Privacy policy

Privacy policy

Version: 1.0 |  Status: 02.06.2025

 

Preamble

The protection of your personal data is important to us, TEKTRO Europe GmbH (hereinafter "TEKTRO", "we" or "us"). We process your personal data responsibly, confidentially and in strict compliance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as well as the Telecommunications Digital Services Data Protection Act (TDDDG). This privacy policy informs you about how we collect, process and use your personal data when you visit our website https://eu.trpcycling.com/ (hereinafter "online store") and place orders through it.

 

1.     Name and contact details of the controller

 

The controller pursuant to Art. 4 No. 7 GDPR is:

TEKTRO Europe GmbH

August-Bebel-Straße 10

67454 Hassloch

Germany

 

Represented by the managing director Thomas Lattke.

 

Data Protection Officer pursuant to § 13 GDPR:

You can contact the data protection officer at info@tektro.eu (subject: To the data protection officer) or by post to the company address with the addition "Data protection officer".

 

 

2.     General principles of data processing

We only process our users' personal data to the extent necessary to provide a functional website and our content and services.

 

The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law. All processing of personal data is carried out in accordance with the principles of Art. 5 GDPR:

 

  • Lawfulness, processing in good faith, transparency: Data processing requires a valid legal basis and is carried out transparently.
  • Purpose limitation: Data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
  • Data minimization: Only data that is necessary for the respective purpose is processed.
  • Accuracy: Personal data must be factually correct and, if necessary, up to date.
  • Storage limitation: Data is only stored for as long as is necessary for the purposes for which it is processed or as required by statutory retention periods.
  • Integrity and confidentiality: Appropriate technical and organizational measures are taken to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.  

 

Automated decision-making and profiling

Automated decision-making or profiling does not take place within the scope of our services or when purchasing products. If individual service providers used by us (e.g. marketing tools) carry out profiling for advertising purposes, this is done on the basis of your consent and within their area of responsibility. We refer to this in section 7 of the respective services and link to their privacy policies for further information

 

3.     Data processing when visiting our website (server log files)

 

Each time our online store is accessed, our system (or the system of our hosting provider Shopify, see section 7) automatically collects data and information from the computer system of the accessing computer. The following data is collected (server log files):

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which the access is made (referrer URL)
  • Browser used and, if applicable, the operating system of your computer and the name of your access provider
  • Amount of data transferred
  • Notification of successful retrieval

 

This data is temporarily stored in the log files of our system. This data is not stored together with other personal data of the user.

 

Purposes of data processing: The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website, to guarantee the security of our information technology systems and to optimize our website. The data is not analyzed for marketing purposes in this context.

 

Legal basis: The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above.

 

Storage period: The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is usually the case after seven days at the latest; storage beyond this is possible, whereby the IP addresses are then anonymized or alienated so that it is no longer possible to assign the calling client.

 

Recipients: This data may be passed on to our hosting service provider (Shopify and its sub-service providers such as Cloudflare, see section 7), which acts on our behalf as part of order processing.

4.     Cookies and similar technologies (consent management)

Our online store uses cookies and, where applicable, comparable technologies (e.g. local storage, tracking pixels). Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware. Information is stored in the cookie that results in each case in connection with the specific end device used. However, this does not mean that we gain direct knowledge of your identity.

 

We use different types of cookies:

  • Technically necessary (essential) cookies: These cookies are absolutely necessary for the operation of the website and the provision of basic functions (e.g. shopping cart function, login status). Without these cookies, you cannot use our online store or can only use it to a limited extent.
  • Functional cookies: These cookies enable us to offer you enhanced functionalities and a personalized user experience (e.g. storage of preferences).
  • Analysis/performance cookies: These cookies help us to understand how visitors interact with our website by collecting and analyzing information anonymously. They enable us to analyze the use of the website and optimize our offers.
  • Marketing/tracking cookies: These cookies are used to follow visitors across websites. The aim is to serve ads that are relevant and engaging to the individual user and therefore more valuable to publishers and third party advertisers.

 

Consent requirement: According to Section 25 (1) of the Telecommunications Digital Services Data Protection Act (TDDDG), the storage of information in the end user's terminal equipment or access to information already stored in the end user's terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information. An exception to this consent requirement only exists in accordance with Section 25 (2) No. 2 TDDDG if the storage or access is absolutely necessary for the provider of a digital service to provide a digital service expressly requested by the user. We require your active consent for all cookies and technologies that are not absolutely necessary.  

 

Cookie consent tool (cookie banner): In order to obtain and manage your consent in accordance with the law, we use a cookie consent tool (cookie banner). When you visit our online store for the first time, this banner informs you about the cookies and similar technologies we use and asks for your consent.

