Privacy Policy

This privacy policy explains how I use information about you and how I protect your privacy. SWD Anja Kreutel will be what is known as the ‘Controller’ of the personal data you provide to me. The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to SWD Anja Kreutel. The privacy policy details how and why I collect any of your data, which kinds of personal data are collected when you use this website or contact me, and your rights regarding your personal data stored by SWD Anja Kreutel.

1 Responsibility

Anja Kreutel
Rothkreuz 75
88138 Weissensberg
Germany

Phone: +49 8389 45 77 81 8
E-Mail: info@swd-kreutel.de

2 Definitions

The data protection declaration of SWD Anja Kreutel is based on the terms used in the General Data Protection Regulation (GDPR) of the EU. It should be clear and understandable for the general public, customers and business partners. To ensure this, you can find explanations of the terminology used below.
In this data protection declaration, we use, among others, the following terms:

  • Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
  • Controller or Controller responsible for the processing: The Controller or Controller responsible for the processing is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided by Union or Member State law.
  • Data subject: A data subject is any identified or identifiable natural person, whose personal data is processed by the Controller responsible for the processing.
  • Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Processing: Processing is any operation or set of operations, automated or not, which is performed on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction.
  • Processor: A Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
  • Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • Pseudonymization: Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Recipient: A Recipient is a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
  • Third party: A third party is a natural or legal person, public authority, agency, or body other than the data subject, Controller, Processor, and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

3 Legal basis for processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which I obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as for example when processing is necessary for the provision of services, the processing is based on Article 6(1) lit. b GDPR. The same applies to any processing necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning my services. According to Art. 6(1) lit. c GDPR, processing may also be necessary if I am subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. Processing under such circumstances is covered by Art. 6(1) lit. d GDPR. Art. 6(1) lit. f GDPR further allows for data processing to pursue my legitimate business interests, unless overridden by the data subject's interests or fundamental rights and freedoms.

4 Security measures

I employ suitable technological and organizational measures to ensure a reasonable, risk-appropriate level of security for all data stored and processed by me, as stipulated in Art. 32 GDPR. This includes mechanisms for access restriction to protect the confidentiality, integrity, and availability of data; for ensuring proper separation and anonymization of data; and for preventing unauthorized data transfers. Furthermore, the protection of personal data is an important factor in my choices regarding software, hardware, and procedures in order to provide an inherently secure and user-friendly environment for data protection.
I do not guarantee the availability of this website at any given time, since downtimes or issues cannot be fully precluded. Back-ups of the server used to provide this website are made regularly.

5 General purposes of data processing

I use personal data for the purpose of operating this website, replying to contacts and queries, communicating with clients, and for security measures.

6 Types of data collected

6.1 Hosting

I use hosting services to provide the following services as part of the operation of this website: infrastructure and platform services, computing power, storage and database services, security services, and technical maintenance.
In the interest of efficient and secure availability of this website, I and/or my hosting provider may process contact information, content data, contractual information, usage data, and meta and communication data of clients, interested parties, and website visitors according to Art. 6(1) lit. f GDPR and Art. 28 GDPR.

6.2 Access data

The website SWD Anja Kreutel collects some general access data anytime a data subject or automated system calls up the website. This general data and information are stored in the server log files. It may include, among others:

  • name and URL of the accessed files
  • date and time of access to the site
  • transferred amount of data
  • browser type and version used
  • operating system used
  • referrer URL (website from which an accessing system reaches my website)
  • sites visited from my website
  • the Internet service provider of the accessing system
  • the Internet protocol address (IP address)

When using these general data and information, I do not draw any conclusions about or create profiles on the data subjects. Rather, this information is needed to deliver the content of this website correctly, optimize the content of my website, ensure the long-term viability of my information technology systems and website technology, and provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. I may analyze anonymously collected data and information statistically, with the aim of increasing the data protection and data security of my enterprise and to ensure optimal protection for the personal data I process. The anonymous data in the server log files are stored separately from all personal data provided by a data subject.

6.3 Data required to fulfill contractual obligations

I process personal data as required to fulfill my contractual obligations, e.g. names, addresses, e-mail addresses, services ordered, and invoice and payment information. Collecting this data is necessary when a contract is concluded.
These data are deleted after potential warranty times and statutory retention periods expire.
Such data are processed under Article 6(1) lit. b GDPR, since they are necessary for me to fulfill my duties under a contract.

6.4 Communication

If you decide to contact me (e.g. via e-mail), I will process your personal data in order to respond to you and in case of subsequent communication.
Any data processing for the purpose of pre-contractual measures or, if you are already a client, of fulfilling contractual obligations is covered by Article 6(1) lit. b GDPR.
I only process further personal data with your explicit consent (Art. 6(1) lit. a GDPR) or if I have a legitimate business interest in processing such data (Art. 6(1) lit. f GDPR), such as replying to an e-mail.

7 Storage period

I will only process and store the personal data of the data subject for the period necessary to achieve the purpose of storage or as long as required by the laws to which I and my business are subject.
If the storage purpose is no longer applicable or if all statutory retention periods under EU or other relevant legislation have expired, the personal data are deleted in accordance with the legal requirements.

8 Your rights

The GDPR grants you numerous explicit rights to ensure that you have control over what happens with your personal data. These rights, their meaning and their scope are explained below. If you want to make use of any of these rights, please contact me as the Controller using the channels listed in section 1.

