PRIVACY POLICY
Data Protection Policy, Version: 17/05/2018
A. General
I. Information about the collection of personal data
1. Name and address of the responsible party
This document was prepared by Philosophy Brands GmbH, In der Aue 4, 69118 Heidelberg, Germany, phone: +49 (6221) 65 66 410, fax: +49 (6221) 65 66 422, email: info@philosophy-brands.de (shortened to “Philosophy Brands” below) – acting as the responsible party in the sense of the General Data Protection Regulation (GDPR), national data protection laws by member states, and other national data protection legislation – to inform you about the collection of your personal data conducted as you browse any of the web pages accessible under www.bilou.de (collectively referred to as the “website” below). The term “personal data” includes any data that can be associated with a data subject, e.g. name, address, email address, user behaviour.
2. General information about data processing
This section provides general information about our data processing. More detailed information about each of the features offered on the website and any technologies relevant to data protection used by these features can be found in Section B.
2.1 Scope of our processing of personal data
We only collect and use personal data to the extent required to ensure that our website remains functional and to provide our content and services. Your personal data are collected and used at regular intervals, but only after you have given your consent. Exceptions only exist when obtaining prior consent is not possible for practical reasons and the relevant data processing steps have been established as legally admissible.
2.2 Legal basis for our processing of personal data
Whenever the consent of a data subject is requested for the processing of personal data, the legal basis for our processing of these data is given by Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR). Whenever the processing of personal data is necessary to fulfil a contract with a data subject, the legal basis for data processing is given by Art. 6(1)(b) GDPR. This also applies to any processing steps towards pre-contract activities. Whenever the processing of personal data is necessary to fulfil a legal obligation imposed upon our company, the legal basis for this processing is given by Art. 6(1)(c) GDPR. If the processing of personal data is necessary for the vital interests of the data subject or another natural person, the legal basis for this processing is given by Art. 6(1)(d) GDPR. If the processing of personal data is necessary to safeguard the legitimate interests of our company or a third party, and provided that the interests, fundamental rights, and freedoms of the data subject do not overrule these interests, the legal basis for this processing is given by Art. 6(1)(f) GDPR.
2.3 Data deletion policy and storage duration
The personal data of data subjects are deleted or blocked as soon as the purposes for which these data were stored expire. Data may be stored for longer if subject to any EU regulations, laws, or other legislation by European or national legislative authorities imposed upon the responsible party. Personal data are also blocked or deleted after the relevant storage periods specified by these regulations expire, unless continued storage of the data is necessary to conclude or fulfil a contract.
2.4 Service providers
Any transactions involving third-party service providers, or instances in which your data may be used for advertising purposes in connection with specific aspects or features of our services, are presented in detail below. Your consent will be requested separately at a suitable moment wherever necessary. The criteria that determine the storage duration are specified in each case.
3. Your rights
3.1 Summary
You have the following rights in connection with your personal data:
- the right to access your information,
- the right to rectification or erasure,
- the right to restrict processing,
- the right to object to processing,
- the right to data portability.
You also have the right to submit a complaint to the data protection authorities regarding our processing of your personal data.
3.2 More details about your rights
Whenever we process your personal data, you are the data subject in the sense of the GDPR, which means that you have the following rights:
3.2.1 Right to information
You may request a statement from us specifying whether we are processing any of your personal data. If we are processing your personal data, you may request the following from us:
(1) the purposes for which the personal data are being processed;
(2) the categories of personal data that are being processed;
(3) the recipients or categories of recipients to whom your personal data have been disclosed or will be disclosed;
(4) the planned storage duration of your personal data; if this information cannot be specified concretely, the criteria which determine the storage duration;
(5) information about your right to rectify or erase your personal data, your right to restrict our processing of your data, and your right to object to processing;
(6) information about your right to appeal to the authorities;
(7) any available information regarding the source of your personal data if you did not provide these data yourself;
(8) information about the use of automated decision-making processes including profiling in accordance with Art. 22(1,4) GDPR and – at least in cases where this provision applies – meaningful insight into the logic involved and the scope and intended impact of this processing from the perspective of the data subject.
You may also request information about whether your personal data were disclosed to any third countries or international organizations, as well as information about any guarantees provided by Art. 46 GDPR in connection with this disclosure.
3.2.2 Right to rectification
You have the right to rectify and/or complete your personal data whenever the data we process are incomplete or inaccurate. We have an obligation to implement this rectification immediately.
