Data Privacy Statement
Contents
- General Information
- Purpose and Responsibility
- Legal Bases
- Rights of Data Subjects
- Deletion of Data and Duration of Storage
- Security of Processing
- Transfer of Data to Third Parties, Subcontractors and Third Party Providers
- Processing activities within the scope of our online services
- Registration in the web shop
- Registration for Heinemann & Me
- Data processing in order to process orders
- Collecting information on website usage
- Usage analysis and offer optimization
- Contact form and contact via email
- Newsletter
- Information about Google Services
- Google Tag Manager
- Facebook Connect
- Google Analytics
- Google remarketing or "similar target audiences”
- Google AdWords conversion tracking
- YouTube
- DoubleClick
- DoubleClick Floodlight
- Meta retargeting with the "Meta-/Facebook-Pixel"
- DoubleClick Ad Exchange
- Spotify
- Localization Function
- Push News
- Market Research
- Heinemann & Me Wallet Card
- Integration of the Trusted Shops Trustbadge
- UserCentrics Consent Management
- Outbrain
- Noibu
- Hotjar
- Friendly Captcha
- Processing activities in our brick and mortar shops
- Video surveillance
- Compliance with customs and tax regulations during the sales process
- Cookies
- General Information
- Objections
- Cookie Policy
- Changes to the Data Privacy Statement
- General Information
- Purpose and Responsibility
- This Data Privacy Statement is intended to inform you about the nature, scope and purpose of the processing of personal data in relation to our website https://www.heinemann-shop.com and the related pages, features and contents (hereinafter collectively referred to as the ‘online service’ or ‘website’). Details on these processing activities can be found in section 2.
- Details on data processing in our brick and mortar stores are described in section 3.
- The website is provided by Gebr. Heinemann SE & Co. KG (Koreastraße 3 – 5, 20457 Hamburg, Germany) – hereinafter referred to as ‘Heinemann’, the ‘provider’, ‘we’ or ‘us’ – who is also legally considered the controller under data protection law.
- You can get in touch with our Data Protection Officer at the email address dataprotection@gebr-heinemann.de
- The term ‘user’ encompasses all customers, stakeholders, employees and visitors to our website.
- Legal Bases
We collect and process personal data based on the following legal grounds:
- Consent in accordance with article 6 paragraph 1 lit. a of the General Data Protection Regulation (GDPR). Consent means any freely given, specific, informed and unambiguous indication of agreement, which could be in the form of a statement or any other unambiguous confirmatory act, given by the data subject consenting to the processing of their personal data.
- Necessity for the performance of a contract or in order to take steps prior to entering into a contract according to article 6 paragraph 1 lit. b GDPR, meaning the data is required in order for us to fulfill our contractual obligations towards you or to prepare to conclude a contract with you.
- Processing to comply with a legal obligation in accordance with article 6 paragraph 1 lit. c GDPR, meaning, for instance, that the data processing is required by law or other regulations.
- Processing in order to protect legitimate interests in accordance with article 6 paragraph 1 lit. f GDPR, meaning that the processing is necessary to protect legitimate interests pursued by us or by a third party, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.
- Rights of Data Subjects
You have the following rights with regards to the processing of your data by us:
- The right to lodge a complaint with a supervisory authority in accordance with article 13 paragraph 2 lit. d GDPR and article 14 paragraph 2 lit. e GDPR.
- Right of access in accordance with article 15 GDPR
- Right to rectification in accordance with article 16 GDPR
- Right to erasure (‘right to be forgotten’) in accordance with article 17 GDPR
- Right to restrict processing in accordance with article 18 GDPR
- Right to data portability in accordance with article 20 GDPR
- Right to object in accordance with article 21 GDPR
Notice: Users may object to the processing of their personal data in accordance with law at any time with effect for the future. Objections may in particular be lodged against processing for the purposes of direct marketing.
Without prejudice to any other administrative or judicial remedy, you shall have the right to submit complaints to a supervisory authority, in particular in the member state where you reside, where you are employed or where the alleged infringement occurred, if you believe that the processing of your personal data violates the GDPR.
- Deletion of Data and Duration of Storage
The personal data of the data subject will be deleted or blocked as soon as the purpose for which it was stored no longer applies. Data may be stored for longer if such storage is required by European or national legislation in EU regulations, laws or other regulations to which the controller is subject. Data may also be blocked or deleted when a retention period mandated by the standards mentioned expires, unless the continued storage of data is required to conclude a contract or to fulfill contractual obligations.
- Security of Processing
- We have implemented appropriate and state-of-the-art technical and organizational security measures (TOMs). That means that the data we process is protected against accidental or intentional manipulation, loss, destruction and unauthorized access.
- These security measures include in particular the encrypted transfer of data between your browser and our server.
- Transfer of Data to Third Parties, Subcontractors and Third Party Providers
- Personal data is only transferred to third parties within the framework of legal requirements. We only disclose personal data of users to third parties, if this is required e.g. for billing purposes or other purposes or if the disclosure is necessary to ensure contractual obligations toward the users are fulfilled.
- If we engage subcontractors for our website, we have made appropriate contractual arrangements and taken adequate technical and organizational measures with these companies.
- If we use content, tools or other means from other companies (hereinafter collectively referred to as ‘third party providers’) whose registered offices are located in a third country, we assume that data is transferred to the home countries of these third party providers. Personal data is transferred to third countries only if an adequate level of data protection, the user’s consent or another legal permission is present.
