Data Privacy Statement
The following Data Privacy Statement applies to the use of our online offer at www.kneipp.com (hereinafter referred to as the “Website”).
We attach great importance to data privacy. The collection and processing of your personal data are carried out in compliance with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR). We collect and process your personal data in order to be able to offer you the above portal.
With the present Data Privacy Statement we want to inform you about the collection, use and transfer of your data.
1. Responsible party and contact information
Responsible party:
Kneipp GmbH
Winterhäuser Str. 85
97084 Würzburg
Telephone: +49-931-8002-0
E-Mail: info@kneipp.de
Contact Data Protection:
Kneipp GmbH
Data Privacy
Winterhäuser Str. 85
97084 Würzburg
E-Mail: datenschutz@kneipp.de
2. Which data are processed, and for which purpose?
2.1 Use of the Website
2.1.1 Access data
We collect information about you when you use the Website. We automatically collect information about your usage patterns and your interaction with us, and we record information about your computer or mobile device. We collect, store and use data about each access to our online offer (so-called server log files). The access data include:
• Name and URL of the retrieved file
• Date and time of retrieval
• Data volume transferred
• Confirmation of successful retrieval (HTTP response code)
• Browser type and browser version
• Referrer URL (i.e. the previously visited page)
• IP address
We use these log data without ascription to your person or any other profiling for statistical evaluations for purposes of operation, security and optimization of our online services, but also for anonymous determination of the number of visitors to the Website (“traffic”), as well as the scope and type of use of the Website and our services, and also for billing purposes, to measure the number of clicks received from cooperation partners. This information is used to further our legitimate interest to provide personalized and location-based contents and to analyze data traffic, to pinpoint and correct errors, and to improve our services. The legal basis is therefore Art. 6 I 1 lit. f of the GDPR.
2.1.2 Cookies
We use cookies on the Website. Cookies are small text files in which information is stored. This allows a web server to recognize a user and store settings.
When you visit our website for the first time, the so-called cookie banner appears. You have the choice of either accepting all cookies or clicking on "Save" under "Setting" in order to select, for example, only technically necessary cookies.
To change the consent from the cookie declaration, please delete the stored cookies in your browser and reopen the Kneipp website so that the cookie banner appears again and you can make a new selection.
Information about the respective cookies, such as storage duration, provider, collected data, etc., can be found in the cookie banner. To do so, simply click on "Settings" and then on the question mark to the right of the respective cookie category.
The use of technically necessary cookies has its legal basis in Art. 6 I p. 1 lit. f GDPR. For all other cookies, the legal basis is the consent according to Art. 6 I p. 1 lit. a GDPR, which you give with the corresponding settings of the cookie banner.
2.2 Integration of third-party services and content:
2.2.1 Social Media
We use content or service offers from third-party providers within our online offer. This is done on the basis of our legitimate interests (interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 I lit. f GDPR) or on the basis of your consent pursuant to Art. 6 I lit. a GDPR. This means that we integrate content and services from third-party providers, such as videos or fonts (hereinafter uniformly referred to as "content"). The prerequisite for this is that the third-party providers perceive your IP address, as without the IP address they would not be able to send the content to your browser. The IP address is thus required for the display of content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to analyze information such as visitor traffic on the website. The pseudonymous information may also be stored in cookies on your device and contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be combined with such information from other sources.
In the following presentation, we have compiled an overview of third-party providers together with their offered content as well as links to their data protection declarations, which may contain further information on the processing of data as well as information on how to object.
Provider: (Youtube) Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Privacy policy: https://policies.google.com/privacy?hl=en&gl=en
Opt-out: https://adssettings.google.com
We have integrated components of YouTube within our online offers. YouTube allows the free posting of video clips and their free viewing, rating and commenting. By calling up one of the individual pages of our online offers on which content from YouTube has been integrated, a connection to YouTube is established in order to download the necessary elements for displaying the corresponding video. In the process, YouTube or the operating company Google receives information about which sub-page within our online offers has been called up by the respective user. In addition, further information, such as the IP address, the browser used, the operating system and technical device information, date and duration of the visit are forwarded. If the user is logged into YouTube with the same device at the same time as visiting our online offers, YouTube recognizes the user when a single page containing a YouTube video is called up. This takes place regardless of whether the data subject clicks on a YouTube video or not. This information can be collected by YouTube or Google and assigned to the profile of the respective user, unless the elements have been integrated in "Privacy Mode".
