority.
Right to Withdraw Consent
According to Article 7(3) GDPR, you have the right to withdraw consent you have given at any time, with future effect.
Right to Object
Under Article 21 GDPR, you have the right to object to the future processing of your data. In particular, you may object to processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
Small data files stored on users’ computers are called “cookies.” These cookies can store various information. The benefit of a cookie is that information about a user, or about the device on which the cookie is stored, is saved during the visit to the website. Cookies that are deleted after a visitor leaves the website and closes their browser are referred to as temporary cookies or “session cookies.” Such cookies can, for example, store the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies, on the other hand, remain stored even after the respective browser is closed, so that they are still available when the user revisits the site after several days. Additionally, such cookies make it possible to store the interests of the user, which can be used for reach measurement or marketing purposes. Cookies set by providers other than the controller operating the online offer are called “third-party cookies.” Cookies set only by the controller are referred to as “first-party cookies.”
As I use both temporary and permanent cookies, I inform you about this in our privacy policy.
If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in their browser’s system settings. Additionally, it is possible to delete stored cookies in the browser’s system settings. However, it should be noted that disabling cookies may lead to limitations in the functionality of the online offer.
If users wish to generally object to the use of cookies for online marketing purposes, they can do so for many services, especially for tracking, through the US-American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Additionally, as mentioned earlier, the storage of cookies can be disabled at any time in the browser settings. However, it should be noted that not all functions of the online offer may be available in this case.
Data Deletion
In accordance with Articles 17 and 18 GDPR, data processed by us will be deleted or its processing will be restricted. User data stored by us will be deleted if it is no longer needed for its intended purpose as stated in this privacy policy and if there are no legal retention obligations preventing its deletion. If the data is required for other legally permissible purposes, it will be processed in a restricted manner and not deleted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to certain data that must be retained for commercial or tax reasons.
Legal Requirements in Germany for Retention:
6 years according to §257 para. 1 HGB (Commercial Code): Accounting records, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.
10 years according to §147 para. 1 AO (Fiscal Code): Books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.
Business-related Processing
In addition, I process the following data:
Contractual data, such as contract subject matter, duration, customer category
Payment data, such as bank details, payment history
of our customers, interested parties, and business partners, for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research
Hosting
Our hosting services are used for the following:
Infrastructure and platform services
Computing capacity
Storage space and database services
Security services
Technical maintenance services for the purpose of operating the online offering
In accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement), I or my hosting provider process usage data, content data, contractual data, contact data, inventory data, meta and communication data of interested parties, customers, and guests of our online offering out of legitimate interest in an effective and secure provision of our online offering.
Collection of Access Data and Log Files
Based on our legitimate interests, I or my hosting provider collect data about every access to the server on which this service is located (server log files). This is done in accordance with Art. 6 para. 1 lit. f GDPR. This includes the name of the accessed website, the date and time of access, the file accessed, the amount of data transferred, the message about a successful access, the user’s operating system, the website visited before, the type and version of the browser, the requesting provider, and the IP address. For security reasons, such as investigating misuse or fraudulent activities, log file information is stored for a maximum of seven days and then deleted. However, certain data that must be retained for evidentiary purposes until the final resolution of the incident may be excluded from deletion.
Provision of Contractual Services
Inventory data, such as names and addresses, as well as contact information of users, contractual data, such as services used, names of contact persons, payment information, are processed by us. This is done in order to fulfill our contractual obligations and services according to Art. 6 para. 1 lit. b GDPR. All entries marked as mandatory in the online forms are required for the conclusion of the contract.
When you use our online services, I store the IP address and the time of the respective user action. This is done based on our legitimate interests as well as those of the users, as it helps protect them against misuse and unauthorized use. The data is generally not passed on to third parties unless this is necessary to pursue our claims or there is a legal obligation to do so according to Art. 6 para. 1 lit. c GDPR.
Usage data, such as visited websites of our online offering or interest in our products, and content data, such as entries in a contact form or the user profile, are processed by us for advertising purposes in a user profile so that the user can be shown product recommendations, for example, based on services they have used so far.
The data is deleted after the expiry of statutory warranty and comparable obligations. Furthermore, the necessity of data retention is reviewed every three years. For data subject to legal archiving obligations, deletion occurs after the expiry of these obligations. Until then, this information remains in the customer account.