- Processing activities within the scope of our online services
- Registration in the web shop
In the context of an order or a pre-order, our General Terms and Conditions (GTC) apply in addition to this data protection declaration; these are available at https://www.heinemann-shop.com/en/global/terms-and-conditions
- Registration for Heinemann & Me
If you are a member of our customer loyalty program, the General Conditions of Participation for the Heinemann & Me program apply in addition to this data protection declaration.
- Data processing in order to process orders
- During the ordering process in our online store, you have the option to select a payment method. Payments are processed via the payment service provider Adyen (Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands). We have concluded an order processing agreement with Adyen in accordance with Article 28 GDPR.
- We transmit your IP address to Adyen for the purpose of fraud prevention and detection. All data is transmitted in encrypted form. Adyen collects and stores the data and only passes it on to the companies involved in the payment process. We do not collect or store the payment data.
- We offer the following payment options:
- Payment by credit card
- When you select the payment method "credit card", personal data will automatically be transmitted to Adyen. By selecting this payment option, you consent to the transmission of personal data to our payment service provider as required for payment processing and for identity and credit checks.
- The personal data transmitted to Adyen usually includes the card type (Mastercard or VISA), name of the card holder, card number, security code and expiration date.
- In the case of credit card payment, the "3-D Secure" procedure is used to confirm the identity of the buyer via two-factor authentication.
- You can revoke the consent you granted to us to process your personal data at any time with effect for the future.
- Information on data protection at Adyen is available at https://www.adyen.help/hc/en-us/categories/360002679940-Adyen-on-my-bank-statement.
- Payment on account
- When you select the payment option "Klarna purchase on account", personal data is automatically transmitted to Klarna (Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden). By selecting this payment option, you consent to the transmission of personal data required for payment processing and for identity and credit checks.
- The personal data transmitted to Klarna is usually your first and last name, title, address, date of birth, gender, email address, IP address, telephone number, cell phone number, as well as data necessary for the processing of the purchase on account and data related to the order, such as number of items, item number, invoice amount and taxes as a percent, billing information, bank details, card number, expiration date, CCV code, information about goods/services, historical information, information about your previous purchases, payment history, any rejections, financial information, information about any credit obligations and payment notes, information about the interaction between you and Klarna Checkout, page load times, download errors and methods used to leave the displayed page, electronic communication information, receipt confirmations, device information, and geographical information.
- Transmission of the data is necessary in order to process your purchase with the Klarna billing processing you requested, in particular to confirm your identity, to administer your payment and customer relationship, for customer analysis, to administer Klarna's services and for internal processes, including troubleshooting, data analysis, internal testing, development, statistical purposes, to improve Klarna's services, to ensure that the necessary information is displayed as effectively as possible for you and your device, to prevent misuse or improper use of Klarna's services, as part of Klarna's efforts to make the Services as secure as possible, to assess which payment methods we can make available to you through Klarna, to conduct internal credit assessments, to conduct risk analysis and risk management, for business development and to comply with applicable law. In doing so, Klarna has a legitimate interest in the transmission of the buyer's personal data and requires said transmission in order to obtain information from credit reporting agencies for the purpose of identity and credit checks. In addition, Klarna may provide your personal data to other companies within the Klarna Group, service providers and subcontractors to the extent necessary to fulfill its contractual relationships with you or with them. A list of the credit agencies used by Klarna is available at https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies.
- As part of a decision to establish, execute or terminate a contractual relationship, Klarna collects and uses information on the past payment behavior of the buyer and probability values related to this behavior in the future. Klarna calculates this score based on scientifically recognized mathematical and statistical methods.
- You have the option to revoke your consent to the processing of your personal data at any time with effect for the future towards Klarna. Klarna's applicable data protection provisions are available at https://cdn.klarna.com/1.0/shared/content/legal/terms/0/en_gb/privacy.
- Payment via PayPal
- If you select the payment method "PayPal", personal data will be automatically transmitted to PayPal (PayPal (Europe) S.à r.l. & Cie, S.C.A., 5th floor, 22-24 Boulevard Royal, L-2449 Luxembourg). By selecting this payment option, you consent to the transmission of personal data required for payment processing and for identity and credit checks.
- The personal data transmitted to PayPal usually includes your first name, last name, address, email address, IP address, telephone number, cell phone number or other data required for payment processing. Personal data related to the order in question is also necessary to process the purchase contract.
- PayPal may transmit the personal data exchanged between our company and PayPal to credit agencies. The purpose of this transmission is to check the purchaser's identity and creditworthiness. PayPal may pass on the personal data to affiliated companies and service providers or subcontractors, insofar as this is necessary to fulfill contractual obligations or if the data is processed by a contractor.
- You can revoke your consent to the processing of your personal data at any time with effect for the future towards PayPal. The applicable data protection provisions of PayPal are available at https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.
- We transmit data to AZ Direct GmbH (Carl-Bertelsmann-Straße 161 S, 33311 Gütersloh, Germany) for address validation purposes.
- Flight data verification: You must be in possession of a valid flight ticket in order to make a purchase from us. During the purchase process, we will check your flight number and flight date in our online service to verify your eligibility to make a purchase. We use the services of FlightStats Inc. (522 SW 5th Ave., Portland, OR 97204, USA).
- Collecting Information on website usage
- When a user accesses our website, information may be transferred automatically from their device to us; this information includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
- This information is processed as part of legitimate interests in accordance with article 6 paragraph 1 lit. f GDPR (e.g. to optimize the website) as well as to ensure the security of processing in accordance with article 5 paragraph 1 lit. f GDPR (e.g. for the defense and clarification in case of cyber attacks).
