PRIVACY POLICY

INTRODUCTION AND TERMS

1. INTRODUCTORY REMARKS
With the operation of our website http://www.andunion.com/de/ and http://www.andunion.com/en/ (hereinafter referred to as “website”) we process personal data. These will be treated confidentially by us and processed in accordance with the applicable laws – in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). With our data protection regulations we want to inform you which personal data we collect from you, for which purposes and on which legal basis we use it and, if applicable, to whom we disclose it. In addition, we will explain to you which rights you have to protect and enforce your data protection.
2. TERMS
Our data protection regulations contain technical terms which are used in the GDPR and the BDSG. For your better understanding we would like to explain these terms in simple words in advance:
2.1 Personal data
“Personal data” means any information relating to an identified or identifiable person (Art. 4 No. 1 GDPR). Information of an identified person can be e.g. the name or the e-mail address. However, personal data also includes data in which the identity is not immediately apparent but can be determined by combining one’s own or third-party information and thus finding out who it is. A person becomes identifiable, for example, by providing his/her address or bank details, date of birth or user name, IP addresses and/or location data. Relevant here is all information that in any way allows conclusions to be drawn about a person.
2.2 Processing
Art. 4 No. 2 GDPR defines “processing” as any process in connection with personal data. This concerns in particular the collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or any other form of supply, comparison or association, limitation, erasure or destruction of personal data.
CONTROLLER AND DATA PROTECTION OFFICER
3. CONTROLLER
Responsible for data processing:

Company: AND UNION GmbH (“we”)
Legal representative: Henning Madea (Managing Director)
Address: Lindwurmstraße 114, 80337 München
Phone: +49 (0) 895 307 05 – 0
E-mail: info@andunion.com

SCOPE OF PROCESSING
4. PROCESSING: WEB PAGE
Within the scope of the website with the URL http://www.andunion.com/de/ and http://www.andunion.com/en/, we process the personal data of you listed in detail below under items 5-11. We only process data from you which you actively enter on our website (e.g. by filling out forms) or which you automatically make available when using our services.
Your data will only be processed by us and will not be sold, lent or passed on to third parties. If we use the help of external service providers to process your personal data, we use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. We are authorised to give instructions to our Processors. For the operation of our website we use Processors for hosting as well as for maintenance, care and further development. Should further Processors be used for individual processing operations, they will be named there.

Data transfer to third countries does not take place and is not planned. We will inform you about exceptions to this principle in the processing operations described below.

THE PROCESSING IN DETAIL
5. PROVISION OF THE WEBSITE AND SERVER LOGFILES
5.1 Description of processing
Each time you visit our website, we automatically collect information that your browser sends to our server (so-called Logfiles). This is the following data:

• Your IP address
• the browser software used by you, as well as its version and language
• the operating system you are using
• the website from which you came to our website (so-called referrer)
• the subpages you have called up on our website
• the date and time of your visit to our website
• Your Internet Service Provider
• Transferred amount of data
• Country and place from which you visited our website
• Your length of stay on our website

These are also stored in the so-called Logfiles of our system. The temporary storage of your IP address by the system is necessary in order to be able to deliver our website to a user’s terminal device. For this purpose, the IP address of the user must remain stored for the duration of the session. However, your IP address is not recorded in our Logfiles.
5.2 purpose
The processing is carried out in order to enable access to the website and to guarantee its stability and security. In addition, the processing serves the statistical evaluation and improvement of our online offer.
5.3 legal basis
Processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in clause 5.2
5.4 storage period
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the respective session is terminated. The log files will be deleted after 7 days.

6. CONTACT US BY E-MAIL
6.1 Description of processing
You can contact us via the e-mail addresses provided on the website. In this case, the personal data transmitted by e-mail will be processed by us.
6.2 purpose
The data transmitted with your e-mail will be used exclusively for the purpose of processing and answering your request.
6.3 legal basis
Processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in Section 6.2If the e-mail contact is aimed at concluding or fulfilling a contract, data processing is carried out to fulfil the contract (Art. 6 para. 1 lit. b GDPR).
6.4 storage period
The data is deleted by us as soon as it is no longer required for the purpose of its collection. This is usually the case when the respective communication with you is finished. Communication is terminated when it can be inferred from the circumstances that your request has been conclusively clarified. If statutory retention periods prevent deletion, deletion shall take place immediately after expiry of the statutory retention period.
7. COOKIES
7.1 Description of processing
Our website uses cookies. Cookies are small text files that are stored on the user’s terminal device when a website is visited. Cookies contain information that enables the recognition of a terminal device and, if necessary, certain functions of a website. In most cases, we only use so-called “session cookies”. These are automatically deleted when you end your Internet session and close your browser. Other cookies remain stored on your terminal for a longer period of time and enable partner companies to recognize your browser or computer (persistent cookies). Depending on the cookie, persistent cookies are automatically deleted depending on the specified storage period.
7.2 purpose
We use cookies to make our website more user-friendly and to provide the features described in Section 7.1. We work with advertising partners who help us to make our website as interesting as possible for you. For this purpose, cookies from third parties, our partner companies, may also be stored on your hard drive on our website. If we allow third parties to use such cookies, we will inform you in the following sections about the information collected in this way.
7.3 legal basis
Processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Clause 7.2.
7.4 storage period
Cookies are automatically deleted at the end of a session or at the end of the specified storage period. Since cookies are stored on your terminal device, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser.

