The data processing is also carried out on the basis of the legal provisions of Section 147 AO (Tax Code) (storage due to tax documentation obligations), Art. 6 para. 1 lit. a (consent) and/or lit. b (necessary to fulfil the contract) of the GDPR.
In addition, we will only disclose this data to third parties with your express consent. We use SSL encryption to ensure a high level of security for particularly confidential data, such as for payment transactions or with regard to your enquiries to us.
The server on which our website is hosted is located in a data centre in the European Union and is operated by a German company. We have concluded an order data processing contract with the hosting provider that meets the requirements of Art. 28 et seq. GDPR and Art. 29 GDPR.
We would like to point out the general dangers of Internet use, over which we have no influence. In particular, any data sent by email is not secure unless further precautions are implemented, and it can, in some instances, be acquired by third parties. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.
You can obtain information about the personal data we have stored about you, as well as about the origin, the recipient and the purpose of data collection and data processing, at any time. You also have the right to request the correction, blocking or deletion of your data. This does not include data that must be kept due to legal provisions or is required for the orderly settlement of business transactions.
In the following, we will inform you about the most important aspects of data processing on our website.
3.1 Principles of data processing
Art. 5 para. 1 GDPR lists the principles that apply to all data processing:
- Lawfulness of the processing (cf. Art. 6 GDPR): Data may only be processed if a statutory provision or valid consent exists.
- Processing in good faith
- Transparency (cf. Art. 12 et seq. GDPR): Data subjects should also be able to exercise their basic right. To do this, they particularly require information about the stored data.
- Earmarking: The purposes of the data processing must always be defined when the data is collected.
- Data minimization: In particular, data must be limited to what is necessary for the purposes of processing.
- Correctness of the data processing (see Art. 16, 17 GDPR)
- Storage limitation (see Art. 17 GDPR, “Right to be forgotten”)
- Integrity and confidentiality (see Art. 32 GDPR): Data security
3.2 Collection/storage of general information
When you access our website, information of a general nature is automatically recorded. This information contains e.g. your IP address, the type of browser, the operating system used, the name of your Internet service provider and similar information. It is exclusively information that cannot be connected to you as an individual. This information is produced automatically during Internet use and is required for technical reasons so that the requested web content can be correctly displayed.
3.3 Scope of the processing of personal data
Following the principles of data avoidance and data economy, we collect personal data only to the extent that and as long as it is necessary for the use of our website or is required by law. We collect and utilize your personal data only insofar as this is necessary to provide an operating site, our content, and our services.
Our website can be used without disclosing personal data.
When we collect personal data—such as your name, address or email address—this data collection is voluntary. We regularly collect and use your personal data, but only with your consent. An exception applies in cases where circumstances prevent us from obtaining prior consent and the processing of the data is permitted by law.
3.4 Legal basis for processing personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for its processing.
When processing personal data that is necessary to fulfil an agreement to which the data subject is a party, Art. 6 para. 1 lit. b GDPR is the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR is the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights, and freedoms of the person concerned do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR is the legal basis for the processing. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not take priority. We are allowed to carry out such processing procedures because they have been specifically mentioned by the European legislator. In this respect, a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, clause 2, GDPR).
3.4.1 Types of data processed
- Inventory data (e.g. names, addresses).
- Contact data (e.g., email address, phone numbers).
- Content data (e.g. text input, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g. device information, IP addresses).
3.4.2 Business-related data processing
We also process
- Contract data (e.g. subject matter of the contract, term, customer category).
- Payment data (e.g., bank details, payment history)
from our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
3.4.3 Purpose of data processing
Some of the data is collected to ensure that the website is error-free and secure. Other data can be used to analyse how visitors use the site. We process your information for:
- Provision of the website, its functions and contents
- Response to contact requests and communication with users
- Security measures
- Range measurement/marketing.
3.5 Legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may also result from contractual regulations (e.g., information on the contractual partner). In order for a contract to be concluded, it may sometimes be necessary for the data subject to provide us with personal data that we will then have to process. For example, the data subject is obligated to provide us with personal data when our company concludes a contract with them. Failure to provide personal data would mean the contract with the data subject could not be concluded. Before the data subject provides personal data, the data subject must contact our data protection team. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or is required for the conclusion of the contract, whether an obligation exists to provide the personal data, and about the consequences of failing to provide the personal data.
3.6 Data erasure and storage duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data may be stored if this has been provided for by the European or national legislators in EU regulations, laws, or other provisions to which the data controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned regulations has elapsed unless further storage of the data is necessary for the conclusion or fulfilment of a contract.