- This information will be automatically deleted 30 days after the connection is terminated, unless any other retention periods require otherwise.
- The data collection and storage in log files are essential to provide the website. Therefore users are not entitled to the options of deletion, objection or correction.
- Usage analysis and offer optimization
Our goal is to always be able to offer our customers relevant products, offers and promotions and to meet their individual needs. For this reason, it is important that we get to know our customers better. The customer data described below helps us to improve our processes and offers in general, as well as to tailor our website to the needs of our customers and to provide the most relevant services and products at every point of contact with Heinemann.
- Customer account and order data: Data collected during the registration process in the Heinemann web shop (creation of the customer account) as well as data collected during orders (e.g. payment method, date, subject and sales value of purchases, advantages and discounts applied for the customer) will be used by Heinemann for the purpose of personalized usage analysis and offer optimization. By registering in the Heinemann webshop, the customer consents to the use of their personal data. The processing is based on article 6 paragraph (1) lit. a GDPR (consent).
- Usage data: In addition, after the user grants their separate consent to marketing cookies, their surf behavior in the web shop (e.g. (product) pages viewed, products added to the shopping cart, shopping carts abandoned, successful check outs) is collected, stored and used in a personalized manner to determine customer interests.
- Advertising with a personal touch: Heinemann will use the data specified in the previous paragraphs for personalized advertising via digital channels (in accordance with Article 6 paragraph (1) lit. a GDPR) for the purpose of advertising products, promotions and offers, subject to separate consent. If users do not grant such consent or revoke such consent to advertising, this will have no effect on their ability to use the website. Right of revocation: Consent to advertising is voluntary and can be revoked at any time (directly on the respective digital channel, by mail to: Gebr. Heinemann SE & Co. KG, Service, P.O. Box 111 661, 20416 Hamburg, by fax to: 00800 222 44 223 (fees may apply depending on the country or network provider), by e-mail to: service@heinemann-and-me.com or by telephone to 00800 222 44 224 (fees may apply depending on the country and network provider)).
- Contact form and contacting via email
- When a user contacts us (via online form or e-mail), the data provided by the user will be processed exclusively for processing and handling the inquiry.
- The data will only be used in some other manner if the user grants their consent to such use.
- The users' data will be stored in our Customer Relationship Management System (‘CRM System’) or a comparable software/database. The legal retention periods for business letters apply.
- Newsletter
- The following section informs you about consenting to receive and registering for our newsletter, as well as how the newsletter is sent out, the statistical analysis procedures we use and your right to object. By subscribing to our newsletter you agree to receive it and to the described procedures.
- Double opt-in and logging
We use a so-called double opt-in procedure during registration for our newsletter, i.e. after registration you will receive an e-mail in which you will be asked to confirm your registration. This confirmation is necessary so that no one can log in with another person's e-mail address. Registrations for the newsletter are recorded so we can fulfill our legal verification obligations. This includes storing the time of registration and confirmation as well as the IP address.
- Shipping service provider
The newsletter is sent using the ‘SAP Intelligent Notification 365’ tool provided by SAP Deutschland SE & Co. KG (Hasso-Plattner-Ring 7, 69190 Walldorf, Deutschland) - hereinafter referred to as the ‘shipping service provider’. The data protection regulations of the shipping service provider are available here: https://www.sap.com/corporate/en/legal/privacy.html
- Statistical survey and analyses
The newsletters contain a so-called ‘pixel’, i.e. a file which is retrieved from the server of the shipping service when the newsletter is opened. Technical information, such as information about your browser, your system, your IP address and the time of retrieval are collected during the retrieval. This information is used to make technical improvements to our services based on the technical data or the target audiences and their behaviour in relation to their retrieval locations (which can be determined using the IP address) or access times.
The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links users click on. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is not our intention, nor that of the shipping service provider, to monitor individual users. Instead, we use the analyses to recognize the reading habits of our users and to adapt our content to them or to send different content according to the user's interests.
- Legal bases
Our use of the shipping service provider, performance of statistical surveys and analyses as well as logging of the registration process are based on our legitimate interests in accordance with article 6 paragraph (1) lit. f GDPR. We have an interest in using a user-friendly and secure newsletter system that serves our business interests and meets the expectations of our users.
- Termination/Revocation
You can cancel your registration to receive our newsletter (i.e., revoke your consent) at any time. You will find a link to unsubscribe from the newsletter at the end of each newsletter. If a user has unsubscribed from the newsletter, the user's personal data used to send out the newsletter will be deleted.
- Information about Google services
- We use various services of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland on our website. For more information on the individual Google services that we use on this website, please refer to the remaining sections of the privacy policy.
- If the service is deactivated at the domain or cookie level, it will remain valid for all tracking tags implemented with Google Tag Manager.
- Because our site has integrated Google services, Google may collect information (including personal data) and process it. It is possible that Google will transmit the information to a server in a third country. Whether data is transmitted to the USA depends on the function through which personal data is transmitted. As the controller, we ourselves may transfer data to Google in the USA for further use. Currently, there is no adequacy decision in place pursuant to Art. 45 GDPR. However, the transfer can be carried out based on standard contractual clauses. Google has committed to comply with the standard contractual clauses for the transfer of personal data to third countries (Standard Contractual Clauses - SCC). More information about the Standard Contractual Clauses is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and at https://policies.google.com/privacy/frameworks?hl=en
- We ourselves have no influence over which data Google actually collects and processes. However, Google states that, in principle, the following information (including personal data) may be processed, among other types of information:
• Log data (in particular the user's IP address)
• Location-related information
• Unique application numbers
• Cookies and similar technologies
Information on the types of cookies Google uses is available at https://policies.google.com/technologies/types.
