PRIVACY POLICY

1. Name and contact details of the data controller 

 

This data protection information applies to data processing by:

Responsible Person:

Jessica and Nisha Stockmann

Harvestehuder Weg 7

20148 Hamburg

office@stockmann3.com

For further information about us, please refer to the imprint on our homepage https://stockmann3.com/legalnotice

 

2. General definitions

 

In accordance with the model of Art. 4 GDPR, this privacy policy is based on the following definitions:

  • "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
  • "Processing" (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.
  • "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data; this also includes other legal entities belonging to the group.
  • "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
  • "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

3. Legal bases for data processing

 

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:

  • Art. 6 para. 1 sentence 1 lit. a GDPR ("consent"): If the data subject has voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that they consent to the processing of their personal data for one or more specific purposes;
  • Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to retain data);
  • Art. 6 para. 1 sentence 1 lit. d GDPR: If processing is necessary in order to protect the vital interests of the data subject or another natural person;
  • Art. 6 para. 1 sentence 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
  • Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate interests"): If the processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject (in particular where the data subject is a minor).

The storage of information in the end user's terminal equipment or access to information that is already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:

  • § 25 para. 1 TDDDG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
  • § 25 para. 2 no. 1 TDDDG: If the sole purpose is the transmission of a message via a public telecommunications network or
  • § 25 para. 2 no. 2 TDDDG: If the storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.

For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing can also be based on several legal bases.

 

4. Duration of data storage and data deletion

 

For the processing operations carried out by us, we indicate below how long the data is stored by us and when it is deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. Your data will only be stored on our servers in Germany, subject to any disclosure in accordance with the provisions of sections 8 and 9.

However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings or if storage is provided for by statutory provisions to which we are subject as the controller (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

 

5. Collection and storage of personal data and the nature and purpose of their use

 

a) When visiting the website

When you visit our website https://www.stockmann3.com/ , the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:

  • IP address of the requesting computer, without the possibility of personal reference
  • Date and time of access,
  • Name and URL of the retrieved file,
  • Website from which the access is made (referrer URL),
  • the browser used and, if applicable, the operating system of your computer and the name of your access provider.
  • Amount of data transferred
  • Message as to whether the call was successful (access status/http status code)
  • GMT time zone difference

We process the aforementioned data for the following purposes:

  • Ensuring a smooth connection to the website,
  • To ensure a comfortable use of our website,
  • Evaluation of system security and stability and
  • for further administrative purposes.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. a GDPR (consent) or Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest). Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person. 

We also use cookies when you visit our website. You can find more detailed explanations on this in section 6 of this privacy policy and in our cookie policy www.stockmann3.com

b) When using our contact form

For questions of any kind, we offer you the opportunity to contact us via a form provided on the website. It is necessary to provide a valid e-mail address and your name so that we know who sent the enquiry and can answer it. Further information can be provided voluntarily.

Data processing for the purpose of contacting us is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of your voluntarily given consent.

The personal data collected by us for the use of the contact form will be automatically deleted after your enquiry has been dealt with.

c) Other

If the processing of the data requires the storage of information in your terminal equipment or access to information that is already stored in the terminal equipment, Section 25 para. 1, para. 2 TDDDG is the legal basis for this.

 

6. Cookies

 

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by means of a characteristic character string and through which certain information flows to the location that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the website more user-friendly and effective overall, i.e. more pleasant for you.

Cookies can contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user. 

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, a distinction is made between cookies:

  • Technical cookies: These are strictly necessary to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited;
  • Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur when using the website; they do not collect any information that could identify you - all information collected is anonymous and is only used to improve our website and to find out what interests our users;
  • Advertising cookies, targeting cookies: These are used to offer the website user customized advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
  • Sharing cookies: These are used to improve the interactivity of the website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is § 25 para. 2 no. 2 TDDDG. Any use of cookies that is not absolutely technically necessary for this purpose constitutes data processing that is only permitted with your express and active consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 sentence 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent to this in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

The data processed by cookies are necessary for the purposes mentioned to protect our legitimate interests and those of third parties in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.

For more information about which cookies we use and how you can manage your cookie settings and disable certain types of tracking, please see our cookie policy www.stockmann3.com.

 

7. Integration of Google Maps

 

This website uses the map service of Google Maps. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If you use the Google Maps function, personal data will also be collected. By using the "Directions" function, you consent to the collection, processing and use of the automatically collected data and any additional data entered by you by Google or one of its representatives. To use the Google Maps functions, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. In these cases, the provider has, according to its own information, imposed a standard that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws when transferring data internationally. You have the option of objecting to this use by deactivating the JavaScript function in your browser. Please note, however, that in this case you will no longer be able to use the map display.

The use of Google Maps is in the interest of making it easy to find the locations specified by us on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR. Nevertheless, we obtain your prior consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

The terms of use and privacy policy for Google Maps can be found at www.google.com/intl/de_de/help/terms_maps.html and https://policies.google.com/privacy?hl=de&gl=de

 

8. Cooperation with processors

 

As with any large company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.