8.1 Right to confirmation and access

You have the right to obtain confirmation from the Controller as to whether or not personal data concerning you are being processed.
You also have the right to obtain information about your personal data stored and a copy of this information from the Controller at any time for free. Furthermore, the European directives and regulations grant you access to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the Recipients or categories of Recipients to whom the personal data have been or will be disclosed, in particular Recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the Controller rectification or erasure of personal data, or restriction of processing of personal data concerning you, or to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from you, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you.

Furthermore, you have a right to obtain information as to whether personal data are transferred to non-EU countries or international organizations. Where this is the case, you have the right to be informed of the appropriate safeguards relating to the transfer in accordance with Article 46 GDPR.
If you wish to avail himself of this right of access, you may contact the Controller at any time.

8.2 Right to have your data corrected

You have the right to have the Controller correct inaccurate personal data concerning you without undue delay. According to the purposes of the processing, you also have the right to have incomplete personal data completed, if necessary by providing a supplementary statement.
If you wish to exercise this right to rectification, you may contact the Controller at any time.

8.3 Right to have your data deleted (“right to be forgotten”)

You have the right to have the Controller delete personal data concerning you without undue delay, and the Controller has the obligation to delete personal data without undue delay where at least one of the following reasons applies, as long as the processing is not necessary:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You withdraw consent to the processing according to Article 6(1) lit. a GDPR or of Article 9(2) lit. a GDPR, and there is no other legal ground for the processing.
  • You object to the processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
  • The personal data have been unlawfully processed.
  • The personal data must be deleted in compliance with a legal obligation in EU or Member State law to which the Controller is subject.
  • The personal data have been collected in relation to services offered in the information society, referred to in Article 8(1) GDPR.

If at least one of the aforementioned reasons applies and you wish to request the deletion of personal data stored by SWD Anja Kreutel, you may contact the Controller at any time. I will ensure that the delete request is complied with promptly.
Where I have made personal data public and is required to delete the personal data in accordance Article 17(1) GDPR, I shall take reasonable steps, including technical measures, to inform other Controllers processing the personal data that you have requested deletion by such Controllers of any links to or copy or replication of those personal data, as far as processing is not required. SWD Anja Kreutel will arrange the necessary measures in individual cases.

8.4 Right to restriction of processing

You have the right to demand the restriction of the processing of your personal data from the Controller if at least one of the following applies:

  • The accuracy of the personal data is contested by you, in which case processing shall be restricted while the Controller verifies the accuracy of the personal data.
  • The processing is unlawful and you oppose the deletion of the personal data, instead requesting the restriction of processing.
  • The Controller no longer needs the personal data for the original processing purpose, but the data are required by you for the establishment, exercise, or defense of legal claims.
  • You have objected to processing in accordance with Article 21(1) GDPR, pending verification whether the legitimate interests of the Controller override yours.

If at least one of the aforementioned conditions is met and you wish to request the restriction of the processing of personal data stored by SWD Anja Kreutel, you may contact the Controller at any time. I will promptly restrict processing as requested.

8.5 Right to data portability

You have the right to receive the personal data concerning you which was provided to a Controller, in a structured, commonly used and machine-readable format. They have the right to transfer those data to another Controller without hindrance from the Controller to which the personal data have been provided, as long as the processing is based on consent pursuant Article 6(1) lit. a GDPR or Article 9(2) lit. a GDPR, or on a contract pursuant to Article 6(1) lit. b GDPR, and the processing is carried out by automated means.
Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) GDPR, you have the right to have personal data transmitted directly from one Controller to another where technically feasible and if doing so does not adversely affect the rights and freedoms of others.
In order to assert the right to data portability, you may contact the Controller at any time.

8.6 Right to object

You have the right to object at any time to the processing of personal data concerning you based on Article 6(1) lit. e GDPR or Article 6(1) lit. f GDPR, on grounds relating to your particular situation. This also applies to profiling based on these provisions.
SWD Anja Kreutel shall no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms, or processing is necessary for the establishment, exercise, or defense of legal claims.
If SWD Anja Kreutel processes personal data for direct marketing purposes, you have the right to object to such use of your personal data at any time. This also applies to profiling where it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, SWD Anja Kreutel will no longer process the personal data for these purposes.
In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you by SWD Anja Kreutel for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, you may contact the Controller at any time.

8.7 Automated decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
I do not use any form of automated decision-making or profiling.

8.8 Right to withdraw data protection consent

You have the right to withdraw your consent to the processing of your personal data at any time.
If you wish to exercise the right to withdraw consent, you may contact the Controller at any time.

8.9 Right to complain to regulatory authorities

You have the right to make a complaint to the relevant regulatory authorities, especially in your country of residence, the country where you work, or the country where the potential infraction took place, if you believe that your data are being processed illegally.

9 Transmission of data to third parties or to non-EU countries

I generally only use your personal data within my business.
If and where I have to involve third parties in order to fulfill contractual obligations (e.g. shipping providers), they only receive the minimum data required for their involvement.
If I have to outsource parts of data processing (“processing on behalf”), I contractually oblige the Processors to use personal data only in accordance with legal data protection requirements and ensure proper protection of the rights of the data subjects.
Should I have to process data in a third country (i.e. outside the European Union or the European Economic Area) or should that be necessary in order to use third-party services or disclose/transmit data to a third party, I will only do so in order to fulfill my (pre-)contractual obligations, or with your explicit consent, or to comply with a legal stipulation, or if necessary to pursue my legitimate business interests. Precluding any legal or contractual permission, I will only process personal data or have it processed in a third country if the special conditions in Art. 44 ff. GDPR are met, i.e. processing is based on special guarantees, such as an officially recognized data protection level matching EU standards (e.g. “Privacy Shield” for the US) or the observance of officially recognized specific contractual obligations (“standard clauses”).