3.2.3 Right to restrict processing
You may request restrictions to the processing of your personal data under any of the following conditions:
(1) if you contest the accuracy of your personal data; the restriction then applies for an appropriate period that enables us to verify the accuracy of your personal data;
(2) if the processing is unlawful and you wish to only request restrictions on the use of your personal data instead of exercising your right to have these data deleted;
(3) if we no longer require the personal data for processing, but you still need these data to assert, exercise, or defend your legal rights;
(4) if you submit an objection to the processing in accordance with Art. 21(1) GDPR and it has not yet been established whether our legitimate interests override your own interests.
Once the processing of your personal data has been restricted, we may only process your personal data – excluding the storage of these data – either (i) with your consent; (ii) in order to assert, exercise, or defend legal claims or protect the rights of another natural or legal person; (iii) if there exist important public interests for the EU or a member state. If the processing of your personal data has been restricted as outlined above, we will notify you before the restrictions are lifted.
3.2.4 Right to erasure
3.2.4.1 Obligation of erasure
You have the right to request that we delete your personal data with immediate effect. We have an obligation to comply with this request immediately whenever any of the following circumstances apply:
(1) if your personal data are no longer required for the original purposes for which they were collected or otherwise processed;
(2) if you revoke the consent given as the legal basis for processing in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for continuing to process your data;
(3) if you object to processing in accordance with Art. 21(1) GDPR and there are no other justifiable grounds for continuing to process your personal data that can be established to overrule this objection, or if you object to processing in accordance with Art. 21(2) GDPR;
(4) if your personal data were processed unlawfully;
(5) if the erasure of your personal data is required to fulfil a legal obligation imposed upon the party responsible for your data by legislation from either the EU or the member states;
(6) if your personal data were collected for information society services in accordance with Art. 8(1) GDPR.
3.2.4.2 Notification of third parties
If we disclosed your personal data publicly and are subsequently required to delete the data in accordance with Art. 17(1) GDPR, we will take reasonable measures subject to available technological means and implementation costs, including any relevant technical measures, to inform the parties responsible for processing your personal data that you, in your capacity as the data subject, have requested the deletion of all links to your personal data, as well as any copies or replications of these data.
3.2.4.3 Exceptions
Your right to erasure does not apply if the processing is necessary
(1) to exercise a right to freedom of expression and information;
(2) to fulfil a legal obligation imposed on the party responsible for your data by the EU or member states, to perform tasks in the public interest, or to exercise any official authority delegated to the party responsible for your data;
(3) for reasons of public interest in the context of public health in accordance with Art. 9(2)(h-i) and Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR whenever the right cited in paragraph a) is anticipated to prevent or seriously obstruct the purposes of such processing;
(5) in order to assert, exercise, or defend legal claims.
3.2.5 Right to notification
Whenever you exercise your right to rectify, erase, or restrict our processing of your personal data, we have an obligation to notify any recipients to whom your personal data were disclosed of the rectification, erasure, or restriction, unless this proves impossible or would involve unreasonable effort. You have the right to request information about these recipients from us.
3.2.6 Right to data portability
You have the right to request a copy of any personal data that you previously disclosed to us in a structured, standard, and machine-readable format. You may also transfer these data to any other responsible party to whom the same data were previously disclosed without hindrance from us whenever both
(1) the processing is based on consent given in accordance with Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or a contract established in accordance with Art. 6(1)(b) GDPR;
(2) the processing is performed by automatic systems.
When exercising this right, you may furthermore request that your personal data be transmitted directly by us to another responsible party whenever this is technically possible. This may not infringe upon the freedoms and rights of other persons. The right to data portability does not apply to any processing of personal data necessary to perform tasks in the public interest or to exercise any official authority delegated to the party responsible for your data.
3.2.7 Right to objection
You have the right to object at any time to any processing of your personal data conducted on the legal basis of Art. 6(1)(e-f) GDPR for personal reasons; this also applies to any profiling conducted on the basis of these provisions.
If you object, we will no longer process your personal information, unless either (i) we can establish compelling legitimate reasons for this processing that override your own interests, rights, and freedoms; (ii) the purpose of processing is to assert, exercise, or defend legal claims. If your personal data are processed for purposes associated with direct marketing, you have the right to object at any time; this also applies to any profiling associated with direct marketing activities. If you object to processing for purposes associated with direct marketing, your personal data will no longer be processed in connection with any such purposes. For information society services – independently from Directive 2002/58/EC – you may exercise your right to objection via an automated procedure that implements the relevant technical specifications.