3.7 Transmission to government authorities
We transmit personal data to state authorities (including law enforcement authorities) if this is necessary to fulfil a legal obligation to which we are subject. The legal basis is Art. 6 para. 1 lit. c GDPR or, if it is necessary to assert, exercise or defend legal claims, Art. 6 para. 1 lit. f GDPR.
3.8 Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or data disclosure or transfer to third parties, this will only take place to fulfil our (pre)contractual obligations, based on your consent, based on a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the particular requirements of Article 44 et seq. GDPR are met. This means data will be processed on the basis of, for example, special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the EU (for example, through “Privacy Shield” for the USA) or compliance with officially recognised special contractual obligations (standard contractual clauses).
3.9 Handling of contact details
If you contact the website operator using the contact options offered (email or contact form), your details will be saved so that they can only be used to process and answer your specific request. All details will be treated confidentially. This data will not be passed on to third parties without your consent.
The legal basis for such processing is Art. 6 para. 1 lit. b GDPR.
Your data will be deleted once we have fully answered your inquiry and there is no further legal obligation to store your data, such as if an order or contract resulted therefrom.
3.10 Handling of customer data
As soon as you have ordered/bought a product/service from WELLFLEX GMBH, we save your data for order processing in accordance with the legal requirements of the GDPR, the BDSG-neu, the HGB (German Commercial Code) and the AO (Tax Act). In this case, we also use your data within the framework of the statutory provisions, in order to send you advertisements for other products/services. Of course, you can object to such advertising use of your customer data at any time by phone, email or letter.
3.11 Hosting and email dispatch
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services that we use for the purpose of operating this online offering.
In this regard, either we or our hosting provider process the inventory data, contact data, content data, contract data, usage data, as well as the meta and communication data of customers, interested parties and visitors of this online offering based on our legitimate interests in the efficient and secure provision of this website, in accordance with Art. 6 para. 1 lit. f GDPR and Article 28 GDPR (conclusion of order processing agreement).
WELLFLEX GMBH advises all parents and guardians to instruct their children in the safe and responsible handling of personal data on the Internet. Without the consent of their parents or guardian, children should not send any personal data to WELLFLEX GMBH. WELLFLEX GMBH assures that it will not knowingly collect personal data from children, use it in any way or disclose it to third parties without authorization.
3.13 SSL or TLS encryption
For security reasons, our website uses SSL or TLS encryption when it comes to the transmission of confidential or personal content from our users, such as orders or inquiries. This encryption is activated, for example, when processing payment transactions and for inquiries that you send to us via our website. Please make sure that SSL encryption is enabled on your device when engaged in relevant activities. It is easy to tell whether encryption is enabled: the display on your browser line will change from “http://” to “https://”. Data encrypted via SSL or TLS cannot be read by third parties. Only transmit your confidential information if SSL or TLS encryption is activated; if in doubt, please contact us.
3.14 Provision of chargeable services
If you wish to use the paid services offered on our website, we may need to collect additional data from you for billing purposes and for security reasons. This generally includes your name, a valid email address and, if applicable, your address and telephone number as well as further information, depending on the individual case, such as payment details. It may also include content that allows us to verify the information provided, such as to check that you own the email address provided. For legal reasons, we must ensure that you actually wish to receive the services offered and that we can properly invoice you for the service. We secure your data during payment transactions using the SSL encryption standard, identifiable in the browser line “https://”.
3.15 Contract processing
The data you submit when ordering goods and/or services from us will have to be processed in order to fulfil your order. Please note that orders cannot be processed without providing this data.
The legal basis for processing is your consent under Art. 6 para. 1 lit. b GDPR.
After your order has been completed, your personal data will be deleted, but only after the retention periods required by tax and commercial law.
In order to process your order, we will share your data with the shipping company responsible for delivery to the extent required to deliver your order and/or with the payment service provider to the extent required to process your payment. The legal basis for the transfer of such data is Art. 6 para. 1 lit. b GDPR.
3.15.1 Contractual services
We process the data of our contractual partners and interested parties as well as other clients, customers or contractual partners in accordance with Art. 6 para. 1 lit. b GDPR to provide our contractual or pre-contractual services to them. The data processed here, the type, scope and purpose and the necessity of its processing, is determined by the underlying contractual relationship.
The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
We do not process special categories of personal data unless they are part of commissioned or contractual processing.
We process data that is necessary to justify and fulfil the contractual services and point out the necessity of its disclosure unless this is evident for the contractual partners. It is only disclosed to external persons or companies if it is required within the framework of a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the client as well as with the legal requirements.
When our online services are used, we may store the IP address and the time of the user action in question. The data is stored on the basis of our legitimate interests as well as the user’s interests regarding protection against misuse and other unauthorised use. In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims according to Art. 6 para. 1 lit. f GDPR or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR.
