Bluelight GmbH Data Privacy Statement

I. Controller’s name and address

Under the General Data Protection Regulation and other national data protection laws in the Member States as well as other data protection regulations, the controller is:

Bluelight GmbH
Motorstraße 25
70499 Stuttgart
Germany
Tel.: +49 (0) 711-887724200
email: info@bluelight-gmbh.de
Website: wwwbluelight-gmbh.de

 

II. General information on data processing

1. Scope of processing of personal data

We only ever process our users' personal data where this is necessary for providing a functioning website and for our contents and services. As a rule our users' personal data are only processed with their consent. Exceptionally this is not the case if it is not possible to obtain prior consent for material reasons and the processing of such data is permitted by law.

2. Legal basis for the processing of personal data

The processing of personal data is lawful in accordance with Article 6(1) a) of the EU General Data Protection Regulation (GDPR) if we have obtained the data subject’s consent.
The processing necessary for the performance of a contract to which the data subject is a contracting party is lawful in accordance with Article 6(1) b) of the GDPR. This also applies to processing which is necessary prior to entering into a contract.
The processing of personal data necessary for compliance with a legal obligation to which our company is subject is lawful in accordance with Article 6(1) c) GDPR.
The legal basis for processing which is necessary in order to protect the vital interests of the data subject or of another natural person is Article 6(1) d) GDPR.
Processing which is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, is lawful in accordance with Article 6(1) f) GDPR.

3. Erasure of data and period of storage

The data subject's personal data will be erased or made unavailable as soon as the reasons for which they have been stored no longer apply. Personal data may also be stored if required by European or national laws, European Union regulations, laws or other legal provisions to which the controller is subject. Data are also erased or made unavailable if a period of storage stipulated in the stated norms expires, unless the data must continue to be stored for the purpose of entering or fulfilling a contract.

 

III. Provision of the website and generation of log files

1. Description and scope of data processing

Our system automatically retrieves data and information from the requesting computer system every time our website is visited.
The following data are then collected:

          (1) Information about the type and version of browser used
          (2) The user’s operating system
          (3) The user’s internet service provider
          (4) The user’s IP address
          (5) The date and time of access
          (6) Websites from which the user’s system accessed our website
          (7) Websites which are accessed by the user’s system via our website.

These data are also stored in the log files. These data are not stored together with the user’s other personal data.

2. Lawfulness of data processing

The legal basis for the temporary storage of data and log files is Article 6(1) f) GDPR.

3. Purposes of data processing

The system must temporarily store the IP address to enable the website to be sent to the user’s computer. This requires that the user’s IP address is stored for the duration of the session.

Storage in log files occurs to ensure the functionality of the website. The data are also used to optimise the website and to ensure the security of our information technology systems. The data are not assessed for marketing purposes in this connection.

We also have a legitimate interest in accordance with Article 6(1) f GDPR for these purposes.

4. Period of storage

The data are erased as soon as they are no longer required to achieve the specific purpose for which they have been collected. In the case in which data are collected for the purpose of providing the website this is the case when the session has come to an end.

In the case in which the data are stored in log files this is the case after 30 days.

5. Right to object and right to removal

It is absolutely essential for the purposes of operating the website that the data that are required for provision of the website are collected and stored in log files. The user cannot therefore object.

 

IV. Use of cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files which are stored in the internet browser or on the user’s computer system by the internet browser. A cookie may be stored on the user’s operating system when a website is accessed. These cookies contain a string of characters which unequivocally identify the browser the next time it accesses the website.

We use cookies to make our website more user-friendly. Some of the elements on our website require that the retrieving browser can also be identified after it has moved to another page.

The cookies store and transmit the following data:

          (1) Language settings
          (2) Article in a shopping basket
          (3) Log-in information

We also use cookies on our website which enable the user’s surfing behaviour to be analysed.

In this way the following data can be transmitted:

          (1) Search terms entered
          (2) Frequency with which pages are requested
          (3) Use of website functions

Technical precautions are taken to pseudonymise the user data collected. This means that the data can no longer be attributed to the requesting user. The data are not stored with the user’s personal data.