3.2.8 Right to revoke previous given consent regarding data protection
You have the right to revoke consent regarding matters of data protection at any time. Revoking your consent does not retroactively affect the legality of any processing conducted on the basis of this consent before the moment of revocation.
3.2.9 Automated case-by-case decision-making including profiling
You have the right for any decisions with legal or similarly significant effects – including profiling – to be conducted with human involvement and not on the sole basis of automated processing procedures. This does not apply to decisions in any of the following cases:
(1) if they are necessary for the conclusion or fulfilment of a contract between you and us;
(2) if they are permitted by applicable legislation from the EU or member states whenever this legislation contains appropriate measures to safeguard your rights, freedoms, and legitimate interests;
(3) if you have given express consent for the automated processing of these decisions.
However, these decisions may not be based on special categories of personal data in accordance with Art. 9(1) GDPR unless appropriate measures have been taken to safeguard your rights, freedoms, and legitimate interests in accordance with Art. 9(2)(a,g) GDPR. In the cases outlined in (1) and (3), we shall undertake appropriate measures to safeguard your rights, freedoms, and legitimate interests, including implementing your right to request human involvement from us, the right to submit arguments to support your position, and the right to challenge the decision.
3.2.10 Right to submit complaints to the authorities
Without affecting any of your other administrative or judicial rights, you have the right to submit a complaint to the supervisory authorities – in particular the authorities in the member state of your place of residence, your place of work, or the place of the alleged infringement – if you believe that our processing of your personal data is in violation of the GDPR. The authority to which the complaint is submitted will keep the complainant informed of the status and results of the complaint, including any options of judicial remedy in accordance with Art. 78 GDPR.
II. Objection to data processing or revocation of consent
1. Revocability of consent
If you give consent for processing your personal data, you may revoke this consent at any time. Any such revocation only affects the admissibility of processing your personal data after you have communicated it to us.
2. Notice of objection to data processing in the event of a balance of interests
If a balance of interests serves as the legal basis for our processing of your personal data, you may submit an objection to this processing. In particular, this applies whenever the processing is not necessary to fulfil a contract with you, as described below for each of the specific features of our website services. If you wish to submit this type of objection, please give reasons justifying why we should stop processing your personal data. After receiving your objection and arguments, we will examine the situation and either (i) discontinue the data processing; (ii) respond to you with a statement of compelling legitimate reasons for the continuation of data processing.
3. Notice of objection to direct marketing
You may of course object to the processing of your personal data for purposes associated with advertising and data analysis at any time. You can submit any objections relating to advertising via the following contact details: Philosophy Brands International GmbH, In der Aue 4, 69118 Heidelberg, Germany, phone: +49 (6221) 65 66 410, +49 (6221) 65 66 422, email: privacy@philosophy-brands.com
B. Collection of personal data when visiting our website
I. Creation of log files
As you browse our website – even without registering or providing other similar information – our system automatically collects data and information about the devices that request web pages. The following data are collected:
- information about browser type, language, and version
- the operating system and interface of the user
- the internet service provider of the user
- the IP address of the user
- the date and time of requests
- content of the requests (which specific web pages were requested)
- the websites that referred the user’s system to our website
- websites that are accessed by the user’s system via our website
- the amount of data transmitted for each request
- time zone differences relative to Greenwich Mean Time (GMT)
- access status and HTTP status codes
The log files contain IP addresses and other data that may be associable with specific users. For example, the referring link used to access our website or any links followed by the user from our website may contain personal data.
These data are stored in our system log files. They are never stored together with any other personal data associated with the user.
1. Legal basis for data processing
The legal basis for the temporary storage of these data and log files is given by Art. 6(1)(f) GDPR.
2. Purpose of data processing
The system needs to temporarily store IP addresses in order to deliver the website to the user’s device. This requires the user’s IP address to be stored for the duration of their session.
The purpose of storing these data in log files is to ensure the proper functionality of the website. The data are also used to optimize our website and secure our IT systems. These data are never analysed for marketing purposes.
We therefore have a legitimate interest in processing these data in accordance with Art. 6(1)(f) GDPR.
3. Duration of storage
The data are deleted as soon as they are no longer necessary for the purpose for which they were originally stored. For the data collected in order to deliver the website, this occurs at the end of each user session.
For the data stored in the log files, this occurs after seven days at the latest. In some cases, the data may be stored for longer. If so, the user IP addresses are deleted or anonymized so that they can no longer be associated with the clients that requested each web page.
