Privacy Policy

This Privacy Policy is intended to inform you about the data protection-related features of our website. It explains what data we collect and how it is used, and informs you of your rights.


1. General Information

Data transmission over the Internet may occasionally be subject to security vulnerabilities, so absolute protection cannot be guaranteed. You may therefore choose to submit your data by other means, such as by phone.

SSL Encryption

Our website uses SSL encryption. This is a system designed to protect data transmission; as a result, third parties are generally unable to read the data. You can recognize an encrypted connection by the small padlock displayed in your browser’s address bar and the change from “http” to “https.”

Collection of General Data and Information

Every time you visit our site, a range of general data and information is automatically collected. This data is stored in the server’s log files. The following information may be collected:

  • The type and version of the browser used by the accessing system, which is typically your computer
  • The operating system used
  • The referrer, i.e., the website from which you or the accessing system arrived at our website
  • The subpages accessed on our website via the accessing system
  • Date and time of access to our site
  • IP address (Internet Protocol address)
  • The Internet service provider of the accessing system
  • Other similar data and information used for security purposes in the event of attacks on our systems

This data is collected anonymously. We do not draw any conclusions about the data subject based on this data. Information about the applications and features used on our site that are relevant to data protection can be found in the section “Information about the applications on our site”.

2. Definitions

To help you better understand the privacy policy below, we’d like to start by defining a few terms that we consider important:

GDPR stands for General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of April 27, 2017).

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting their future processing.

A controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether or not that body is a third party. However, public authorities that may receive personal data in the course of a specific inquiry under Union law or the law of the Member States are not considered recipients.

A third party is a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.

Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

A third country is any state that is neither a member of the European Union nor of the European Economic Area.

3. Information pursuant to Article 13 of the GDPR

Name and address of the controller within the meaning of the GDPR

Schnick-Schnack-Systems GmbH
Mathias-Brüggen-Straße 79
50829 Cologne, Germany
Phone: +49 221/99 20 19-0
Fax: +49 221/16 85 09-73
Email: info@schnickschnacksystems.com

Categories of data subjects and types of data processed

Visitors and users of our website or our online services.
The following types of data are processed:

  • Contact data (e.g., email, phone numbers), if provided
  • Content data (e.g., text entries), if entered
  • Usage data (e.g., access times, pages visited)
  • Meta/communication data (e.g., device information, IP addresses)

Purpose and Legal Basis of Processing

Processing is carried out for the following purposes:

Unless the legal basis is specified in the Privacy Policy, particularly in the section “Information about the applications on our site,” the following applies:

  • The legal basis for obtaining your consent is Art. 6(1)(a) GDPR
  • The legal basis for processing to fulfill our services and carry out contractual and pre-contractual measures, as well as to respond to inquiries, is Art. 6(1)(b) GDPR
  • The legal basis for processing to fulfill our legal obligations is Art. 6(1)(c) GDPR
  • The legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR

Deletion and Blocking of Personal Data

We process and store personal data only for the period necessary to achieve the purpose of storage or, if required by law or regulation, for the period specified therein. If the purpose of storage no longer applies or the legally prescribed retention period expires, the personal data is routinely deleted in accordance with legal requirements.

Data Processors

If we transfer data to other individuals or companies or otherwise grant them access to the data, we do so only on the basis of legal authorization. If we engage third parties to process data under a so-called “data processing agreement,” this is done in accordance with Article 28 of the GDPR.

Transfers to Third Countries

If we process data in a third country or if this occurs in connection with the use of third-party services, this is done only to the extent permitted by law. If we process data in a third country or have it processed by third parties (data processing), this is done in accordance with Article 44 et seq. of the GDPR. If the applications we have implemented on this website transfer data to third countries, this is noted accordingly in the relevant section.