When our website is visited users see a banner with information about how cookies are used for analysis purposes and which refers to this Data Privacy Statement. In this respect a reference is also made to ways in which browser settings can be changed to prevent the storage of cookies.

b) Lawfulness of data processing

The legal basis for the processing of personal data with the use of cookies is Article 6(1) f) GDPR.

c) Purposes of data processing

Technically essential cookies are used to make the website easier for users to use. Some of the functions on our website can only be offered in conjunction with the use of cookies. These functions require that the browser is recognised again when it switches to a new page.

The user data collected by technically essential cookies are not used to create user profiles.

Analysis cookies are used with the aim of improving the quality of our website and its contents. The analysis cookies inform us about how the website is used and can in this way continuously improve our offer.

We also have a legitimate interest in these purposes in accordance with Article 6(1) f GDPR.

d) Period of storage, rejection and removal options

Cookies are stored on the user’s computer and then sent to our website. This means that you, the user, have complete control of the way in which cookies are used. You can also change your browser settings to disable or restrict the transmission of cookies. Cookies which have already been stored can be erased again at any time. This can be done automatically. If you disable cookies for our website, you may no longer be able to use all the website functions in full.

 

V. Techniques for the operation of websites

Data privacy statement with the use of Facebook and LinkedIn

Our website includes links to the external social networks Facebook and LinkedIn. These sites are operated exclusively by Facebook and LinkedIn.

These links are identified on our website by the Facebook and LinkedIn logos or with the “Like” button (no Facebook or LinkedIn plugins are used).

If these links are clicked, your browser establishes a direct connection with the Facebook or LinkedIn servers. By clicking on these buttons you grant your consent.

If you follow the links during your visit to our website while you are logged in to your personal Facebook or LinkedIn user accounts, the information that you have visited our website is passed on to Facebook or LinkedIn. The visit to the website can then be assigned to your account by Facebook or LinkedIn.

This information is sent to and stored by Facebook or LinkedIn. If you wish to prevent this, you must log out of your Facebook or LinkedIn account before you click the link. The assigned Facebook or LinkedIn functions, including but not limited to the transfer of information and user data, are not activated simply by visiting our website but only after the corresponding links have been clicked.

The purpose and scope of data collection by Facebook and LinkedIn and further processing and use of the data by both as well as your rights and settings options for the protection of your privacy are detailed in the Facebook or LinkedIn data privacy policies.

 

VI. email contact / Online shop

1. Description and scope of data processing

Our email address is provided on our website. Any personal data the users sends with his or her email will be stored.

No data are passed on to third parties in this connection. The data are used solely to process the conversation.

We store the following data on our online shop:

          (1) Family name, first name
          (2) Address
          (3) Company name
          (4) Phone number
          (5) email:
          (6) Tax number
          (7) IP address for purchase order
          (8) Last login/logout

2. Lawfulness of data processing

The legal basis for the processing of data is the user’s consent in accordance with Article 6(1) a) GDPR.

The legal basis for the processing of data sent with the transmission of an email is Article 6(1) f GDPR. If contact is made by email for the purpose of entering a contract, a further legal basis for the processing is Article 6(1) b GDPR.

The legal basis for the processing of data arising from the collection of data in the online shop is Article 6(1) b GDPR.

3. Purposes of data processing

We use the processing of the personal data from the input screen solely to process the contact approach. The legitimate interest which is necessary for the processing of data exists if contact is made by email.
Other personal data processed during the transmission operation are used to prevent the contact form from being misused and to secure the safety of our information technology systems.
Personal data are processed on the online shop for the purpose of performing the purchase agreement.

4. Period of storage

The data are erased as soon as they are no longer required to achieve the specific purpose for which they have been collected. The data entered in the input screen for the contact form and data sent by email are no longer required as soon as the conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the issue in question has been conclusively clarified.

Other personal data collected during transmission are erased after a period of seven days at the latest.