4. Objection and erasure
The data collected in order to deliver the website and the data stored in the log files are essential for the proper operation of the website. As a result, it is not possible to object to this data collection.
II. Use of cookies
1. Functionality and scope
In addition to the data mentioned above, cookies are stored on your device while you browse our website. Cookies are small text files saved on your hard drive and associated with your browser. They are created by websites or similar services (in this case, us) to manage certain types of information. Our cookies contain a characteristic string that uniquely identifies your browser when you return to our website. Cookies are not capable of running programs or transmitting viruses to your device.
We use cookies in order to make our website more user-friendly. Some parts of our website need to be able to identify the browser that requested them after loading a new page. The cookies store and transmit the following information:
- language settings
- items in your shopping cart
- login information (email, name, etc.)
- cookie expiration date
Our website also uses other cookies to analyse user browsing behaviour. This allows us to track the following information:
- search terms submitted
- page view frequencies
- usage of website features
- server name
The user data collected in this way are stored pseudonymously with technical precautions. This prevents the data from being associated with specific users. These data are never stored together with the personal data of users. Any users who access our website are notified about our use of cookies for analytic purposes by a banner that includes a reference to this privacy policy. Users are also informed that they can prevent cookies from being stored by changing their browser settings.
Any users who access our website are notified about our use of cookies for analytic purposes and their consent is requested for processing the relevant personal data. The notification includes a reference to this privacy policy.
2. Legal basis for data processing
The legal basis for the processing of personal data via cookies is given by Art. 6(1)(f) GDPR.
3. Purpose of data processing
The purpose of the technically necessary cookies is to make the website more user-friendly. Some of the features of our website cannot be provided without cookies. These features need to be able to identify the user’s browser after loading a new page. The following applications on our website require cookies:
- shopping cart
- persistence of language settings
- search term history
- login information
The user data collected by the technically necessary cookies are not used to establish user profiles.
The purpose of the analytic cookies is to improve the quality of our website and its content. The analytic cookies provide us with information about how the website is used, which allows us to continuously optimize the content and services provided.
We therefore have a legitimate interest in processing these personal data in accordance with Art. 6(1)(f) GDPR.
4. Duration of storage, objection and erasure
4.1 General
Cookies are stored on the user’s device, which forwards them to our web page. Accordingly, users have full control over the usage of cookies. By changing your internet browser settings, you can disable or restrict the transmission of cookies. Any previously stored cookies can be deleted at any time. This can also be configured to occur automatically. If you choose to deactivate cookies for our website, some of the features of the website may not function as intended.
4.2 Flash cookies
Flash cookies are not managed directly by your browser but instead by your Flash plugin. The transmission of Flash cookies cannot be prevented by changing your browser settings and must be configured in the Flash player settings. We also use HTML5 storage objects, which are stored on your device. These objects store data independently from your browser and do not have an automatic expiration date. If you wish to prevent the processing of Flash cookies, you need to install an add-on, e.g. “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/), or the Adobe Flash Cookie Killer for Google Chrome. You can prevent the storage of HTML5 objects by using your browser’s private navigation mode. We also recommend regularly deleting your cookies and browser history manually.
III. Other features and services on our website
Other than the regular browsing content hosted on our website, we offer various optional services. To take advantages of these services, you typically need to provide additional personal data. We require these data in order to provide the relevant services. The general principles of data processing outlined above apply.
1. Data processing by third-party contractors
In some cases, we use third-party service providers in order to process your data. These service providers are carefully selected and have contractual relationships with us; they have an obligation to follow our instructions and are regularly inspected.
2. Disclosure to third parties
We may also disclosure your personal data to third parties whenever campaign participations, competitions, contracts, or similar services are offered collaboratively with our partners. More detailed information about these disclosures are provided in the description of each specific service either when you enter your personal data or in the paragraphs below.
3. Data transfer to outside the EEA
If any of our service providers or partners are based in a country from outside the European Economic Area (EEA), you will be informed about any relevant ramifications in the description of each specific service.
IV. Use of email contact information
1. Functionality and scope of data processing
Our website lists an email address that you can use to contact us. If you contact us by email, any personal data transmitted with the email will be stored. These data will not be disclosed to any third parties. They are exclusively used to respond to and process the subject matter of the email.
2. Legal basis for data processing
The legal basis for processing data with the consent of the user is given by Art. 6(1)(a) GDPR. The legal basis for processing the data associated with emails is given by Art. 6(1)(f) GDPR. If the purpose of the email is to conclude a contract, then Art. 6(1)(b) GDPR serves as an additional legal basis for data processing.
