Security & privacy
Data Protection Notice
Table of contents
- We are responsible for your data
- How secure are your data?
- Our Data Protection Officer
- What are mandatory data or mandatory fields?
- For what purposes will your data be processed?
- Your right to object and your right to withdraw your consent at any time
- What are cookies and what are they used for?
- Web tracking, web analysis and retargeting (anonymised / pseudonymised)
- What happens if integrated YouTube videos are activated and played?
- How can you exercise your data protection rights?
- Changes and update
1. We are responsible for your data
The protection and the security of your personal data are of utmost importance to us. Please be assured that we will process your personal data in strict compliance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (“Bundesdatenschutzgesetz”, BDSG). Personal data are data by which you can be identified or by which you are identifiable. We will only process your personal data if a legal provision allows us to do so or if you have consented prior to the processing.
We are Erwin Müller Versandhaus GmbH, Buttstr. 2, D-86647 Buttenwiesen, and our service providers that will process your data on our behalf for the purposes listed below (in the following: Erwin Müller, we).
Our service providers include, among others, print shops, letter shops, call centres, address service providers, internet service providers, data processing service centres and payment service providers. Our service providers are not allowed to process your data for other purposes or on their own behalf, unless you have given your consent.
You may contact us at the postal address given above or by e-mail at email@example.com.
In this Data Protection Notice we will inform you which personal data are collected when you visit our website and make use of our services and offers and how we process these data.
2. How secure are your data?
We have implemented technical and organisational security measures to protect your personal data from manipulation, loss, destruction, or access by unauthorised persons, and to ensure the protection of your rights and the observance of the applicable data protection regulations of the Federal Republic of Germany and of the EU.
The implemented measures shall provide for the ongoing confidentiality and integrity of your data, as well as for the ongoing availability and resilience of the systems and services used for processing your data. Moreover they shall ensure the ability to restore the availability and access to your personal data in a timely manner in the event of a physical or technical incident.
Our security measures include encryption of your data. Your data are encrypted by Secure Sockets Layer (SSL, Chart 256 RSA-Certificate) during their transmission to us. (Please note that this does not apply to data collected when you use our customer consulting chat service.)
All information entered online by you will be technically encrypted and only then be transmitted. Therefore this information can at no point in time be viewed by unauthorised third parties.
Our data processing and our security measures are being continuously improved according to the state of the art.
Our employees have of course signed a binding confidentiality agreement (data secrecy).
3. Our Data Protection Officer
If you have questions regarding data protection or data security, you may contact our Data Protection Officer by e-mail at firstname.lastname@example.org or by mail at Erwin Müller Versandhaus GmbH, Data Protection Officer, Buttstr. 2, D-86647 Buttenwiesen.
4. What are mandatory data or mandatory fields?
f certain data fields are designated as “mandatory data” or “mandatory fields” and/or asterisked (*), the collection of these data is either legally or contractually required, or else we need these data for conclusion of the contract, the requested service or the indicated purpose. It is of course your decision whether you supply these mandatory data or not. If not, we may not be able to fulfil the contract or to provide the requested service, or the indicated purpose may not be achieved.
5. For what purposes will your data be processed?
We will process your data to reply to your queries (Art. 6 par. 1 b, f GDPR). The address and telecommunication data marked as mandatory data are necessary to deal with and reply to your request. If you voluntarily supply further data, it will be easier for us to deal with your query and we can reply in more detail.
Having answered your query, we will as a rule store your query together with your data as a business letter for six years (Sect. 257 par. 4 HGB (“Handelsgesetzbuch”, German Commercial Code), Sect. 147 par. 3 AO (“Abgabenordnung”, German General Tax Code), Art. 6 par. 1 c GDPR).
b. Your personal customer account
We will process your required registration data to set up your customer account and to put it at your disposal for your use (Art. 6 par. 1 b GDPR). You can only access your account when you enter your personal password. Please treat your access data as confidential. If you voluntarily supply your telephone number, we can contact you if questions arise concerning your customer account.
We will store your data until you delete your account. If you have ordered goods with us, legal retention obligations or documentation duties require us to store your data relating to your orders for determined periods of time (see below c.).
c. Orders and requests for catalogues
We will initially process your personal data from your order or your request for a catalogue to deal with your order or your request for a catalogue and to issue an invoice (Art. 6 par. 1 b GDPR).