The data will be deleted if the data is no longer required for the fulfilment of contractual or statutory duties of care or for the handling of any warranty or comparable obligations, whereby the necessity of storing the data is checked every three years; in all other respects, the statutory storage obligations apply.
3.16 Checking creditworthiness and scoring
Insofar as we give you the basic option of paying by invoice as part of our range of goods or services and you make use thereof, we reserve the right to run a credit check with a credit agency (such as Creditreform, Schufa, Bürgel or infoscore) on the basis of mathematical-statistical procedures. For this purpose, your data, insofar as it is relevant to the contract, such as your name and address, will be forwarded to the credit agency. We then use the information obtained about the statistical probability of default to decide whether we will offer you payment on account.
The legal basis for such processing is our legitimate interest to avoid default on our claim according to Art. 6 para. 1 lit. f GDPR.
3.17 Objection to advertising emails
As part of the legal imprint obligation, we must publish our contact details. These may not be used by third parties to send unwanted advertising or other information. We hereby object to the sending of advertising material of any kind not expressly authorized by us. We also expressly reserve the right to take legal action against the unwanted and unsolicited sending of advertising material. This applies in particular to so-called spam emails, spam letters, and spam faxes. We would like to point out that the unauthorized transmission of advertising material may be in breach of competition law, civil law, and criminal law. Spam emails and spam faxes, in particular, can lead to high claims for damages if they disrupt business operations due to overcrowding of inboxes or fax machines.
3.18 Collection of access data and log files
We, or our hosting provider, on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR collect data regarding each access to the server on which this service is located (known as server log files). Access data includes the name of the requested website, file, date and time of access, amount of data transferred, report whether the site was successfully accessed, browser type and version, the user’s operating system, the referrer URL (the site visited before coming to our site), the user’s IP address, and the requesting Internet service provider.
Logfile information is stored for a maximum of seven days for security reasons (e.g., to investigate misuse or fraud) and then deleted. Data which must be retained as potential evidence is not deleted until the relevant incident has been ultimately clarified.
3.19 Server data
For technical reasons, the data sent by your Internet browser to us or to our server provider will be collected, especially to ensure a secure and stable website. These server log files record the type and version of your browser, operating system, the website from which you came (referrer URL), the webpages on our site visited, the date and time of your visit, as well as the IP address from which you visited our site. The data thus collected will be temporarily stored, but not in association with any other of your data.
The basis for this storage is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the improvement, stability, functionality, and security of our website.
The data will be deleted within no more than seven days unless continued storage is required for evidentiary purposes. In that case, all or part of the data will be excluded from deletion until the investigation of the relevant incident is finally resolved.
3.20 Google content delivery network (ajax.googleapis.com)
3.21 Administration, financial accounting, office organization, contact management
We process data in the context of administrative tasks as well as the organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The bases of processing are Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. Customers, prospective customers, business partners and website visitors are affected by the processing. The purpose of and our interest in the processing lies in administration, financial accounting, office organisation, archiving of data, namely, tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the tasks specified in these processing activities.
In this regard, we disclose or transmit data to tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.
Furthermore, we store information regarding suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of making contact at a later date. In principle, we store this data, which is mainly company-related, permanently.
3.22 Business analyses and market research
In order to operate our business economically and to be able to recognise market tendencies and the wishes of the contracting parties and users, we analyse the data available to us of business processes, contracts, enquiries, etc. We process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.
The analyses are carried out for the purpose of business evaluations, marketing and market research. We can include the profiles of registered users with information, e.g. on the services they have used. The analyses help us to improve user-friendliness, the optimisation of our offer and our competitiveness. The analyses serve us alone and are not disclosed externally unless they are anonymous analyses with summarized values.
If these analyses or profiles are personal, they will be deleted or made anonymous upon user termination, otherwise after two years from the conclusion of the contract. Macroeconomic analyses and general trend determinations are also prepared anonymously wherever possible.
3.23 Links to other websites
Therefore, please make your own enquiries about the privacy policies which apply to the web pages of the other operators.
3.24 Disclosure of personal data
We will not pass on personal data without your express consent unless legal permission exists, e.g. if we are legally obligated to surrender data (information to law enforcement authorities and courts; information to public bodies that receive data due to legal regulations, e.g. social security agencies, tax authorities, etc.) or if we involve third parties who are obliged to maintain professional secrecy to enforce our claims.
3.25 Data security
We secure our website and other systems using technical and organisational measures against loss, destruction, access, modification or processing of your data by unauthorised persons. However, despite regular checks, complete protection against all risks is not possible.
The website employs the industry-standard SSL (Secure Sockets Layer) encryption. Your personal information on the Internet is thereby safeguarded.