Your rights as a data subject:

Right of access (Art. 15 GDPR)

You have the right to request information from us regarding whether we process your personal data and, if so, you also have the right to request information regarding the following:

  • the purposes of the processing
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • where possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria used to determine this duration
  • the existence of a right to rectification or erasure of the personal data concerning you, or to restriction of processing by the controller, or a right to object to such processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • if the personal data are not collected from the data subject: any available information regarding the origin of the data
  • the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR; and—at least in such cases—meaningful information regarding the logic involved, as well as the scope and intended consequences of such processing for the data subject

If your personal data is transferred to a third country or to an international organization, you also have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer. In response to your request for access, we will provide you with a copy of the personal data being processed in accordance with Article 15(3) of the GDPR. We may charge a reasonable fee for each additional copy. If you submit the request electronically, we will provide the data in an electronic format unless you specify otherwise.

Right to Rectification (Art. 16 GDPR)

You have the right to request that we rectify any inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purpose of the processing.

Right to erasure (so-called “right to be forgotten”; Art. 17 GDPR)

You have the right to request that we erase your personal data if the following applies and provided that the processing of the personal data is not necessary:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You have withdrawn your consent on which the processing is based, and there is no other legal basis for the processing.
  • You object to the processing pursuant to Art. 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
  • The personal data has been processed unlawfully.
  • The erasure of the personal data is necessary for compliance with a legal obligation under Union law or the law of the Member States to which we are subject.
  • The personal data was collected by us in connection with services offered pursuant to Article 8(1) of the GDPR.

If we have made the personal data public and, as the controller, are required under Article 17(1) of the GDPR to erase the personal data, we will take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform other controllers processing the published personal data that you have requested from these other data controllers the deletion of all links to this personal data or of copies or replicas of this personal data, insofar as the processing is not necessary.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request that we restrict processing if one of the following conditions is met:

  • You dispute the accuracy of the personal data, for a period that allows us to verify the accuracy of the personal data.
  • The processing is unlawful, and you object to the erasure of the personal data and instead request the restriction of its use.
  • We no longer need the personal data for the purposes of processing, but you need it to assert, exercise, or defend legal claims.
  • You have objected to the processing pursuant to Art. 21(1) GDPR, and it has not yet been determined whether our legitimate grounds override your legitimate grounds.

If the processing of your personal data has been restricted in accordance with the above conditions, we may process it—apart from storage—only with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State. We will notify you before any restriction is lifted.

Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR (processing in the public interest or to safeguard a legitimate interest); this also applies to profiling based on these provisions. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. If personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Right to Withdraw Consent (Art. 7(3) GDPR)

If you have given us consent to process your personal data, you have the right to withdraw this consent at any time without providing a reason. The lawfulness of the data processing carried out prior to the withdrawal remains unaffected by the withdrawal.

Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract between you and us, or is authorized by Union or Member State law to which we are subject, and such laws provide for appropriate measures to safeguard your rights and freedoms as well as legitimate interests, or is based on your explicit consent. If the decision is necessary for the conclusion or performance of a contract between you and us or is made with your explicit consent, we will take appropriate data protection measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to request our intervention, to present your point of view, and to challenge the decision.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means.
You have the right to have us transmit the data directly to another controller, provided this is technically feasible and does not infringe upon the rights and freedoms of others.

Right to lodge a complaint (Art. 77 GDPR)

Irrespective of other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority if you believe that we are processing your personal data in violation of the GDPR. The supervisory authority may, in particular, be the one in the Member State of your residence, your workplace, or the place of the alleged infringement. An overview of German supervisory authorities can be found, for example, on the website of the Federal Commissioner for Data Protection.

4. Information about the applications on our website

Security plugin

A plugin designed to defend against malicious attacks (Wordfence) is installed on our website; this plugin stores IP addresses. The provider is Defiant Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA (hereinafter “Wordfence”).
The use of the plugin is justified by the legitimate interest pursuant to Art. 6(1)(f) GDPR to protect our online presence from unauthorized access; this simultaneously protects the user from suffering harm themselves following an attack on our site.
Wordfence also processes data in the USA; standard contractual clauses are in place for this purpose.