3. Purpose of data processing
In the event of contact by email, this contact itself represents our legitimate interest for processing the data.
4. Duration of storage
The data are deleted as soon as they are no longer necessary for the purpose for which they were originally stored. For any personal data transmitted by email, this occurs when the conversation with the user has been concluded. The conversation is considered concluded once the specific circumstances of the conversation imply that any relevant matters have been definitively resolved.
5. Objection and erasure
Users may revoke their consent for the processing of personal data at any time. If the user initiates email contact with us, he/she may object to the storage of his/her personal data at any time. In this case, the conversation must be terminated and cannot be continued.
You can inform us of any objections via the following contact details: Philosophy Brands International GmbH, In der Aue 4, 69118 Heidelberg, Germany, phone: +49 (6221) 65 66 410, fax: +49 (6221) 65 66 422, email: info@philosophy-brands.com
Any personal data stored over the course of this contact will then be deleted.
V. Web Analytics
1. Use of ajax.googleapis.com / jQuery
Our website uses the JavaScript library jQuery. To improve the loading speed of our website and hence improve your user experience, we take advantage of the Content Delivery Network (DCN) offered by Google to load this library. It is extremely likely that you have already downloaded jQuery from the Google CDN via another website. If so, your browser can use its cached copy and does not need to re-download the library. If your browser does not have a cached copy of the library or needs to re-download it from the Google CDN for any other reason, then your browser will transfer some data to Google. For exceptional cases where personal information needs to be transferred to the US, Google has enrolled in the EU-US Privacy Shield framework – https://www.privacyshield.gov/EU-US-Framework. The legal basis for our use of Google Analytics is given by Art. 6(1) sent. 1(f) GDPR. Third-party service provider details: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of use:
http://www.google.com/analytics/terms/de.html, privacy policy overview:
http://www.google.com/intl/de/analytics/learn/privacy.html, full privacy policy:
http://www.google.de/intl/de/policies/privacy.
VI. Social media
1. Integration of YouTube videos
Our online content features integrated YouTube videos, which are stored at http://www.YouTube.com/ and can be played directly from our website. [The videos are in “extended privacy mode”, which means that none of your user data are transmitted to YouTube if you do not play the video. Only if you choose to play the videos will any of the data outlined in Paragraph 2 be forwarded. We do not have any control over this data transfer.] When you visit our website, YouTube is informed that you have accessed the relevant web page of our website. The data outlined in Section B. I. of this privacy policy are also forwarded to YouTube. This occurs regardless of whether you own a YouTube account and regardless of whether you are logged in to YouTube. If you are logged in to Google, your data will be associated directly with your Google account. If you do not wish for these data to be associated with your YouTube profile, you must log out of your Google account before pressing the play button. YouTube stores your data as part of a user profile and uses these data for purposes of advertising, market research, and/or custom website generation. In particular, analysis is performed to generate custom advertising and to inform other social network users about your activities on our website (even for users who are not logged in). You have the right to object to these user profiles being established, but you must direct any objections directly to YouTube to exercise this right. You can find more information about the purpose and scope of the collection and processing of your personal data by YouTube in their privacy policy, which also details your rights and privacy settings:
https://www.google.de/intl/de/policies/privacy. Google may process your personal data from locations based in the US and has accordingly enrolled in the EU-US Privacy Shield framework,
https://www.privacyshield.gov/EU-US-Framework.
2. Integration of Vimeo videos (with Google Analytics)
Our website uses services offered by the video portal Vimeo, operated by Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA. Interacting with the Vimeo plugin (e.g. by clicking the play button) establishes a direct connection between your browser and a Vimeo server based in the USA. Information about your visit and your IP address is stored on this server. If you have a Vimeo user account but wish to prevent Vimeo from collecting your data and associating it with your Vimeo profile when you use our website, you need to log out of Vimeo before visiting our website. The “iFrame” containing the video is also used by Vimeo to load the Google Analytics web analysis service. This tracking system is fully operated by Vimeo and we do not have any control over it. You can prevent tracking by Google Analytics (see Section XI. 1. above) by installing the deactivation tools offered by Google for specific internet browsers. You can also prevent Google from collecting, processing, and associating the data generated by Google Analytics (including your IP address) with your use of this website by downloading and installing the browser plugin available from the following link: https://tools.google.com/dlpage/gaoptout?hl=de. For more information about how Vimeo collects and uses your private data, or to view Vimeo’s privacy policy, please visit: https://vimeo.com/privacy.