In accordance with legal obligations, we will store your data relevant for your order or your request for a catalogue and the corresponding documents (e.g. business letters, invoices) for six years (Sect. 257 par. 4 HGB) or for ten years (Sect. 147 par. 3 AO) after completion of your order or your request for a catalogue.
We will also process your data from your orders or your requests for catalogues for postal advertising and customer analyses (see below g.).
d. Credit assessments
When we run the risk of non-payment in taking an order, we may retrieve and use probability values as to your ability and your willingness to pay, in order to decide whether to conclude, carry out or terminate a contractual relationship. To this end, your name, your address, your customer number and your date of birth, as well as order value and order date may be transmitted to: CRIF GmbH, Freisinger Landstr. 74, D-80939 München; infoscore Consumer Data GmbH, Rheinstr. 99, D-76532 Baden-Baden; Bürgel Wirtschaftsinformationen GmbH & Co. KG, Gasstr. 18, D-22761 Hamburg; CEG Creditreform Consumer GmbH, Hellersbergstr. 11, D-41460 Neuss; SCHUFA Holding AG, Kormoranweg 5, D-65201 Wiesbaden. The probability values are determined using the above data and your address data (Art. 6 par. 1 f GDPR, Sect. 31 par. 1 and 2 BDSG).
In the first of altogether two written reminders, we will inform you that we may transmit personal data concerning due, unpaid and undisputed claims to the above credit agencies. Four weeks after receipt of the first reminder, we may transmit these claim data to the credit agencies. The credit agencies may then put these data at the disposal of other companies that have a legitimate interest in this information (Art. 6 par. 1 f GDPR, Sect. 31 par. 2 no. 4 BDSG).
e. Recommend Your Friend!
If you take part in our Recommend Your Friend! campaign, we will initially process the personal data of the recruited new customer (address data, communication data, purchase data) to deal with his/her order and to issue an invoice (Art. 6 par. 1 b GDPR). We will process the data of the existing customer to check whether the conditions to receive the recruitment bonus (gift) are fulfilled and to send out the gift (Art. 6 par. 1 b GDPR).
The legal retention obligations apply (see above c.).
f. Voucher offers of Sovendus GmbH
In order to select a currently interesting voucher offer for you, we will transmit the hash value of your e-mail address and your IP-address in pseudonymised and encrypted form to Sovendus GmbH, Moltkestr. 11, D-76133 Karlsruhe (Sovendus) (Art. 6 par. 1 f GDPR). Sovendus will use the pseudonymised hash value of the e‑mail address to observe a possible objection to advertising (Art. 21 par. 3, Art. 6 par. 1 c GDPR). Sovendus will use the IP-address exclusively for data security purposes and as a rule anonymise it after seven days (Art. 6 par. 1 f GDPR). In addition, we will transmit order number, order value and currency, session-ID, coupon code and time stamp in pseudonymised form to Sovendus for billing purposes (Art. 6 par. 1 f GDPR).
If you are interested in a voucher offer of Sovendus and if you click on the voucher banner (which will only appear if there is no objection to advertising registered with your e-mail address), we will transmit your form of address, your name and your e‑mail address in encrypted form to Sovendus to prepare the voucher (Art. 6 par. 1 b, f GDPR).
You will find further information about the processing of your data by Sovendus in their Data Protection Notice at https://www.sovendus.de/en/privacy_policy/.
g. Comments and ratings
If you comment on or rate our products, we only need your first name and at most the first letter of your family name, not your full name. You may also post your comments or ratings under a pseudonym. If you give your full name, you may be found by Internet search engines (Art. 6 par. 1 f GDPR).
We will store your data from your comments and ratings as long as the corresponding products are offered on our website. If unlawful comments or ratings are posted, we reserve the right to store the comment or the rating for a longer period of time or to delete it, according to the legal regulations.
E-mail advertising / newsletter
If you have given us your consent (which you may withdraw at any time), we will send you by e-mail our newsletter with our offers and information for the whole family about our products for bedroom and bathroom, living, underwear and loungewear, and our customised gift articles (Manutextur) (Sect. 7 par. 2 no. 3 UWG (“Gesetz gegen den unlauteren Wettbewerb”, German Act Against Unfair Competition), Art. 6 par. 1 a GDPR). When you give us your consent, we will collect some mandatory data.
We will use these data in order to personally address you in our newsletter.
Postal advertising and customer analyses
We will process your data from queries, orders and requests for catalogues for postal advertising and for our customer analyses to the extent allowed by law. We may transmit your data to partner companies from the mail-order industry which will then use your data for their own postal advertising (Art. 6 par. 1 f GDPR).