Cookie Consent Tool – Borlabs Cookie

To save your cookie consent and allow you to manage your consent settings, we use Borlabs Cookie, which sets a technically necessary cookie (borlabs-cookie). However, Borlabs Cookie does not process any personal data. The cookie set by Borlabs stores the consent you provided when you first visited the website. If you wish to revoke these consents, simply delete the cookie in your browser. When you re-enter or reload the website, you will be asked again for your cookie consent. Borlabs is a service provided by Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg.

Contact form and emails to us

The data you enter in the contact form is processed to handle your inquiry; we do not share this data with third parties and delete it once it is no longer needed.
The processing of data entered into the contact form is based on our legitimate interest (Art. 6(1)(f) GDPR) and for the purpose of taking steps prior to entering into a contract (Art. 6(1)(b) GDPR). Our legitimate interest lies in responding to your inquiry and addressing your request. The foregoing applies accordingly to emails you send to us at the email address provided on our website, as well as to any personal data contained therein.

Contacting us by phone

If you contact us by phone using one of the numbers listed on our website, your phone number will be displayed in full on our devices, provided you have caller ID enabled. It is also stored in our telephone system as an incoming call along with the call duration; the stored data is accessible only to a small, designated group of individuals and is regularly deleted. Storage is based on legitimate interest (Article 6(1)(f) GDPR), which serves to review the cost-effectiveness of our communication structure.

Backup and security tool UpdraftPlus

On our website, we use UpdraftPlus, a backup and security system provided by Updraft WP Software Ltd., 11 Barringer Way, St. Neots, PE19 1LW, Cambridgeshire, United Kingdom.
The legal basis for this use is the legitimate interest in protecting our website from malicious attacks and ensuring its recoverability. Based on the European Commission’s adequacy decision pursuant to Article 45 of the GDPR regarding data transfers to the United Kingdom—which determines that the United Kingdom offers an adequate level of protection compared to the GDPR—the use of this tool is permitted. Further information on data processing by Updraft can be found in the Privacy Policy at https://updraftplus.com/data-protection-and-privacy-centre/.

HubSpot

We use the services of HubSpot, a digital marketing tool, on our website. The service provider is HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA, USA. Our use of HubSpot services is based on our legitimate interest in targeted, efficient digital marketing and the use of appropriate tools. When using these applications, data is also transferred to the United States. This is permitted under the agreement between the EU and the US, the EU-US Data Privacy Framework. HubSpot is certified accordingly. HubSpot also has standard contractual clauses in accordance with Article 46(2) and (3) of the GDPR, which also include the necessary provisions regarding data processing. Both the Data Privacy Framework and the Standard Contractual Clauses (https://legal.hubspot.com/dpa) ensure that your data complies with European data protection standards, even when processed in third countries. Information on HubSpot’s own data protection practices can be found at https://legal.hubspot.com/privacy-policy.

Newsletter

We use HubSpot to send our newsletter. In this regard, please refer to the information provided regarding HubSpot. You may revoke your consent to the storage of your data and its use for sending the newsletter at any time, e.g., via the unsubscribe link in the newsletter.

WooCommerce as a Plugin

We use the WooCommerce shop system on our website. It is a plugin based on the WordPress content management system and is provided by Automattic Inc. (60 29th Street #343, San Francisco, CA 94110, USA).
We use WooCommerce to present our products and prices on our website in the best possible way and to enable you to order samples. No payment service is integrated. Data that you enter in our online shop may be processed, in particular stored, by Automattic. This typically includes your email address, name, and address. Automattic stores your IP address, browser information, language settings, and the date and time of your visit in server logs. We use WooCommerce based on legitimate interest (Article 6(1)(f) of the GDPR), which is to provide a user-friendly and easy-to-use online shop solution that interacts optimally with WordPress from a technical standpoint.
Automattic also processes data in the United States, among other places. Automattic is certified under the Data Privacy Framework and thus guarantees a level of data protection equivalent to that in the EU. In addition, Automattic has adopted the standard contractual clauses under Article 46 of the GDPR, thereby ensuring an adequate level of data protection as well as the legal basis for data processing.