 

Legal basis for cookies:

  • The legal basis for technically necessary cookies is Section 25 (2) No. 2 TDDDG. If personal data is processed by these cookies, this is done on the basis of Art. 6 para. 1 lit. f GDPR (our legitimate interest in providing a functional and user-friendly online store).
  • For all other cookies and technologies (functional, analysis, marketing cookies), the legal basis for storing and accessing information on your end device is Section 25 (1) TDDDG. The subsequent processing of personal data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

 

Detailed information on the individual cookies and services we use, their purposes, the categories of data processed, the legal basis, the storage period and the providers can be found in the following sections of this privacy policy, in particular under section 7, as well as in the settings of our cookie consent tool.

 

5.     Data processing when contacting us

If you contact us (e.g. by e-mail via the e-mail address stated in section 1 or in the imprint, by telephone or via a contact form that may be available), the data you provide (your e-mail address, possibly your name and telephone number and the content of your request) will be stored by us in order to answer your questions and process your request.

 

Purposes of data processing: Processing and answering your contact request.

Legal basis: The legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR, provided that your request is related to the initiation or fulfillment of a contract. In all other cases, the legal basis is Art. 6 para. 1 lit. f GDPR (our legitimate interest in processing inquiries and communicating with users and customers).

 

Storage period: We delete the data collected in this context after storage is no longer necessary for processing your request, or restrict processing if there are statutory retention obligations.

 

6.     Data processing for orders and contract processing

When you place an order in our online store, we collect and process your personal data required for the conclusion and processing of the purchase contract. This includes in particular

  • Title, first name, last name
  • Billing and delivery address
  • E-mail address
  • Telephone number (optional, for queries or delivery notification)
  • Order data (products ordered, quantities, prices)
  • Payment information (depending on the selected payment method, for details see section 7 of the respective payment service providers)

 

Purposes of data processing: Initiation, conclusion and execution of the purchase contract, delivery of the ordered goods, invoicing, processing of payments, processing of returns and complaints, customer communication in connection with the order.

 

Legal basis: The legal basis for this processing is Art. 6 para. 1 lit. b GDPR (fulfillment of contract or implementation of pre-contractual measures).

 

Storage period: We store the data collected for the execution of the contract until the expiry of the statutory or possible contractual warranty and guarantee rights. After expiry of these periods, we retain the information required under commercial and tax law for the contractual relationship for the periods specified by law (regularly six to ten years from conclusion of the contract, §§ 147 AO, 257 HGB).

 

7.     Data processing through services and tools used

We use various services and tools in our online store to offer you an optimal shopping experience, to operate and optimize our website and to advertise our products. Below we inform you in detail about these services, the data processed, the purposes and legal bases of the processing and any data transfers to third parties and third countries.

 

We have concluded data processing agreements (DPAs) or data processing addenda (DPAs) in accordance with Art. 28 GDPR with service providers who process personal data on our behalf (processors). These contracts ensure that your data is only processed on our instructions and in accordance with data protection laws. In the case of services where there is joint responsibility with the provider (e.g. Meta Pixel), we have concluded corresponding agreements in accordance with Art. 26 GDPR or accepted the terms and conditions provided by the provider, which regulate the essentials of this agreement.  

The following table gives you an overview of the main services and tools we use:

 

a)     Store platform: Shopify

Provider (name, registered office): Shopify International Ltd, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (main contractual partner for EU);

Parent company: Shopify Inc., 151 O'Connor Street, Ground floor, Ottawa, Ontario K2P 2L8, Canada

Purposes of data processing: Hosting of the online store, order processing, payment processing (via Shopify Payments), provision of store functions, security, performance analysis, possibly marketing by Shopify (e.g. Shopify Audiences, if used and consented to)

Processed data categories: IP address, device data (type, operating system), browser data (type, version), order data (name, address, e-mail, telephone), payment data (masked, for details see Shopify Payments), shopping cart information, surfing behavior in the store (pages visited, length of stay, clicks), cookies set by Shopify (essential, functional, analysis, marketing cookies)

Legal basis: Art. 6 para. 1 lit. b GDPR (fulfillment of contract for store operation and order processing); Art. 6 para. 1 lit. f GDPR (legitimate interest in a secure, functional and high-performance online store); § 25 para. 2 no. 2 TDDDG (for strictly necessary cookies); Art. 6 para. 1 lit. a GDPR in conjunction with. § Section 25 (1) TDDDG (consent for all other, non-essential cookies and tracking technologies from Shopify)

Role of the provider: Shopify International Ltd: Processor

AVV/DPA/Art. 26 agreement available: Shopify Data Processing Addendum (DPA) is part of the contract terms.