The data relating to the purchase agreement with the online shop are stored in compliance with statutory retention periods.

5. Right to object and right to removal

The user is able at any time to withdraw his or her consent to his or her personal data being processed. The user can email us at any time to object to the storage of his or her personal data. In this case the conversation cannot be continued.

All personal data stored in the course of making contact are in this case erased.

This objection period does not apply to data which are required for the purpose of implementing the purchase agreement and which are subject to statutory retention periods.

VII. Rights of the data subject

If your personal data is processed you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information

You can ask the controller to confirm whether or not we process your personal data.

If we do process your personal data, you have the right to be provided with the following information by the controller:

(1) the purposes for which personal data are processed;

(2) the categories of personal data which are processed;

(3) the recipients and/or the categories of current or future recipients of your personal data;

(4) the period for which it is planned that your personal data will be stored or, if no specific data are available in this respect, criteria for the stipulation of such period;

(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) all available information about the origin of data if the personal data are not collected from the data subject;

(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to ask for information about whether the relevant personal data are transferred to an international organisation or third country. In this connection you have the right to demand information about the suitable guarantees in accordance with Article 46 GDPR in connection with such transfer.

2. Right to rectification

You have a right to require that the controller rectify and/or complete any of your personal data which are incorrect or incomplete. The controller must rectify incorrect data immediately.

3. Right to restriction of processing

In the following circumstances you have the right to demand that the processing of your personal data is restricted:

(1) if you dispute the accuracy of the personal data relating to you for long enough for the controller to verify whether or not the personal data are correct;

(2) the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;

(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or

(4) you have objected to processing pursuant to Article 21(1) GDPR pending verification of whether the legitimate grounds cited by the controller override the grounds cited by you.

If the processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

You will be informed that processing has been restricted in compliance with the above requirements before such restriction is lifted.

4. Right to erasure

a) Obligation to erase data

You have the right to obtain from the controller the immediate erasure of your personal data and the controller is then obliged to erase this personal data immediately where one of the following grounds applies:

(1) Your personal data are no longer required for the purposes for which they were collected or otherwise processed.

(2) You withdraw the consent on which the processing is based in accordance with Article 6(1) a) or Article 9(2) a) GDPR and there are no other legal grounds for the processing.

(3) You object to processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Article 21(2) GDPR.

(4) Your personal data have been unlawfully processed.

(5) Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

(6) Your personal data have been collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.

b) Information to third parties

Where the controller has made your personal data public and is obliged in accordance with Article 17(1) GDPR to erase the personal data, the controller must take reasonable steps, taking account of available technology and the cost of implementation, including technical measures to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of such personal data.

c) Exemptions

There is no right to erasure if the processing is necessary

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for reasons of public interest in the area of public health in accordance with Article 9(2) h) and i) as well as Article 9(3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5) for the establishment, exercise or defence of legal claims.

5. Right to be informed

If you have asserted your right to rectification, erasure or restriction of processing to the controller, the controller must communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided

(1) the processing is based on consent in accordance with Article 6(1) a) GDPR or Article 9(2) a) GDPR or a contract in accordance with Article 6(1) b) GDPR and

(2) the processing is carried out by automated means.

In exercising this right you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This right must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection

You have the right to object at any time, based on grounds relating to your particular situation, to the processing of your personal data in accordance with Article 6(1) e) GDPR; this also applies to any profiling based on these provisions.

The controller may then no longer process the personal data relating to you unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or demonstrates that the data must be processed for the establishment, exercise or defence of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing purposes; this also includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of any processing conducted on the basis of the consent up to the point of withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for entering into or performing a contract between you and the controller;

(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) has been made with your explicit consent.

However, such decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR unless Article 9(2) a) or g) GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.

In the cases referred to in (1) and (3), the controller must implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to appeal to a supervisory authority

Regardless of another legal remedy under administrative law or through the courts, you have the right to appeal to a supervisory authority, in particular in the Member State of your place of residence, your workplace or the place of the suspected infringement if you are of the opinion that the processing of the personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.