Provider: (Vimeo) Vimeo Inc, 555 West 18th Street, New York, NY 10011, USA.
Privacy policy: https://vimeo.com/privacy
Opt-Out: https://vimeo.com/cookie_policy
We have integrated components of Vimeo within our online offer. When you call up such components, a connection is established to the Vimeo servers and the content is displayed. This transmits to the Vimeo server which of our Internet pages you have visited. If you are logged in to Vimeo at the same time, Vimeo assigns this information to your personal user account. If you click on the start button of a video, for example, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo.
Provider: (Instagram) Meta Platform Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland.
Privacy policy: https://help.instagram.com/519522125107875
Provider: (Meta Pixel) Meta Platform Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland
Privacy policy: https://www.facebook.com/about/privacy/
Opt-out: https://www.facebook.com/settings?tab=ads
With the help of the Meta pixel, it is possible for Facebook, on the one hand, to determine the visitors to our online offer as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of partners cooperating with Facebook (so-called "Audience Network" https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products that are evident from the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). With the help of the Meta pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and do not have a harassing effect. Furthermore, with the help of the Meta pixel, we can track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion measurement").
2.2.2 Social Media Plug-ins
We have plug-ins of the social networks Facebook, Instagram, YouTube on our website. However, this does not collect any data, but only provides a link for the corresponding websites. If you click on one of the plug-ins, you will be redirected to the corresponding page. For information on which data is collected there, please refer to the privacy policy of the respective social network:
• Facebook https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
• Instagram https://help.instagram.com/519522125107875
• YouTube https://policies.google.com/privacy?hl=en
2.2.3 Google Analytics
In order to continuously improve our site and design it to meet your needs, we use Google Analytics, a web analytics service provided by Google, Inc ("Google").
Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about the use of this website by site visitors is usually transmitted to a Google server in the USA and stored there.
In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymization is active on this website. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage.
The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
You can also prevent the transfer of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: tools.google.com/dlpage/gaoptout.
As an alternative to the browser plugin or within browsers on mobile devices, you can click on the following link to set an opt-out cookie that will prevent the collection by Google Analytics within this website in the future (this opt-out cookie only works in this browser and only for this domain. If you delete the cookies in your browser, you must click this link again): Google Analytics Disable.
Optimizing our web offer through the collected data is in our legitimate interest and is therefore lawful according to Art. 6 I p. 1 lit. f GDPR.
2.2.4 Google Ads/Remarketing
We use Google Ads, an online advertising platform from Google. Through the remarketing function, we have the opportunity to display interest-based advertisements to our website users on other websites within the Google display network (either on Google itself, so-called "Google Ads" or on other websites). When you click on such an advertisement, a cookie is placed on your terminal device. This does not contain any personal data and loses its validity after 30 days.
If you do not want this, you can deactivate the interest-based Google advertisements in your browser at http://www.google.com/settings/ads.
The collection of data for advertising purposes is a legitimate interest on our part and has its legal basis in Art. 6 I p. 1 lit. f GDPR.
2.2.5 Google reCAPTCHA
We use “Google reCAPTCHA” (hereinafter referred to as “reCAPTCHA”), a service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on the Website. This service helps us to check whether data input on the Website (e.g. in a contact form) is performed by a human being or by an automated program. To this end, the behavior of the Website visitor is analyzed by reCAPTCHA on the basis of various pieces of information (e.g. IP address, time spent on the Website, mouse movements made by the user). The analysis starts automatically upon invocation of the Website and then runs completely in the background. The Website visitor is not informed separately of the analysis currently taking place. The collected data will be forwarded to Google. The legal basis for this is Art. 6 I 1 lit. f of the GDPR. We have a legitimate interest in protecting our internet offers from abusive automated scanning and from spam. For more information about reCAPTCHA, and for Google’s data privacy statement, please see the following links:
https://policies.google.com/privacy?hl=en and https://www.google.com/recaptcha/intro/android.html.
2.2.6 Microsoft Advertising
We use Microsoft Advertising on our website, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft"). By clicking on an ad placed by Microsoft, a cookie for conversion tracking is set on your device.