Data transfer: Canada (adequacy decision of the EU Commission for Shopify Inc.); USA (various subcontractors of Shopify, e.g. for cloud hosting such as Google Cloud, Amazon Web Services, or CDN services such as Cloudflare; protection through DPF certification of subcontractors and/or standard contractual clauses (SCCs) as part of the Shopify DPA)

Storage period/criteria: Data is stored for as long as is necessary for the fulfillment of the purposes (e.g. contract processing, operation of the store) or as required by legal retention periods. Details in the Shopify DPA.

Link to the provider's DSE: https://www.shopify.com/legal/privacy; https://www.shopify.com/legal/dpa

 

b)    Payment service provider: Shopify Payments (processed via Stripe)

Provider (name, registered office): Shopify International Ltd (as contractual partner for Shopify Payments);

technical payment processing by Stripe Payments Europe, Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

Purposes of data processing: Secure processing of online payments (e.g. credit card, Apple Pay, Google Pay, Klarna Sofortüberweisung, etc., depending on configuration)

Processed data categories: Name, billing/delivery address, e-mail address, telephone number, order data (value of goods, order number), payment data (credit card number masked, expiry date, CVC - these are processed directly by Stripe and not stored), IP address, device information.

Legal basis: Art. 6 para. 1 lit. b GDPR (fulfillment of contract)

Role of the provider: Stripe Payments Europe, Ltd. acts as a processor for Shopify International Ltd. which in turn acts as a processor for the store operator.

AVV/DPA/Art. 26 agreement in place: order processing by Stripe is covered by the Shopify DPA or the terms and conditions of Stripe, which Shopify complies with, apply.

Data transfer: Ireland (EU); USA (Stripe, Inc. as parent company, DPF-certified; data transfers can also take place on the basis of SCCs)

 

Storage period/criteria: Data is stored in accordance with the requirements for payment processing and statutory retention periods. Details in the DSE of Stripe.

Link to the DSE of the provider: https://stripe.com/de/privacy

 

c)     Payment service provider: PayPal

Provider (name, registered office): PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Purposes of data processing: Processing of online payments, fraud prevention, own credit check if necessary, marketing purposes of PayPal if necessary

Processed data categories: PayPal account data (e-mail address, name), transaction data (shopping cart value, order number, amount), delivery address, IP address if applicable, device data, credit check data (if carried out by PayPal)

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment); Art. 6 para. 1 lit. f GDPR (legitimate interest of PayPal in fraud prevention, risk management, credit checks and, if applicable, direct marketing)

Role of the provider: PayPal acts as its own responsible party

GCU/DPA/Art. 26 Agreement in place: No (no DPA required as PayPal acts as an independent controller)

Data transfer: USA (parent company PayPal Inc., DPF-certified; transfers can also take place on the basis of Binding Corporate Rules or SCCs)

Storage period/criteria: Data is stored in accordance with PayPal's terms of use and privacy policy as well as statutory retention periods

Link to the DSE of the provider: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

 

d)    Analysis tool: Google Analytics 4

Provider (name, registered office): Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland

Purposes of data processing: Website analysis for reach measurement, analysis of user behavior to optimize the website and offers, creation of reports, measurement of the effectiveness of marketing measures if necessary, creation of target groups (Google Signals)

Processed data categories: Online identifiers (cookie IDs, user IDs, device IDs), IP address (anonymized in GA4), website interaction data, approximate geolocation, browser and device information, possibly demographic characteristics and interests (for Google Signals, aggregated and anonymized)

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with. § Section 25 (1) TDDDG (for cookies/information on the end device)

Role of the provider: Google Ireland Ltd. as processor for analysis reports. Google is responsible for its own purposes (e.g. improving services, Google Signals).

GCU/DPA/Art. 26 Agreement in place:  Google Ads Data Processing Terms concluded

Data transfer: USA (Google LLC, DPF-certified, supplementary SCCs)

Storage duration/criteria: User and event data in GA4: configurable (default: 2 months, max. 14 months), aggregated reports longer

Link to the provider's DSE: https://policies.google.com/privacy; https://privacy.google.com/businesses/processorterms/

 

e)     Advertising tool: Google Ads Conversion Tracking & Remarketing

Provider (name, registered office): Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland

Purposes of data processing: Measuring the success of Google Ads, displaying targeted advertising, remarketing, creating target groups (e.g. Customer Match)

Processed data categories: Online identifiers (cookie IDs, mobile advertising IDs), IP address, data on interactions with ads and website, information on pages visited and products for remarketing, hashed email addresses/telephone numbers (customer match) where applicable