- If you are logged into your Google account, Google may add the processed information to your account depending on your account settings and treat it as personal data.
- Google has made the following statement about this processing: "If you are not signed into a Google Account, we store the data we collect with unique identifiers associated with the browser, app, or device you are using. This allows us to ensure, for example, that your language settings are maintained across all browser sessions. If you are logged into a Google account, we also collect data that we store in your Google account and consider to be personal data." (https://privacy.google.com/take-control.html.)
- You can prevent this data from being added directly by logging out of your Google account or by changing the appropriate account settings in your Google account. Furthermore, you can change your cookie settings (e.g. delete cookies, block cookies, etc.).
- You can find more detailed information in Google's privacy policies, which you can access here: https://www.google.com/policies/privacy/.
- You can find information on Google's privacy settings at https://privacy.google.com/take-control.html.
- Google Tag Manager
- We use the Google Tag Manager on our website. The Google Tag Manager is a service of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
- The Google Tag Manager allows us to integrate various codes and services on our website in an orderly and simplified manner. The Google Tag Manager implements the tags or "triggers" the embedded tags. When a tag is triggered, Google may collect information (including personal data) and process it. In doing so, it is possible that Google may transmit the information to a server in a third country.
- In particular, the following personal data is processed by the Google Tag Manager:
• Online identifiers (including cookie identifiers)
• IP address
- You can find more detailed information about the Google Tag Manager on the website https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/ as well as at https://www.google.com/intl/de/policies/privacy/index.html (see the section "Data we receive based on your use of our services").
- Furthermore, we have concluded an order processing contract with Google for the use of the Google Tag Manager (Art. 28 GDPR). Google processes the data on our behalf in order to trigger the stored tags and display the services on our website. Google may transfer this information to third parties if required by law or if third parties process this data on behalf of Google.
- If you have deactivated individual tracking services (e.g. by setting an opt-out cookie), the deactivation remains valid for all affected tracking tags that are integrated by the Google Tag Manager.
- Our purpose in integrating the Google Tag Manager is to be able to integrate a variety of services clearly and simply. In addition, integrating the Google Tag Manager optimizes the loading times of the various services.
- The legal basis for the processing of personal data described here as part of the analysis process is your consent which you have expressly granted in accordance with Art. 6 para. 1 lit. a GDPR.
- The legal basis for the processing of data in the context of obtaining consent is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. We have a legitimate interest in being able to prove that you have given your consent to the analysis procedure (Art. 7 (1) GDPR).
- Facebook Connect
- If a so-called ‘Facebook Connect Button‘ is integrated on our website, you can log in to our website with your Facebook user data. In addition, Facebook Connect can automatically include information about your activities on our website in your Facebook profile. In this respect, when you activate the button, you will be given both the opportunity to expressly consent to access your Facebook user data and to publish information and activities on your Facebook profile. Any further data is only used (e.g. contacting you via your email address) with your prior express consent.
- Please note that Facebook receives information about the website via Facebook Connect, including what you are doing. To personalize the connection process, Facebook may in some cases receive a limited amount of information prior to authorizing the online service.
- The purpose and scope of data collection and the further processing and use of the data by Facebook as well as your rights in this regard and setting options to protect your privacy are provided in the data protection declaration at: https://www.facebook.com/privacy/explanation
- Google Analytics
- We use Google Analytics, a web analytics service of Google Ireland Limited (Gordon House Barclays Dublin Ireland - hereinafter "Google"), on the basis of your consent for the analysis, optimization and economic operation of our online offer pursuant to Art. 6 para. 1 lit. a GDPR. Google uses cookies and other technologies. The information generated by the service about the use of the online offer by the users is transmitted to a Google server in the USA and processed there.
- Google acts on our behalf within the framework of order processing in accordance with Article 28 GDPR. We have concluded a data protection agreement with Google that contains the EU standard data protection clauses.
- We use Google Analytics with IP anonymization enabled.
- Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID that can be used to recognize you during future website visits. Users can prevent cookies from being stored by changing their browser settings accordingly; users can also prevent Google from collecting data generated by the cookie and related to their use of the website, as well as processing of this data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
- The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 26 months. Other data remains stored in aggregated form indefinitely.
- For more information on data usage by Google, settings and revocation options, please visit Google's websites: https://policies.google.com/technologies/partner-sites?hl=de ("Data use by Google when you use our partners' websites or apps"), https://policies.google.com/technologies/ads ("Data use for advertising purposes") and https://adssettings.google.com/authenticated ("Manage information Google uses to serve ads to you").
- Google remarketing or "similar target audiences”
- This online service uses the remarketing or ‘similar target group’ function of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (‘Google’).
- You can be targeted with personalized and interest-based ads when you visit other websites in the so-called ‘Google Display Network’. ‘Google Remarketing’ or the function ‘Similar target groups’ uses so-called ‘cookies’, text files which are stored on your device and which enable an analysis of your use of the website. These text files are used to record your visits and anonymous data about the use of the online service. Personal data will not be stored. If you visit another website in the so-called ‘Google Display Network’, you may see advertisements that most likely take into account product and information areas previously accessed on our online Service.