With the help of conversion tracking, we can find out whether a previously defined action has taken place after clicking on the ad, e.g. purchase of one of our products in our online store.
In this way, we obtain non-personal data (length of stay on the website, areas of the website accessed, ad from which the user accessed the website). Information about your identity is not collected. The cookie itself has only limited validity and is not used for personal identification.
The collected data may be transferred to the USA.
The collection of data for advertising purposes is a legitimate interest on our part and has its legal basis in Art. 6 I 1 lit. f GDPR.
You can find more information about Microsoft Advertising at: https://privacy.microsoft.com/en-US/privacystatement
2.2.7 AB Tasty
We use the web analytics service AB Tasty, a service of AB Tasty GmbH, Lebacherstr. 4, 66113 Saarbrücken, Germany, for A/B and multivariate testing on our website. This service uses cookies to identify a website visitor's browser and analyze the use of our website.
More information about the data processing by AB Tasty, as well as instructions on how to deactivate tracking, can be found at: AB Tasty - Privacy Policy
2.2.8 Google Maps
We use Google Maps, a map service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This service is intended to facilitate route planning to our shops and is therefore based on Art. 6 I 1 lit. f of the GDPR, as we have a legitimate interest in making our shops as easily accessible as possible.
To enable you to use the functions of Google Maps, your IP address must be stored. This is usually transferred to a Google server in the USA and stored there. We have no influence on that. For more information about the use and collection of your data in connection with Google Maps, please see Google’s data privacy statement:
https://policies.google.com/privacy?hl=en.
2.2.9 Google Web Fonts
We use Web Fonts, a service provided by Google, to ensure a consistent display of fonts. When you invoke the Website, the Web Fonts required for your browser are loaded into your browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using connects to Google’s servers. Google thus obtains the knowledge that the Website has been accessed from your IP address. This is done based on Art. 6 I 1 lit. f of the GDPR, as we have a legitimate interest in a uniform and appealing presentation of the Website. If your browser does not support Web Fonts, a standard font of your computer will be used. The following links will give you more information about Web Fonts and Google’s data privacy statement:
https://developers.google.com/fonts/faq and https://policies.google.com/privacy?hl=en.
2.3 Orders / Conclusion of contract
2.3.1 Orders in the online shop, by phone or by fax
For an order, we need your master data, communication data and payment data so that we can confirm receipt of your order, communicate with you, and process the order. The term “master data” is here used to refer to your name, address and date of birth. We need your date of birth to ensure that you are over 18 years of age, and to distinguish between duplicate names. Communication data are your email address and, where entered, your telephone number. Your telephone number will be used only for customer service queries during contract processing and not for marketing purposes. Your payment details consist of your name combined with an IBAN number. The processing is based on Art. 6 I 1 lit. b of the GDPR. In case of an order placement in the online shop, the recording of your email address is legally necessary in order to be able to send you an electronic order confirmation, and therefore required pursuant to Art. 6 I 1 lit. c of the GDPR.
2.3.2 Customer account
For a more convenient shopping experience in our online shop, you can register by entering your personal data on the Website and set up a customer account. This means that you do not have to re-enter your data every time you place an order.
For initial registration, we collect master data (e.g. name, address), communication data (e.g. email address), as well as access data (user name and password).
To ensure your proper registration and prevent unauthorized registrations by third parties, after your registration you will receive an activation link by email to activate your account. Only after successful registration will we permanently store the data disclosed by you in our system. For the administration and processing of your data, we use the system of a third party service provider. Agreements have been made with this third party regarding technical and organizational measures to protect your personal data.
Once you have created a customer account, you can have us delete it at any time. We will then erase your stored personal data unless we need to store them further for the processing of orders or due to legal retention obligations. The legal basis is Art. 6 I 1 lit. a and lit. b of the GDPR.
2.4 Payments
If you make your payment via Instant Bank Transfer (Klarna), PayPal or credit card, we may work with the payment service provider Adyen N.V. (hereinafter "Adyen"), Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, The Netherlands. Adyen is a full payment service provider that, among other things, handles payment processing.
The data required for the respective payment method is transmitted to Adyen, unless this data is collected directly by the respective payment service (e.g. PayPal) itself.