 

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with. § Section 25 (1) TDDDG

Role of the provider: Google Ireland Ltd. as processor for conversion data, partly responsible for remarketing

GCU/DPA/Art. 26 Agreement in place: Google Ads Data Processing Terms concluded

Data transfer: USA (Google LLC, DPF-certified, additional SCCs where applicable)

Storage duration/criteria: Cookies for Google Ads: usually 30-90 days (conversion), remarketing cookies longer; data in Google Ads according to settings and guidelines

Link to the provider's DSE: https://policies.google.com/privacy; https://privacy.google.com/businesses/processorterms/

 

f)      Advertising tool: Meta Pixel (Facebook & Instagram Ads)

Provider (name, registered office): Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Purposes of data processing: Measurement of the effectiveness of Facebook/Instagram Ads, optimization of ads, creation of user-defined target groups (custom audiences), display of targeted advertising

Processed data categories: HTTP header information (e.g. IP address, browser, referrer URL), pixel-specific data (pixel ID, Facebook cookie data), button click data, optional values (conversion value, page type, product IDs), form field names (if Advanced Matching and consent is available)

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with. § Section 25 (1) TDDDG

Role of the provider: Joint responsibility pursuant to Art. 26 GDPR (Meta and store operator); Meta subsequently processes data as its own controller

AVV/DPA/Art. 26 agreement available: Controller Addendum (Meta Business Tools)

Data transfer: USA (Meta Platforms, Inc., DPF-certified, additional SCCs where applicable)

Storage duration/criteria: Data is stored at Meta in accordance with their data policy, no direct influence on storage duration; cookies with limited lifespan

Link to the DSE of the provider: https://www.facebook.com/privacy/policy/

 

g)    Email marketing: Klaviyo

Provider (name, registered office): Klaviyo, Inc., 125 Summer St, Floor 6, Boston, MA 02110, USA

Purposes of data processing: Sending newsletters and marketing emails, automation of email campaigns, segmentation, analysis of campaign success

Processed data categories: E-mail address, name, order data and history, surfing behavior in the store (if linked), interactions with e-mails (openings, clicks, unsubscribes), IP address, device data, preferences if applicable

Legal basis: Art. 6 para. 1 lit. a GDPR (consent for advertising emails and tracking); Art. 6 para. 1 lit. b GDPR (for transactional emails)

Role of the provider: Klaviyo, Inc. as processor

GCU/DPA/Art. 26 Agreement in place: Data Processing Addendum (DPA) concluded

 

Data transfer: USA (Klaviyo, Inc. DPF-certified; DPA contains SCCs)

Storage period/criteria: Data is stored for as long as the newsletter subscription exists or until consent is withdrawn or for as long as is necessary for contractual/statutory retention obligations. Details in the DPA.

Link to the provider's DSE: https://www.klaviyo.com/legal/privacy-notice; https://www.klaviyo.com/legal/data-processing-addendum

 

h)    Content Delivery Network (CDN) / Security: Cloudflare

Provider (name, registered office): Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (as part of Shopify)

Purposes of data processing: Acceleration of website loading times, protection against DDoS attacks and malicious access, web application firewall, bot management, security and availability of the store

Processed data categories: IP addresses of website visitors, request metadata (HTTP headers), traffic patterns, cookies set by Cloudflare (primarily for security and performance functions)

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in security and availability),

§ Section 25 (2) no. 2 TDDDG (strictly necessary cookies)

Role of the provider: Cloudflare as sub-processor of Shopify; Shopify is the processor

AVV/DPA/Art. 26 Agreement in place: regulated via Shopify DPA

Data transfer: USA (Cloudflare DPF-certified; SCCs between Shopify and Cloudflare where applicable)

Storage duration/criteria: Data is generally only stored for a short time (log data for a few days), longer storage possible for security reasons. Details in the DSE.

Link to the DSE of the provider: https://www.cloudflare.com/de-de/privacypolicy/

 

i)      Shipping service provider: DHL

Provider (name, registered office): DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany

Purposes of data processing: delivery of the ordered goods, shipment tracking, parcel notification by e-mail or SMS if necessary

Processed data categories: Name, delivery address; e-mail address/telephone number if applicable (only with consent)

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment for delivery), Art. 6 para. 1 lit. a GDPR (consent for forwarding e-mail/telephone to DHL for parcel notification)

Role of the provider: DHL Paket GmbH as its own responsible party

AVV/DPA/Art. 26 agreement available: No (no AVV required)

Data transfer: Germany/EU

Storage period/criteria: Data is stored in accordance with DHL data protection and statutory retention obligations