Social Media

We maintain publicly accessible profiles on Facebook, Instagram, Xing, and LinkedIn. However, no data is transferred from our website to these platforms, as the integration is done via a link to the respective social media sites.
Nevertheless, we would like to point out that social networks generally analyze your user behavior extensively. Thus, visiting our social media pages triggers numerous data processing operations relevant to data protection. If you are logged into your social media account and visit our presence there, the operator can associate this visit with your user account. However, your personal data may also be processed even if you are not logged in or do not have an account on the respective platform—in such cases, data may be collected, for example, via cookies stored on your device or by recording your IP address.

Various Google Services

Legal Basis for Data Processing in Connection with Google Services

The legal basis is specified for each respective application.
To the extent that the relevant application sets cookies, your consent (Art. 6(1)(a) GDPR) serves as the legal basis, provided you have given it via the Cookie Consent Tool. Additionally, data processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR, which is further detailed for the respective application.
When using Google tools, data is generally transferred by Google to the United States, a third country within the meaning of the GDPR. This is permitted under the agreements between the EU and the United States, the EU-US Data Privacy Framework. Google is certified accordingly. Google also has standard contractual clauses in accordance with Article 46(2) and (3) of the GDPR. Both the Data Privacy Framework and the standard contractual clauses ensure that your data complies with European data protection standards, even when processed in third countries. You can find Google’s own privacy policy at https://policies.google.com/privacy?hl=en.

Google Analytics

We use the analytics tool Google Analytics on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google Analytics). The tool uses cookies stored on your computer for tracking purposes. When you visit our website, personal data such as your IP address and your user behavior are transmitted to Google Ireland Limited. This allows us to analyze website usage and the browsing behavior of site visitors. We use this service to optimize our online offering and to detect whether third parties are attacking our website. The legal basis for this processing is our legitimate interest.
With the help of this information, we can take effective measures that also serve to protect your data. Google stores the data relevant for web tracking in an anonymized form for as long as necessary to fulfill the booked web service.
You can prevent the processing of your personal data or its transmission to Google by disabling script execution in your browser or by enabling the “Do Not Track” setting. You can also prevent Google from collecting and processing your data by downloading and installing the following browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=en

Google reCAPTCHA

We use Google’s reCAPTCHA tool to prevent abuse and spam through form submissions.
reCAPTCHA is a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
reCAPTCHA is used to verify whether an entry is made by a human or by an automated system. To ensure that the entry is made by a human and not by an automated bot, the IP address of the device used, the browser used, the data regarding the website visit or the entry, and the operating system are transmitted to Google. This may also involve a transfer to Google’s servers in the United States. The use of reCAPTCHA on our website serves our legitimate interest in preventing spam and malicious attacks on our site.

Google Tag Manager

We use the Google Tag Manager service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, on our website.
This service allows us to centrally manage other web tools and tracking programs using “tags.” To do this, cookies are stored on your computer and analyzed. The data is processed by Google Tag Manager, specifically aggregated and stored. When you use our website, provided you have consented in the cookie consent banner, data such as your IP address and user activities are transmitted to Google. IP anonymization in the source code ensures that the IP address is anonymized by Google Tag Manager prior to transmission. Tag Manager allows metrics from various service providers (Google and third-party providers) to be linked and evaluated based on so-called tag management.
The use of this tool is in our legitimate interest to aggregate and track web activities in order to tailor our activities, particularly marketing activities, to specific goals.

Google Fonts

Our website uses Google Fonts from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to display fonts.
Google Fonts are so-called web fonts. These are provided by Google. They are stored locally on our own servers, so no data is transferred to Google.

Data Protection for Job Applications

If you submit application documents to us via our website or by email, we process the personal data for the purpose of handling the application process. If no employment contract is concluded between you and us, we will delete the application documents six months after notifying you of the rejection, provided that no other legitimate interests prevent such deletion. One such legitimate interest is, for example, the burden of proof in proceedings under the General Equal Treatment Act (AGG). If an employment contract is concluded, we process the personal data for the purpose of carrying out the employment relationship; you will then be informed separately again upon conclusion of the contract in accordance with Art. 13 GDPR.