The purpose of the transmission is identity verification, payment administration, credit assessment and fraud prevention. To the extent necessary for the fulfillment of contractual obligations, Adyen also discloses the personal data to service providers or subcontractors. The legal basis for the processing is Art. 6 I p. 1 lit. b and f GDPR. For more information on how Adyen handles your data, please visit: https://www.adyen.com/policies-and-disclaimer/privacy-policy
2.4.1 PayPal
If you use PayPal for payment, we will forward the payment data in the course of the payment handling to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”). The legal basis for this is Art. 6 I 1 lit. b of the GDPR.
When certain payment methods (credit card, direct debit, “Purchase on account via PayPal”) are selected, PayPal reserves the right to obtain credit information for the purpose of deciding whether to provide the respective payment method. This may comprise so-called score values (probability values). The score values are based on a scientifically recognized mathematical-statistical procedure, if and insofar as they affect the credit rating information. Data such as the customer’s address are then included into the calculation. Further information about the data processing at PayPal can be found in their Privacy Notice at the following location:
https://www.paypal.com/myaccount/privacy/privacyhub
2.4.2 Credit card payment
If you have chosen to pay by credit card, we will forward the contract data to the payment service provider Adyen as part of the payment processing. The legal basis for this is Art. 6 I p. 1 lit. b GDPR. You can find more information about data processing at Adyen in their privacy policy at https://www.adyen.com/policies-and-disclaimer/privacy-policy.
2.4.3 Instant bank transfer
If you have chosen to pay via instant bank transfer, we will forward the contract data directly or indirectly via Adyen to Klarna Bank Ab (publ) Sveavägen 46, 11134 Stockholm Sweden, hereinafter ("Klarna"). For more information about Klarna's data processing, please refer to their privacy policy: https://www.klarna.com/international/privacy-policy/
2.4.4 Purchase on invoice
If you decide to pay on invoice, we will send you an invoice, which you then pay. In this process, we do not collect any data. However, we regularly check your creditworthiness when concluding contracts and, in certain cases where there is a legitimate interest, also for existing customers. For this purpose, we cooperate with Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss ("Creditreform"), from which we receive the data required for this purpose. For this purpose, we transmit your name and contact details to Creditreform. The information pursuant to Art. 14 of the GDPR on the data processing taking place at Creditreform can be found here: EU GDPR | Boniversum
We do not collect any payment data as part of the online ordering process. Your data such as name and e-mail address will be forwarded to the relevant credit institution depending on the payment method. This is done on the basis of Art. 6 I p. 1 lit. b GDPR.
2.5 Data processing for advertising purposes
2.5.1 E-mail-marketing/ Newsletter
You can register for the newsletter via various actions. Afterwards, we will send you an activation email and ask you to confirm that you would like to receive our newsletter by clicking on a link contained in this email (double opt-in procedure). We will process your data for this purpose until you withdraw your consent. For this purpose, you can send us an informal message or click on the unsubscribe link in each newsletter. The lawfulness of the data processing results from Art. 6 I 1 lit. a of the GDPR (consent).
2.5.2 Postal mailings
We use your data for marketing purposes to send you attractive offers by post. Here, we process your first name, surname, postal address and year of birth.
In addition, we store further data, e.g. your last purchases, in order to send you advertising based on your actual or perceived needs. The lawfulness of the data processing results from Art. 6 I 1 lit. f of the GDPR.
2.5.3 Sweepstakes
If you participate in a Sweepstake offered by Kneipp, we may collect, store and process your name, address, e-mail address and telephone number in order to conduct the sweepstake. This also includes communication for any prize notifications.
After the sweepstakes has been completed and all prizes have been sent out, we delete your data within three months.
The lawfulness of the data processing results from Art. 6 I 1 lit. b of the GDPR.
2.5.4 Customer relationship management (CRM) system
To enable us to manage your data in one place and to access one source for the respective advertising measures described herein, we use the Marketing Cloud of salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany (hereinafter "Salesforce"). This CRM platform enables customer interaction in compliance with the framework you have specified for this purpose. The legal basis for this is Art. 6 I 1 lit. b, f GDPR. For more information about data processing at Salesforce, please refer to their privacy policy at https://www.salesforce.com/company/privacy/
2.6 Data processing in the context of the Kneipp® Family
We will store the mandatory information you provide when registering (e.g. name, address and date of birth) for the purpose of managing your membership, corresponding with you, and granting benefits (e.g. bonus programs). Mandatory information during registration is marked accordingly (*). In addition, you have the option to voluntarily enter your e-mail address, whereby the entry of an e-mail address is necessary for the management of your online customer account and for the use of the bonus program or is mandatory for online registrations.