Link to the DSE of the provider: https://www.dhl.de/de/toolbar/footer/datenschutz.html

 

j)      ERP system: Xentral

deleted ex. 9/2/2025

 

k)     ERP system: SAP

Provider (name, registered office): SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

Purposes of data processing: order processing, warehouse management, invoicing, customer management, accounting, merchandise management

Processed data categories: Customer master data (name, address, contact details such as e-mail and telephone), order data (items ordered, quantities, prices, order history), invoice data, delivery data, payment information (e.g. payment status, but not complete credit card data)

Legal basis: Art. 6 para. 1 lit. b GDPR (fulfillment of contract), Art. 6 para. 1 lit. c GDPR (legal obligations)

Role of the provider: When using SAP Cloud Services, SAP acts as a processor

AVV/DPA/Art. 26 agreement in place: a Data Processing Agreement (DPA) has been concluded with SAP for the cloud services used

Data transfer: Germany/EU (primary SAP data centers in the EU), data transfers to sub-processors in third countries (including the USA) are possible; secured by SAP DPA and typically DPF certification and/or standard contractual clauses (SCCs)

Storage period/criteria: Data is stored in accordance with the requirements of the SAP DPA and for the duration required to fulfill contractual obligations and to comply with legal retention periods

Link to the DSE of the provider: https://www.sap.com/germany/about/legal/privacy.html

 

 

8.     Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as the controller:

Under the legal requirements, you have the following data protection rights:

-      Right to information (Art. 15 GDPR): You can request information about the personal data processed by us and further information such as processing purposes and recipients.

-      Right to rectification (Art. 16 GDPR): You have the right to demand the immediate correction of incorrect or incomplete personal data.

-      Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data, in particular if the data is no longer required for the original purposes or if you have withdrawn your consent.

-      Right to restriction of processing (Art. 18 GDPR): Under certain circumstances, e.g. if you dispute the accuracy of the data, you can request the restriction of data processing.

-      Right to data portability (Art. 20 GDPR): You may request that your personal data be provided in a structured, commonly used and machine-readable format or transmitted to another controller.

-      Right to object (Art. 21 GDPR): You can object to the processing of your personal data at any time, in particular if the processing is based on legitimate interest.

-      Right to lodge a complaint with the supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR.

 

You can contact our data protection officer to exercise your rights. The contact details can be found in section "§ 1 - Scope and controller". Alternatively, you can also contact the competent data protection supervisory authority:

 

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate, Hintere Bleiche 34, 55116 Mainz.

 

9.     Data security

We take all state-of-the-art technical and organizational security measures (TOMs) to protect your personal data from loss, unauthorized access or other improper processing.

 

Our employees are obliged to maintain data confidentiality. Our online store uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator.

 

10. International data transfers

As part of the use of some of the services mentioned in section 7, your personal data may be transferred to recipients in countries outside the European Union (EU) or the European Economic Area (EEA), so-called third countries. This applies in particular to service providers based in the USA or those who use servers in the USA.

For such data transfers, we ensure that an appropriate level of data protection is guaranteed.

 

This is done on the following legal bases:

  • Adequacy decisions of the EU Commission (Art. 45 GDPR): For some third countries, such as Canada (headquarters of the parent company of Shopify Inc.), the EU Commission has formally determined that they offer a level of data protection comparable to that of the EU. Data transfers to such countries do not require any further authorization or specific guarantees.  
  • EU-U.S. Data Privacy Framework (DPF): For data transfers to the USA to companies that have self-certified under the EU-U.S. Data Privacy Framework (DPF), there is an adequacy decision by the EU Commission (valid since July 2023). Many of the US service providers we use (e.g. Google LLC, Meta Platforms, Inc., Klaviyo, Inc., Cloudflare, Inc., Stripe, Inc.) are certified under the DPF. We refer to the DPF certification of the respective services.  
  • Standard Contractual Clauses (SCCs, Art. 46 para. 2 lit. c GDPR): For data transfers to third countries for which there is no adequacy decision, or as a supplementary protective measure to the DPF, we or our service providers use the standard contractual clauses approved by the EU Commission. These clauses oblige the data recipients in the third country to comply with a level of data protection that corresponds to that of the EU. Many of our service providers integrate SCCs into their data processing agreements (DPAs).  

 

We provide you with specific information on the legal basis for any third country transfers and the guarantees in section 7 of the respective services. Please note that despite the DPF and SCCs, data transfers to the USA may pose risks to the rights and freedoms of EU citizens due to the legal situation there (e.g. surveillance laws), which cannot be completely ruled out.

 

11. Up-to-dateness and amendment of this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.