We work together with the following service provider:

Ionos SE, Elgendorfer Str. 57, 56410 Montabaur, www.ionos.de

 

9. Requirements for the transfer of personal data to third countries

 

As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer at the relevant points below.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en ). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en ), certificates or recognized codes of conduct. 

 

10. Integration of social media components and plugins

 

We use social plug-ins from the social networks Instagram and LinkedIn on our website on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR in order to make us better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for data protection-compliant operation must be guaranteed by their respective providers. 

a) Instagram

Our website also uses social plugins ("plugins") from Instagram, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Instagram"). The plugins are labelled with an Instagram logo, for example in the form of an "Instagram camera".

When you access a page on our website that contains such a plugin, your browser establishes a direct connection to Instagram's servers. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has accessed the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information (including your IP address) is transmitted from your browser directly to an Instagram server in the USA and stored there. The data transfer to the USA is based on the standard contractual clauses of the EU Commission, which can be viewed at https://www.facebook.com/legal/EU_data_transfer_addendum , https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381 . If you are logged in to Instagram, Instagram can directly associate your visit to our website with your Instagram account. If you interact with the plugins, for example by clicking the "Instagram" button, this information is also transmitted directly to an Instagram server and stored there. The information is also published on your Instagram account and displayed to your contacts there.

If you do not want Instagram to assign the data collected via our website directly to your Instagram account, you must log out of Instagram before visiting our website.

You can find further information on the handling of your data at https://help.instagram.com/155833707900388 and https://privacycenter.instagram.com/policy/  

b) LinkedIn

We have also integrated components of the website www.linkedin.com on our website. LinkedIn is operated outside the USA by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter: "LinkedIn"). LinkedIn is a social network especially for business contacts.

You can recognize the LinkedIn plugins by the buttons with the LinkedIn logo or by the designation "in". This is an offer from LinkedIn.

By accessing pages of this website on which LinkedIn plugins have been integrated, your browser establishes a direct connection with the LinkedIn servers. The content of the plugin is transmitted by LinkedIn directly to your browser, which integrates it into the website. By integrating the plugins, LinkedIn receives the information that your browser has accessed the corresponding page of our website.

If you are logged in to LinkedIn with your own profile, LinkedIn can assign your visit to our website, the subpages you visit and the duration of your visit directly to your LinkedIn account. This takes place regardless of whether you use a LinkedIn button. If you interact with the plugins, for example by clicking the "Share" button, the corresponding information is also transmitted directly to a LinkedIn server and stored there. Depending on your settings, the information may also be published on linkedin.com and displayed to your contacts. The data transfer to the USA is based on the standard contractual clauses of the EU Commission, which can be viewed at https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs .

If you do not want LinkedIn to associate the data collected via our website with your LinkedIn account, you must log out of LinkedIn before visiting our website. The applicable data protection provisions of LinkedIn, including the option of deactivating cookies from LinkedIn, can be found in LinkedIn's privacy policy, available at https://www.linkedin.com/legal/privacy-policy?  

LinkedIn also uses advertising cookies. You can find out how to deactivate these at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .

 

11. Further links on the website

 

You will also find links to the following offers on our website:

  • Spotify

https://www.spotify.com/de/legal/privacy-policy/

  • Apple Podcast

https://www.apple.com/de/legal/privacy/data/de/apple-podcasts/

  • YouTube

https://policies.google.com/privacy and  https://www.youtube.com/intl/ALL_de/howyoutubeworks/user-settings/privacy/  

  • Podigee.com

https://www.podigee.com/de/ueber-uns/datenschutz/ 

With regard to the use of these links by you, the operators listed above are responsible for data processing. The corresponding data protection notices can be found in the links.

 

12. No automated decision-making (including profiling)

 

We do not intend to use personal data collected from you for automated decision-making (including profiling).

 

13. Rights of data subjects

 

You have the right:

  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
  • to demand the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;
  • in accordance with Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. The consequence of this is that we may no longer continue the data processing that was based on this consent in the future and
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.

Responsible data protection supervisory authority:

The Hamburg Commissioner for Data Protection and Freedom of Information

Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany

Telephone: (040) 428 54 - 4040 (Hamburg Telephone Service)

E-mail: mailbox@datenschutz.hamburg.de

Link to the homepage https://datenschutz-hamburg.de/

 

14. Right of objection

 

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.

If you wish to exercise your right of cancellation or objection, simply send an e-mail to office@stockmann3.com

 

15. Data security

 

We use the widespread SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser when you visit our website. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can recognize whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

 

16. Topicality and amendment of this privacy policy

 

This privacy policy is currently valid and was last updated in September 2024. Due to the further development of our website or due to changes in legal or official requirements, it may become necessary to amend this privacy policy. The current privacy policy can be viewed at any time on the website at www.stockmann3.com/privacypolicy and printed out at any time. 