The customer number on the card is assigned to your customer account and stores your purchases made online and in the stores (using the card). This serves to improve our offer for you.
The legal bases for the processing of your data are the implementation of the Kneipp® Family Contract and the pursuit of our legitimate interests (Art. 6 I 1 lit. b and lit. f of the GDPR). With your signature under the registration form, or by checking the box for online registration, you consent to the processing of your data. Our legitimate interest is to provide our customers with attractive offers within the framework of a customer program.
When using the analog application form, you can also give your revocable consent to the use of data for the Kneipp® newsletter and further information about products, competitions, etc. This consent is voluntary and forms the legal basis according to Art. 6 I 1 lit. a of the GDPR for data processing in the context of the newsletter (see also 3.4.1). You can also become a member of the Kneipp® Family without this consent.
We store your data as long as it is legally required and permitted. In the event of a revocation on your part, or when storage is no longer necessary for the fulfilment of the purpose pursued with the storage, or is inadmissible for legal reasons, your data will be deleted. You do not have the option to change the data stored in your customer account by yourself. If your card is not activated and the customer status “Member of the Kneipp® Family” is subsequently blocked, we will delete the data required to apply for membership of the Kneipp® Family. The data collected for other purposes (e.g. newsletter) will not be deleted in this case.
In principle, we only use your personal data within our company. If and insofar as we involve third parties in the fulfilment of contracts (such as logistics service providers), they will only receive personal data to the extent that the transfer is necessary for the corresponding service.
We outsource certain parts of the data processing to our contractual data processors and contractually oblige them to use personal data only in accordance with the requirements of the data protection laws and to ensure the protection of the rights of the data subject.
2.7 Data processing in the context of the Kneipp® VIP Author community
We store the mandatory information you provide when applying for Kneipp® VIP Author status (e.g. name, email, date of birth) for the purpose of managing your membership, corresponding with you, and granting benefits. Fields mandatory during the registration are marked accordingly (*). In addition, you have the option of voluntarily entering your user name for any of your existing social media accounts. The legal basis for this is both Art. 6 I 1 lit. b of the GDPR and Art. 6 I 1 lit. c of the GDPR. The data will be stored for up to 5 years for later participation and then deleted if and insofar as legally permissible.
If you have given your consent to contact (including for advertising purposes), this is based on Art. 6 I 1 lit. a of the GDPR. You may withdraw your consent at any time.
2.8 Customer interactions
2.8.1 Email contact
Whenever you contact us (e.g. via contact form or email), we store your details for processing the inquiry and any follow-up questions that may arise. We store and use further personal data only if you give your consent, or if this is legally permissible without special consent. The legal basis is therefore on the one hand your consent (Art. 6 I 1 lit. a of the GDPR) and our legitimate interest in contacting you in accordance with Art. 6 I 1 lit. f of the GDPR on the other. As soon as your request has been dealt with from our point of view, we will delete your data.
2.8.2 Contact Form
For inquiries via contact form, your data entered into the contact form will be stored by us for the purpose of processing the inquiry and any follow-up questions. These data will not be disclosed without your consent. The legal basis for the processing is Art. 6 I 1 lit. a GDPR. You may revoke your consent at any time. We only store the data until the purpose for storing the data no longer applies (e.g. after processing your request has been completed), until you request us to delete it, or until you revoke your consent to store it.
For the latter two purposes, we use Salesforce (see section 2.5.4)
2.8.3 Product reviews
You have the option to rate our products. This is done via a separate form on which you are asked to provide further personal data. To ensure your anonymity, it is sufficient to provide a "nickname", so you do not have to provide a clear name. However, if you do, your rating will also be published with your given name. Your e-mail address will not be published.
This data processing takes place on the legal basis of Art. 6 I 1 lit. a, lit. b and lit. f of the GDPR. Our legitimate interest is to create a more attractive offer for users through customer feedback from other users. If you voluntarily provide information about your health in your product review (e.g. skin diseases), this is health data, the processing of which you explicitly consent to by voluntarily providing and sending the review in accordance with Art. 9 II lit. a of the GDPR.