- Google's privacy policy for remarketing with further information can be found here: http://www.google.com/privacy/ads/.
- Google AdWords Conversion-Tracking
- This online service uses the ‘Google AdWords Conversion Tracking’ function of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (‘Google’).
- Google AdWords Conversion Tracking uses ‘cookies’, which are text files placed on your device, to help the website analyze how users use the online service when they click on a Google ad. The cookies are valid for a maximum of 90 days. Personal data will not be stored. As long as the cookie is valid, Google and we as operator of this website can recognize that you clicked on an ad and accessed a specific target page (e.g. order confirmation page, newsletter registration). These cookies cannot be tracked across multiple websites by different AdWords participants. The cookie creates conversion statistics in ‘Google AdWords’. These statistics record the number of users who clicked on one of our ads. It also counts how many users have accessed a target page that has been provided with a ‘conversion tag’. However, the statistics do not contain any data with which you can be identified.
- For more information on how Google uses conversion data and Google's privacy policy, please visit: https://support.google.com/adwords/answer/93148?ctx=tltp or http://www.google.de/policies/privacy/.
- YouTube
- We use the video portal "YouTube" of the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google") on our internet pages (videos) in order to achieve smooth integration of the videos and ensure our website has an appealing design. The legal basis for this data processing is your consent in accordance with Art. 6 (1) a GDPR.
- We use the "extended data protection mode" option provided by Google for this purpose.
- When you access a page that has an embedded video, a connection is established to the Google servers and the content is displayed on the website by informing your browser.
- According to statements provided by Google, in "extended data protection mode" your data - in particular which of our Internet pages you have visited as well as device-specific information including your IP address - is only transmitted to the YouTube server in the USA when you watch the video. By clicking on the video, you consent to this transmission.
- If you are logged in to Google at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.
- In some cases, information is transmitted to the parent company Google Inc. based in the USA, to other Google companies and to external partners of Google, each of which may be located outside the European Union. Google uses standard contractual clauses approved by the European Commission for this purpose and relies on the adequacy decisions issued by the European Commission with regard to certain countries.
- For more information on data protection in connection with YouTube, please refer to Google's privacy policy.
- When you use the video portal, the domains googlevideo.com ("Google Video") and ggpht.com ("Google Photos") are accessed. Your consent forms the legal basis for this access. This also applies to Google's "DoubleClick" advertising network; see section 2.15 "DoubleClick".
- DoubleClick
- DoubleClick by Google is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’).
- DoubleClick by Google uses cookies to display ads that are relevant to you. Your browser is assigned a pseudonymous identification number (ID) to check which ads have been displayed in your browser and which ads you clicked on. The cookies do not contain any personal information. The use of DoubleClick cookies only allows Google and its partner websites to display ads based on your previous visits to our site or other websites. The information generated by the cookies is transmitted by Google to a server in the USA for analysis and stored there. Under no circumstances will Google merge your data with other data collected by Google.
- For more information about DoubleClick by Google and privacy, please visit: https://policies.google.com/technologies/ads?hl=en
- The legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You consent to the processing of your data collected by Google in the manner and for the purposes set out above.
- You can prevent the storage of cookies by selecting the appropriate settings in your browser software. Furthermore, you can prevent Google from collecting and processing the data generated by the cookies and related to your use of the websites by downloading and installing the browser plug-in available at the following link under "Extension for DoubleClick deactivation".
- DoubleClick Floodlight
- Our website uses the DoubleClick Floodlight service, an online advertising program from Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’).
- Google Floodlight allows us to track and document the actions of users who visit our website after they have seen or clicked on one of our ads. So-called floodlight tags or visitor pixels and cookies are set on our website (so-called DoubleClick cookie) for this purpose. We use Google Floodlight to determine the efficiency of our online campaigns in terms of sales and user activity on our website. These cookies and tags do not contain any personal data and are therefore not used for personal identification. For example, we can determine the number of users who have purchased a product or completed an online form and evaluate this information for statistical purposes, but we cannot identify you personally.
- For more information about Google Floodlight and Google's privacy policy, please visit: http://www.google.com/privacy/ads/.
- Meta Retargeting with the "Meta-/Facebook-Pixel"
- We use the so-called Meta/Facebook Pixel of Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta Ireland") on our website. Heinemann and Meta Ireland are joint controllers with respect to the pixel pursuant to Article 26 GDPR.
- Based on the event data collected on this website (e.g. information about content viewed), you may be shown interest-based advertisements ("ads") on Facebook, Instagram and the connected advertising network (Audience Network) for the purpose of retargeting. For more information on personal data processed when using the pixel, please visit: https://www.facebook.com/legal/terms/businesstools_jointprocessing.
- The legal basis is your consent pursuant to Article 6(1)(a) GDPR.
- You can revoke your consent at any time by deactivating the "Facebook Pixel" in the cookie settings in our consent management tool. For more information on the processing of personal data at Meta, please visit https://de-de.facebook.com/privacy/explanation.
- DoubleClick Ad Exchange
- DoubleClick Ad Exchange is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’).
- DoubleClick Ad Exchange uses cookies to display advertisements on our website. The information stored in this way can be collected, stored and processed by Google or its partners. In addition, so-called ‘web beacons’ (small graphics) are used to collect information about visitors to our website (e.g. browser, operating system, previously visited site, IP address, date/time). The collected data is transferred to a Google server in the USA and stored there. This data is used by Google for statistical analysis of user behavior in connection with advertisements placed with DoubleClick Ad Exchange. If necessary, the data will be passed on to third parties if this is required by law or if third parties process the data on behalf of Google.