Our analyses are regularly made in pseudonymised form on the basis of a customer number.
Documentation of consent
When collecting your consent to e-mail advertising, we online use the so-called double-opt-in procedure to avoid that our e-mail advertisements are sent to e-mail addresses of persons who have not requested them. Your IP-address will also be recorded and stored for documentation purposes, as required by the data protection supervisory authorities (Art. 7 par. 1, Art. 6 par. 1 c GDPR).
If you send us your consent declaration by mail, we will scan and store it, or file the original for documentation purposes (Art. 7 par. 1, Art. 6 par. 1 c GDPR).
We will store your data collected for advertising purposes until you withdraw your consent or until you object to the processing of your data for advertising purposes (see below 7.).
Change of purpose
We may change the processing purposes over time. Before implementing such changes, we will update this Data Protection Notice.
i. Online job applications
If you apply for a job with Erwin Müller, we will process your address, telecommunication and application data to handle and evaluate your application (Sect. 26 par. 1 BDSG). We need your address and telecommunication data marked as mandatory data to correctly assign your application and to contact you. Your application data marked as mandatory data allow us to assess the chances of success of your application.
If you are not chosen for or if you refuse the offered job, we will store your data for another six months for documentation purposes and then delete them.
j. Extended storage periods
The indicated storage periods may be extended if in individual cases (especially if data are processed for different purposes) longer legal or contractual retention periods apply.
6. Your right to object and your right to withdraw your consent at any time
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, provided that the legal requirements are met (Art. 21 par. 1 GDPR).
If you want to object to the processing of your data for advertising purposes or if you wish to withdraw your consent (Art. 21 par. 2 GDPR), you may at any time send a short message to our Data Protection Officer by e-mail to email@example.com or by mail to Erwin Müller Versandhaus GmbH, Data Protection Officer Buttstr. 2, D-86647 Buttenwiesen. In order to process your query without delay please let us have your customer-no or your complete address. Your data will then no longer be processed for the advertising purposes covered by your objection or your withdrawal of consent.
This does not affect the lawfulness of the processing before objection or withdrawal of consent.
If you object to the processing of your personal data for advertising purposes or if you withdraw your consent, we are obliged, according to data protection law (Art. 21 par. 3 GDPR), to enter your required data (name, address, e-mail address) into our internal advertising black list and to store (block) these data permanently, in order that we can compare them with future advertising files (Art. 6 par. 1 c, f GDPR). In this way we can ensure the ongoing observance of your objection or of your withdrawal of consent. We will use your blocked data exclusively for this purpose.
7. What are cookies and what are they used for?
“Cookies” are small files which are transmitted via your web browser or via other programmes to the hard disk of your computer. They are locally stored on the hard disk and may be retrieved at a later time.
to enable and ensure the required technical functions (Art. 6 par. 1 b, f GDPR),
to analyse the visits to our website in anonymised and pseudonymised form in order to optimise our website (web tracking) (Art. 6 par. 1 f GDPR) and
If you have given your consent, cookies are used for a pseudonymised processing of data
to create a user-friendly Internet presence which best meets your requirements (Art. 6 par. 1 a GDPR) and
to show you interesting offers on our website and on websites in associated advertising networks (tracking and retargeting) (Art. 6 par. 1 a GDPR).
Under certain circumstances, cookies are also placed by third-party suppliers (e.g. for retargeting) to enable functions and techniques of third-party suppliers (Art. 6 par. 1 a GDPR).
Session cookies are only used for one session. These cookies will be deleted after termination of the session, i.e. when you leave our website or when you close the browser window.
Other cookies will remain on your end device over a longer period and enable us to recognise your browser during your next visit.
c. Deactivation of cookies / withdrawal of your consent
Please note that if you delete all cookies on your end device, also these “do not track or retarget” cookies, which enable us to observe your withdrawal of consent, will be deleted.
You may change the settings of your web browser in such a way that it will inform you when cookies are placed, or that it will reject all cookies or particular cookies (e.g. cookies of third-party suppliers) to generally prohibit web tracking and retargeting. However, please note that if you disable cookies, you will not be able to use various functions on our website.