For product reviews, we work together with our data processor Bazaarvoice Inc, 10901 Stonelake Blvd, on whose servers the submitted product reviews are stored. For more information, you can read the privacy policy of Bazaarvoice under the following link: https://www.bazaarvoice.com/legal/privacy-policy/
2.8.4 User-generated Content (UGC)
If you send us digital image material (photos, videos, images), you consent to its use in accordance with the respective purpose described. The purpose of the processing is defined in the respective description of the action, possibly concretized by the conditions of participation. You submit the image material with the intention of making it public.
You are aware that by posting the material and processing it by us in the anniversary film, you have made your material public and from then on your consent to use it can be waived, according to Art. 9 II lit. e of the GDPR.
2.8.5 Chatbot (LoyJoy)
On our website, we offer you the opportunity to ask questions in a chatbot and take advantage of offers. You can use the chatbot to take part in competitions or surveys, register for the newsletter or sign up for the Kneipp Family, either immediately or later. We use the chatbot of our service provider LoyJoy GmbH, Kapuzinerstr. 20, 48149 Münster, Germany, for this purpose. The chatbot uses the cookies required for the service. Data is stored in accordance with legal requirements. If you use the chatbot for offers, you may be required to provide an email address. This will only be used for the purpose of the respective offer. The general chat data is aggregated and used anonymously for statistical evaluations in order to measure success. The legal basis for processing is your consent and our legitimate interest pursuant to Art. 6 I lit. a and lit. f GDPR. LoyJoy uses "Cloudflare" services in the USA for DDoS mitigation. Cloudflare operates a content delivery network (CDN) and provides protection functions for the LoyJoy web application (web application firewall). The data transfer between the browser and the LoyJoy servers flows via Cloudflare's infrastructure and is analyzed there to ward off attacks. Cloudflare uses technically necessary cookies to enable access to LoyJoy. The use of Cloudflare is in the interest of secure use of LoyJoy and defense against harmful attacks from outside. Further information can be found in the Cloudflare privacy policy: https://www.cloudflare.com/de-de/privacypolicy
2.9 Booking of treatments
For our treatment rooms in the outlet Rottendorf, you can book various treatments online via a form. In doing so, we request your data (first name, last name, e-mail and address data). This data is used exclusively for the purpose of processing the booked treatment and the resulting contractual relationship in accordance with Art. 6 I 1 lit. b of the GDPR and is deleted 6 months after completion of the treatment. For the technical provision of the booking portal, we use a service provider who processes the data on our behalf.
2.10 Applications
If you apply online for a Kneipp position, you will be taken to the Kneipp Career website of our parent company Paul Hartmann AG. You can create a user account here and apply for one or more of the listed positions. Please note the information on data protection provided there.
Applications submitted outside our applicant management system will not be considered and will be destroyed in accordance with data protection regulations.
2.11 Purposes to meet legal requirements (cf. Art. 6 I lit. c GDPR) or purposes in the public interest (cf. Art. 6 I lit. e GDPR)
Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. according to the Works Constitution Act, Social Security Code, commercial and tax laws or the German Fiscal Code), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of processing may include in particular identity and age verification, fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists), company health management, and ensuring work safety. In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.
3. Categories and origin of the personal data we process
Insofar as it is necessary for the decision on the establishment of a contractual relationship with you, we process, in addition to the personal data received directly from you, any legally obtained personal data from third parties (see Art. 14 GDPR).
We process in particular the following data categories:
• Stock data (e.g. title, first and last name, title, residential address, country, company address, date of birth, full legal capacity, industry);
• Contact data (e.g. e-mail address, telephone number fixed/mobile, fax number);
• Content data (e.g. text input contact form, photographs, videos);
• Contract data (e.g. subject matter of the contract, duration, customer category, user name), in particular for the fulfilment of our contractual obligations and services in accordance with Art. 6 I lit. b GDPR, for the implementation of marketing measures based on our legitimate interests in accordance with Art. 6 I lit. f GDPR and on the basis of your consent in accordance with Art. 6 I lit. a GDPR (e.g. in the context of customer satisfaction surveys);
• Payment data (e.g. bank details, account details, credit card details, payment history);
• Health data (e.g. severely disabled status, general physical condition, diagnosis).