- Spotify
- We use plugins from the music streaming service Spotify (Spotify GmbH, Münzstraße 15, 10178 Berlin, Germany). These plugins establish a direct connection between your browser and Spotify as soon as you navigate our website. In this way Spotify recognizes that you have visited our website with your IP address. If you are logged into your Spotify account and click the green Spotify button on our pages, you can link the content on your Spotify profile - so your visit to our website can be assigned to your Spotify user account.
- Detailed information is available in Spotify's privacy policy at https://www.spotify.com/uk/legal/privacy-policy/
- If you do not wish Spotify to associate your visit to our website with your Spotify account, please log out while you are visiting our website.
- Localization Function
- We offer a localization function when you use our website. Using this function requires your consent.
- If you agree to the localization function, the required location data will be determined and you will receive location-specific offers from us. Depending on availability, your IP address, GPS data or data from wireless networks (WLAN) can be used to determine your location data.
- The location data will neither be stored nor transmitted to third parties.
- Push Notifications
- We offer a push notification function when you use our website. Using this function requires your consent.
- If you agree to the push notification function, we can send you information about promotions, special offers and news on your device (e.g. PC, laptop or smartphone).
- The push notifications are displayed in the lower right corner of your Internet browser. You do not need to visit our websites to receive push notifications. You can withdraw your consent at any time via the settings in your customer account. After that, you will not receive any more push notifications.
- Market Research
- concept m research + consulting GmbH (Konrad-Adenauer-Ufer 39, 50668 Cologne, Germany) - hereinafter referred to as "concept m" - conducts market research for us on the development of our brand and our range of products and services - hereinafter referred to as the "survey".
- You will receive an invitation from us to participate in the survey by email. After you complete the survey, we will only receive statistical analyses, i.e. anonymized data, from concept m.
- concept m is considered the controller in the sense of data protection legislation for carrying out the survey as well as for the data that is collected from you in the context of the survey. Details on data protection at concept m are available at conceptm.eu/datenschutzerklaerung.
- Heinemann & Me Wallet Card
- SimplySoft GmbH (Englisch-Gruss-Strasse 38, 3902 Brig-Glis, Switzerland) provides a service to us that enables you as a Heinemann & Me Member to store your Membership Card as a Wallet Card.
- After you complete your registration, if you want to have a Wallet Card, we offer you a link to voluntarily load your Membership Card as a Wallet Card and store it on your smartphone.
- By using this service, you agree that your Heinemann & Me membership number as well as your first and last name may be transferred to the web-based solution PassSlot SimplySoft GmbH in order to create a Wallet Card there. You can then download your membership card to your personal mobile wallet on your Android or iOS mobile device or send it to yourself by e-mail.
- SimplySoft GmbH is considered the controller responsible under data protection law for providing the service and for the data collected and processed in the context of the Wallet service. Details on data protection at SimplySoft GmbH are available at https://www.passslot.com/privacy.
- Integration of the Trusted Shops Trustbadge
The Trusted Shops Trustbadge is integrated on this website to display Trusted Shops services (e.g. Trustbadge and collected reviews) as well as to offer Trusted Shops products to buyers after they place an order.
This is necessary to safeguard our legitimate prevailing interests in optimal marketing by ensuring the security of your purchase according to Article 6 (1) f GDPR. The Trustbadge and the services advertised with it are offered by Trusted Shops AG, Subbelrather Str. 15C, 50823 Cologne, Germany. We and Trusted Shops AG are considered joint controllers responsible for data protection pursuant to Art. 26 GDPR. In the following section, we inform you about the essential contractual contents pursuant to Art. 26 (2) GDPR within the scope of this data privacy notice.
The Trustbadge is made available by a USA-based CDN provider (Content-Delivery-Network). An adequate level of data protection is ensured by standard data protection clauses and other contractual measures. Further information on data security at Trusted Shops AG is available in their privacy policy.
When the Trustbadge is accessed, the web server automatically saves a server log file which contains, for example, your IP address, the date and time of access, the amount of data transferred and the requesting provider (access data) and which documents the access. The IP address is anonymized immediately after collection so that the stored data cannot be assigned to you personally. The anonymized data is used in particular for statistical purposes and for error analysis.
After the order is complete, your email address, which is hashed using a cryptographic one-way function, is transmitted to Trusted Shops GmbH. The legal basis for this is Art. 6 para. 1 p. 1 lit. f GDPR. The purpose is to check whether you are already registered for services with Trusted Shops GmbH. This is necessary to fulfill our and Trusted Shops' overriding legitimate interests in providing the buyer protection linked to the specific order in each case and the transaction analysis services pursuant to Art. 6 para. 1 p. 1 lit. f GDPR. If this is the case, further processing will be carried out in accordance with the contractual agreement between you and Trusted Shops. If you have not yet registered for the services, you will be given the opportunity to do so. Further processing after registration is also based on the contractual agreement with Trusted Shops AG. If you do not register, all transmitted data will be automatically deleted by Trusted Shops AG and can no longer be associated with you personally.
Trusted Shops uses hosting, monitoring and logging service providers. The legal basis is Art. 6 (1) lit. f GDPR for the purpose of ensuring fault-free operation. Processing may take place in third countries (USA and Israel). An adequate level of data protection is ensured in the case of the USA by standard data protection clauses and further contractual measures, and in the case of Israel by an adequacy decision.