The following links will inform you about how to change the settings of the most commonly used browsers:
8. Web tracking, web analysis and retargeting (anonymised / pseudonymised)
If you have given your consent, we will also use the web tracking and retargeting service of Criteo GmbH, Gewürzmühlstr. 11, D-80538 München (Criteo) (Art. 6 par. 1 a GDPR). A cookie is installed on our website that will be activated when you have given your consent. The cookie will then send pseudonymised information about the products viewed and bought by you to Criteo, in order that we can present to you our offers and information for the whole family about our products for bedroom and bathroom, living, underwear and loungewear, and our customised gift articles (Manutextur) on the websites of the advertising network of Criteo, too.
If you no longer want your data to be recorded by Criteo or if you wish to withdraw your consent, you may also deactivate retargeting here.
We use the webextend service of our service provider emarsys to create product recommendations from our range that are tailored to you and your interests. We use existing information for this, such as confirmation of receipt and reading of e-mails, information about computers and connection to the Internet, operating system and platform, your service history, date and time of your visit to the homepage, products you have ordered or viewed. We only use this information in pseudonymized form. We will send you offers that match your areas of interest. In this respect, for example, it is also compared which of our advertising emails you open in order to avoid unnecessary emails being sent to you. If you do not want to receive personalized advertising, you can object to this at any time. A message to our contact details is sufficient for this. Alternatively, you can unsubscribe via the unsubscribe link at the end of each advertising email.
Exactag GmbH collects and stores data on this website and its subpages for marketing and optimization purposes. From this data anonymized user profiles can be created. For this purpose, cookies and a technique that is called fingerprint can be used. Cookies are small text files that are stored locally in the cache of the visitor's web browser. The fingerprint technology stores environment variables of the Internet browser in a database, without storing user-related data such as an IP address. Cookies and/or fingerprints allow for the recognition of the Internet browser. The data collected by the Exactag technology is, without the explicit consent of the person concerned, not used to identify the user personally nor aggregated with any personal data. To ensure this exclusion from data storage, a cookie is set in your browser. This cookie is named "exactag_new_ccoptout" and is set by "m.exactag.com". It may not be deleted as long as the storage of the data is contradicted. If you want to object to the storage of your anonymously collected visitor data for the future, please click this link.
9. What happens if integrated YouTube videos are activated and played?
We have integrated YouTube videos on our website, which are stored with YouTube (responsible: Google Inc., Amphitheater Parkway, Mountain View, CA 94043, USA), but can be played directly on our website.
To protect your privacy you must first activate the videos on our site.
If you activate videos, cookies of YouTube or DoubleClick may be stored on your end device and/or be read out, and you will transmit data concerning your use of this website to YouTube / Google (USA), e.g. your IP-address and cookie-ID, the specific address of the site you have visited, system date and time of access, browser-ID (Art. 6 par. 1 f GDPR). You will find information about the purposes and the scope of data collection and data processing by YouTube / Google and about your rights at: https://www.google.de/intl/de/policies/privacy/.
If you do not want YouTube or DoubleClick to obtain data about you by your using our website, you must not activate videos.
When videos are activated, the data will be transmitted, independent of whether you have a user account with YouTube or Google or not. If you are logged in to this account, these data can be directly related to your account. If you do not want this, you should log out of your account prior to activating videos.
Every time a visitor accesses this website, the following data are temporarily stored in a log file (server log files) and processed (Art. 6 par. 1 b, c, f GDPR):
- a description of the type and the version of the used web browser
- the used operating system
- the referrer URL category
- the host name of the accessing end device
- date and time of the server inquiry
These so-called server log data need to be processed to technically provide the service for billing purposes and subsequently to ensure system security and for documentation purposes (Art. 6 par. 1 b, f GDPR). Those data processed for technical purposes and to ensure system security will be anonymised after seven days at the latest by shortening the IP-address, unless the IP-address must be stored for documentation purposes (Art. 6 par. 1 c, Art. 5 par. 2, Art. 7 par. 1 GDPR). The data are further processed in anonymised form for statistical purposes.
11. How can you exercise your data protection rights?
If you have questions concerning the processing of your personal data by us, we will of course be pleased to provide information about the data relating to you (Art. 15 GDPR).
Moreover you have the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR), as well as the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR), provided that the legal requirements of the GDPR are met.
Please contact in all these cases our Data Protection Officer (see above 3.) at the communication addresses given there.
Finally you have the right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR, Sect. 19 BDSG).
12. Changes and update
It will from time to time be necessary to update this Data Protection Notice. We therefore reserve the right to change its contents at any time. We will publish the updated version of this Data Protection Notice on this site. When you visit our website the next time, you should once again read the Data Protection Notice.
As of: Juli 2020