4. Your rights as a person affected by the data processing
In order to exercise your rights, we would like to point out that in the case of an advertising objection, for example, you may still receive mail from us 2 - 6 weeks after the advertising objection. This is due to technical and organizational reasons.
If you exercise your right to object to advertising, we will store this objection under your customer number. If you have been completely deleted due to inactivity in accordance with the deletion periods, we will no longer have any information stored about your having issued an advertising objection. If you then order again, you must declare the objection again.
4.1 Right to object (Art. 21 of the GDPR):
When data processing is carried out based on Art. 6 I 1 lit. e or f GDPR, you have the right to enter at any time an objection to the processing of your personal data for reasons arising from your particular situation. This also applies to profiling carried out on the same legal basis.
You can learn from the present data privacy statement which legal basis is relevant for the respective data processing.
If you enter an objection, we will no longer process your relevant personal data unless we can prove the existence of compelling legitimate reasons for such processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (objection according to Art. 21 I of the GDPR).
Where your personal data are processed for direct advertising purposes, you have the right to enter at any time an objection to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling if and insofar as it is related to such direct advertising. If you object, your personal data will then no longer be used for direct advertising purposes (objection according to Art. 21 II of the GDPR).
If you wish to object pursuant to Art. 21 of the GDPR to the collection, processing or use of your data by us in accordance with these data protection regulations as a whole or for individual measures, you can address your objection to the responsible person. The objection must be based on reasons relating to the particular situation of the data subject.
4.2 Right of revocation
A consent to data processing can be revoked without giving reasons. An email to datenschutz[at]kneipp.de is sufficient for this.
4.3 Other rights
In addition to the aforementioned rights of revocation and objection, you furthermore have the following rights:
• Right to be informed, against the person responsible for personal data (Art. 15 of the GDPR)
• Right to rectification (Art. 16 of the GDPR)
• Right to erasure (Art. 17 of the GDPR)
• Right to restrict processing (Art. 18 of the GDPR)
• Right to data portability (Art. 20 of the GDPR)
• Right to appeal to a supervisory authority (Art. 77 of the GDPR)
If you wish to assert your rights, please send your inquiry by email or by post to the address stated in section 1, clearly identifying yourself (name and address).
5. Data security
We make every effort to ensure maximum security of your data in the context of the applicable data privacy laws and technical possibilities.
Your personal data for your orders will be transmitted in encrypted form. This applies to your orders as well as to the customer login. We use the SSL (Secure Sockets Layer) encryption system for this purpose, but point out that data transmission over the internet (e.g. communication by email) may suffer from security flaws. Complete protection of data against access by third parties is not possible.
To secure your data, we maintain technical and organizational security measures in accordance with Art. 32 of the GDPR, which we constantly adapt to the state of the art.
Furthermore, we do not guarantee that our offer will be available at certain times; disruptions, interruptions or failures cannot be ruled out. The servers we use are regularly and carefully backed up.
6. Recipients or categories of recipients of your personal data
We only process your personal data within the company. As a 100% subsidiary of PAUL HARTMANN AG, we also use the systems or contractual partners of PAUL HARTMANN AG for processing. Within our company, those internal departments or organizational units receive your personal data, insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.
If we transfer your personal data to other persons and companies (third parties) or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.
7. Processing of your personal data in a third country
A transfer of data to bodies in countries outside the European Economic Area EU/EEA (so-called third countries) occurs in particular if it is necessary for the decision on the establishment of a contractual relationship.
In this context, the processing of your personal data in a third country may also take place in the context of the involvement of service providers as part of contract processing. If there is no EU Commission decision on an adequate level of data protection for the country in question, we will ensure – in accordance with Article 13 (1) (f) of the GDPR – that your rights and freedoms are protected in the case of transfers pursuant to Articles 46, 47 or 49 (1) (2) of the GDPR by means of suitable and adequate safeguards. Information on the suitable or adequate safeguards and how and where to obtain a copy of them is available upon request at the Data Protection Department.
8. Reservation of unilateral changes
There may also be occasions in the future that will necessitate changes to the data privacy statement. We therefore reserve the right to adapt the present data privacy statement to changes in the legal situation. On the Website, you will always find the respectively current version.