If you have any questions related to data privacy or wish to assert your rights within the framework of the joint controller responsibility existing between us and Trusted Shops AG, we request that you contact Trusted Shops AG using the contact information provided in the data privacy information linked above. You can, however, always contact the controller of your choice. If necessary, your inquiry will be forwarded to the other controller for a response.
- Usercentrics Consent Management
- We use the Usercentrics Consent Management Platform as a consent management tool as part of analytics activities on our website. The Usercentrics Consent Management Platform collects log files and consent data using JavaScript. This JavaScript enables us to inform users about their consent to certain tags on our website and to obtain, manage and document this consent.
- We process the following data in this context:
- Consent data or data related to consent (anonymized log data (consent ID, processor ID, controller ID), consent status, timestamp)
- Device data (e.g. truncated IP addresses (IP v4, IP v6), device information, timestamp)
- User data (e.g. eMail, ID, browser information, SettingIDs, Changelog)
The ConsentID (contains the above data), the consent status incl. timestamp are stored in the local memory of your browser and simultaneously on the cloud servers used. Further processing will only take place if you submit a request for information or revoke your consent. In this case, the relevant information is provided to us in a compact data format in an easily readable text form for the purpose of data exchange (JSON file).
- No user information is stored to obtain statistics on whether consent is granted and used or not. Only the frequency and locations of clicks are stored.
- The personal data is stored on a Google Cloud server located in the EU (Brussels, Belgium or Frankfurt am Main, Germany).
- The purpose of data processing is to analyze and manage the consents granted, in order to comply with our obligation to maintain GDPR-compliant consent management. We use Usercentrics to verify whether consent is granted or not granted and for consent management.
- The legal basis of managing your consent to process your personal data is Art. 6 para. 1 lit. f GDPR. We have a legal interest in maintaining legally secure documentation and verifying consent, controlling marketing measures based on consents granted and optimizing consent rates.
- The data is deleted as soon as it is no longer required. The associated cookie has a term of 60 days. The revocation document for a previously granted consent is kept for a period of three years. This retention period is based on our accountability pursuant to Art. 5 para. (2) GDPR.
- Outbrain
- This site uses behavioral targeting by the company Outbrain (Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011, USA) under joint controllership with Gebr. Heinemann SE & Co. KG.
- Outbrain works to provide users with relevant recommendations based on their interests. For this purpose Outbrain concludes agreements with:
- Online publishers and partners who want to recommend relevant content to their readers (Outbrain Engage); and
- Advertisers who want readers to view their content (Outbrain Amplify).
- Questions about privacy should be mailed to Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011, Attn: Privacy Questions, or emailed to PrivacyQuestions@outbrain.com. If Outbrain does not answer your questions or concerns to your satisfaction, you may also contact Outbrain's external data protection officer (ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer).
- Data subjects:
Users interacting with the Outbrain widget via Outbrain's network of publishers.
- Purpose of tracking:
Outbrain collects information on user behavior in order to offer personalized recommendations. Processing of personal data: Cookie IDs, user IDs and IP addresses are processed in truncated form (non-personalized).
- Storage period:
Outbrain stores individual data in a user's profile for a maximum of 13 months.
- Legal basis:
Insofar as consent has been given, the corresponding data processing is based on Art. 6 para. 1 lit. a) GDPR.
You can revoke your consent at any time by accessing the privacy settings in our consent management platform.
There is also an option to prevent processing (opt-out): https://my.outbrain.com/recommendations-settings/home
- Data transfers outside the EU/EEA:
If Outbrain transfers personal data from the European Economic Area to other countries whose applicable laws do not have the same level of data protection as in the European territories, Outbrain will ensure an appropriate level of data protection through its own measures. Your data will therefore still be subject to your rights and data protection. For example, Outbrain uses the currently applicable EU standard contractual clauses for this purpose.
- Data retention:
The storage period for each cookie used by Outbrain can be found in the cookie overview at https://www.outbrain.com/legal/privacy#cookies.
- Noibu
- We use the service Noibu to identify and prioritize e-commerce errors. The provider is Noibu Technologies Inc (979 Bank Street #500 Ottawa ON K1S 5K5 Canada).
- The following data in particular is processed: IP address, browser data, device type
- The legal basis is the balancing of interests in accordance with Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in detecting, analyzing and eliminating errors in the software.
- The storage period for the collected data is 90 days.
- Data processing by Noibu is carried out in Canada.
- Details on data privacy at Noibu are available here: https://noibu.com/privacy-policy/
- Hotjar
- We use the service Hotjar to better understand the needs of our users and to optimize our offers and the experience of using our website.
- Hotjar works with cookies and other technologies to collect data about the behavior of our users and about their devices, in particular the IP address of the device (which is collected and stored only anonymously during your website use), screen size, device type (unique device identifiers), information about the browser used, location (country only), and preferred language for viewing our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.
- The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR.
- For more information about Hotjar, please see the 'about Hotjar' section at: https://help.hotjar.com/hc/en-us/categories/115001323967-About-Hotjar
- Friendly Captcha
- We use the Friendly Captcha service of Friendly Captcha GmbH on our website.
- Friendly Captcha is a cryptography-based solution to make it more difficult for automated programs and scripts (so-called "bots") to misuse our website. Friendly Captcha does not set any cookies on the end devices of the users.