Administration, Accounting, Office Organization, Contact Management
In connection with administrative tasks and the organization of our company, as well as accounting and compliance with legal obligations, such as archiving, I process data. The same data processed in the context of our contractual services is processed here. The legal bases for this are Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. The following persons are affected by the processing: customers, interested parties, business partners, and visitors to our website. The processing serves administration, accounting, office organization, archiving of data, i.e., tasks that serve to maintain our business activities, perform our duties, and provide our services. Data deletion regarding contractual services and contractual communication corresponds to the information provided for these processing activities. In this context, I may disclose or transmit data to the tax authorities or consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers. In addition, based on our business interests, information about suppliers, organizers, and other business partners, for example, due to subsequent contact, may be stored permanently by us.
Business Analysis and Market Research
In order to operate my business economically, identify market trends, and determine customer and user preferences, I analyze the data available to us based on business transactions, contracts, inquiries, etc. Here, I process inventory data, communication data, contract data, payment data, usage data, and metadata in accordance with Art. 6 para. 1 lit. f GDPR. This includes customers, interested parties, business partners, visitors, and users of our online offering.
These analyses serve the purpose of business evaluations, marketing, and market research. This allows us to consider profiles of registered users, for example, regarding their purchase transactions. These analyses serve to increase user friendliness, optimize our offerings, and improve business efficiency. Additionally, they are solely for our internal use and are not disclosed externally, unless they are anonymous analyses with aggregated values.
In the case of personal analyses or profiles, they will be either deleted or anonymized by us upon termination by the user, or otherwise after two years from the conclusion of the contract. Furthermore, we create overall business analyses and general trend determinations anonymously wherever possible.
Contact
When you contact us, for example via contact form, email, telephone, or social media, I process the user’s information in accordance with Art. 6 para. 1 lit. b GDPR in order to handle and process the contact request. The user’s information may be stored in a Customer Relationship Management (CRM) system. Once the information is no longer necessary, I delete it; I review the necessity every two years. Legal archiving obligations apply.
Online Presence in Social Media
I maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there and to inform them about our services.
Please note that user data may be processed outside the European Union. This may result in risks for users because enforcement of user rights may be more difficult. With regard to US providers certified under the Privacy Shield, I would like to point out that they are committed to complying with EU privacy standards.
Furthermore, user data is usually processed for market research and advertising purposes. For example, user profiles can be created from user behavior and resulting interests. These user profiles can then be used to display advertisements within and outside the platforms that presumably correspond to the users’ interests. For these purposes, cookies are usually stored on the users’ computers, in which the users’ usage behavior and interests are stored. Additionally, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).
The processing of users’ personal data is based on our legitimate interests in effective information for users and communication with users pursuant to Art. 6 para. 1 lit. f GDPR. If users are asked by the respective providers for consent to data processing (i.e., they declare their consent, e.g., by ticking a checkbox or confirming a button), the legal basis for processing is Art. 6 para. 1 lit. a and Art. 7 GDPR.
For a detailed presentation of the respective processing and the possibilities of objection (opt-out), I refer to the linked information of the providers below.
Even in the case of inquiries and the assertion of user rights, I point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.
– Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Privacy Policy: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
Integration of Third-party Services and Content
Based on our legitimate interests, i.e., the interest in analyzing, improving, and operating our online offering economically in accordance with Art. 6 para. 1 lit. f GDPR, we use content or service offers from third-party providers within our online offering, which are uniformly referred to as “content” below. This always presupposes that the third-party providers of this content become aware of the users’ IP address, because it is not possible to send this content to their browsers without the IP address. Thus, the IP address is necessary for the presentation of the content. I always strive to use only content whose respective providers use the IP address solely for content delivery. It is possible that third-party providers use so-called pixel tags, invisible graphics also known as web beacons, for statistical or marketing purposes. Through these pixel tags, it is possible to evaluate information such as visitor traffic on the individual pages of this website. This pseudonymous information may be stored in cookies on the user’s device. It may also contain technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, and may be linked with such information from other sources.
Changes to Our Privacy Policy
I kindly ask you to inform yourself regularly about the content of our privacy policy. As soon as changes to the data processing we perform make it necessary, I will update the privacy policy accordingly. If your consent or any other individual notification is required, I will inform you accordingly.
Parts of the privacy policy have been kindly provided by RA Dr. Thomas Schwenke.