- The legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest is based on protecting our website from spam attacks and other misuse. Due to these compelling reasons justifying protection, an objection to the processing is excluded.
- Further information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.
- Processing activities in our brick and mortar shops
- Video surveillance
- On the basis of Article 6 (1) f GDPR, video recordings are processed as part of our legitimate interest for the following purposes:
- protection of our domiciliary right
- prevention and investigation of criminal offenses (in particular theft, attacks, fraud, damage and vandalism)
- Our legitimate interests are:
- the protection of property and assets
- the protection of customers, visitors and employees
- A use or transfer of the video recordings that goes beyond this shall only take place to the extent necessary in relation to possible criminal prosecution. In this case, the recipients shall be the competent law enforcement authorities.
- We employ external service providers to maintain the video surveillance system, whereby access to the video surveillance system or stored video recordings cannot be ruled out.
- The video recordings shall be deleted 10 days after they are made. They shall only be stored for a longer period if this is necessary in the specific individual case to enforce legal claims or prosecute criminal offenses.
- Data transmission to third parties (e.g. the police) shall only take place if necessary to investigate criminal offenses.
In the following section, you will find our data privacy notice in accordance with Article 13 GDPR for the processing of personal data within the framework of our video surveillance.
- Compliance with customs and tax regulations during the sales process
- Sales of goods to travelers is exempt from excise duties and sales tax under certain conditions. The tax exemption allows goods to be offered to travelers at low prices.
- Scanning the boarding pass:
The purpose of scanning the boarding pass is to check whether the goods sold are exported to a third country (export certificate). No personal data is processed during the scan. The fields "Check-in sequence no", "Flight no" and "Destination" are read out.
- Scanning proof of identity:
The term "proof of identity" is used in this context as a synonym for any border crossing document / identification document; i.e. passport, ID card, identity card (Switzerland), among others.
The purpose of scanning a proof of identity is to prove that the customer's place of residence is in a third country (proof of purchase). A proof of identity is scanned only if the customer provides a proof of identity from a non-EU country and a third country has been previously identified as the destination. As a rule, only the MRZ (machine-readable zone) of the proof of identity is read; if this is not possible, a pictorial copy is made.
Case 1: Storing the following machine-readable data from the proof of identity: "number of the proof of identity", "first and last name" and "country of issue".
Case 2: Saving the proof of identity as a JPG file (image saving) if the scanner does not recognize the MRZ (machine-readable zone).
If, at the end of the transaction, the minimum tax exemption amount of 50 Euros is not reached, the data collected in this step will be discarded and not saved.
- Filling in the residence receipt:
The purpose of the residence receipt as another part of the acquirer certificate and security measure against tax evasion is to confirm the customer's residence outside the EU. This must only be completed if a non-EU passport has been presented.
The customer provides confirmation using a signpad; if this is not possible (e.g. technical problems), a receipt is printed. Both on the signpad and on the paper receipt, residence in the EU must be selected "Yes / No" and confirmed with the customer's signature. While the electronically generated receipt is archived directly, the paper receipt must first be scanned.
We use the service providers Payone GmbH and ALPHA COM Deutschland GmbH to complete this processing within the framework of order processing according to Art. 28 GDPR.
- Deletion of data
In general, personal data will be deleted within ten years after the conclusion of the purchase contract at the end of a fiscal year in accordance with the retention periods under tax law (sec. 147 Tax Code in conjunction with sec. 14b VAT Act, sec. 63 VAT Implementing Regulation).
In order to obtain the tax exemption, appropriate evidence must be provided to the tax and customs office and necessary measures must be taken to prevent tax evasion, avoidance or abuse (section 6 para. 4 VAT Act and Article 14 para. 3 VerbrStSystRL (2008/118/EC)). The transaction data for the sale in question (name and number of the airport store, date of the transaction, quantity and price of the goods sold, number of the cash register and the cash register receipt) must therefore be supplemented by both an export certificate (“Ausfuhrnachweis”) pursuant to section 4 no. 1 lit. a, section 6 para. 1 no. 2 VAT Act, sections 8 para. 1, 9 para. 1 VAT Implementing Regulation and an acquirer certificate (“Abnehmernachweis”) pursuant to section 6 para. 3a no. 1 VAT Act, section 17 VAT Implementing Regulation, Art. 147 para. 2 sub-para. 1 UStSystRL. The accounting evidence also requires that the conditions of the tax exemption are clear and easily verifiable (sec. 13 VAT Implementing Regulation).
The three-stage data processing described below takes account of the tax regulations. The legal basis is Art. 6 (1) lit. c GDPR (legal obligation) in conjunction with Art. 6 (1) lit. f GDPR (balancing of interests).
- Cookies
- General Information
- Cookies are information transmitted by our web server or third-party web servers to the users' devices where they are stored for later retrieval. Cookies can be small files or any other type of information storage.
- The legal basis for processing (personal) data in connection with marketing cookies (if any) is the user’s consent.
- Objections
After giving consent, you may object to cookies that are used for measuring the range of coverage and promotional purposes via this link.
- Cookie Policy
For more information, please see our cookie policy.
- Changes to the Data Privacy Statement
- We reserve the right to change this Data Privacy Statement in order to adapt it to a changing legal situation, to changes to our website or to changes to data processing.
- If the user's consent is required or if elements of the Data Privacy Policy contain provisions on the contractual relationship with the user, the changes will only be made with the consent of the user.
- Users are requested to keep themselves informed about the content of this Data Privacy Statement on a regular basis.
Last updated: December 2024