In the following we have compiled the links for you that will lead you to instructions on how to change the settings in the common browsers. Further information can be found in the support menu of your browser:

Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&hlrm=en&answer=95647
Safari: https://support.apple.com/kb/ph21411?locale=en_DE
Opera: http://help.opera.com/Windows/10.20/de/cookies.html

Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, individual functions of our website cannot be used or can only be used to a limited extent.
8. SOCIAL NETWORKS
8.1 Description of processing
Certain subpages of our website contain so-called social plugins, which are offered by the external social networks Twitter and Instagram. When you access a page that contains such a plugin, your browser establishes a direct connection with the servers of the social network. The content of the respective social plugin is transmitted directly from the social network to your browser and displayed on our website. To prevent this, we use the so-called two-click solution. We have integrated the social plugins on our website in such a way that the connection of the social plugins to the servers of the social networks is interrupted by default. If you want to communicate on our website directly with a social network via the social plugin and enable data exchange, you have to click on the desired social plugin and activate it.
After activating a social plugin, we no longer have any influence on the amount of data collected by the respective social network. We will therefore inform you according to our state of knowledge.
By activating a social plugin, your IP address in connection with the address of our website will be transmitted to the respective social network. If you are logged in to the Social Network when you visit our website, this information is assigned to your user account there. If you interact with an activated Social Plugin, e.g. “share”, “liken” or “retweeten” a contribution by means of the Social Plugin, this information is also transmitted directly to the respective Social Network and stored there in your user account.

However, our profiles within the social networks represent data processing. If you are logged into the respective social network when visiting such a profile, this information will be assigned to your user account there. If you interact with our profile, e.g. “share”, “liken” or “retweet” a post, this information is also stored in your user account. The “Insights” of our Facebook page allow us to obtain statistical data. These statistics are provided by Facebook. The “Insights” function cannot be deactivated. We cannot decide to turn this feature on or off. It is available to all Facebook fan page operators, regardless of whether you use the Insights function of Facebook or not. We are provided with data for a selectable period and for the following groups of affected persons: Fans, subscribers, reached and interacting people. These are the following categories of personal data: Total number of page views, “like me” information including origin, page activity, contribution interactions, reach, contribution reach (divided into organic, viral and paid interactions), comments, shared content, responses, and demographics, i.e., country of origin, gender and age. Due to the Facebook Terms of Use – which every user must agree to in order to use Facebook – we are able to identify subscribers and fans of our site and view their profiles.
The social networks with which you communicate store your data using pseudonyms as user profiles and use them for advertising purposes and market research. For example, you may see advertisements within the social network and on other third party websites that match your alleged interests. For this purpose, cookies are usually used, which the social network stores on your terminal device. Further information on cookies can be found in section 7. You have the right to object to the creation of these user profiles, for the exercise of which you must contact the social networks directly.
8.2 purpose
We maintain profiles with the aforementioned social networks for the purpose of contemporary and supportive public relations and corporate communication with customers and interested parties.
We use the “Facebook Insights” function to make our contributions on our Facebook fan page more attractive to our visitors. This enables us, for example, to use visitors’ favourite visiting times for optimised scheduling of our contributions.
8.3 legal basis
The legal basis for data processing within the framework of our profiles on social networks is the protection of our overriding legitimate interests (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in clause 8.2. If you are asked by the respective operator of a social network for consent, the legal basis is Art. 6 Para. 1 lit. a GDPR. Data processing with regard to our Facebook fan page is also based on an agreement on joint responsibility pursuant to Art. 26 GDPR between us and Facebook, which you can view here: https://www.facebook.com/legal/terms/page_controller_addendum.
8.4 Recipients and transfers to third countries
The respective social networks are operated by the companies listed below. Further information on data protection with regard to our profile on social networks can be found in the linked data protection provisions.

• Facebook: Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA. Datenschutzbestimmungen: http://www.facebook.com/policy.php; http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications sowie http://www.facebook.com/about/privacy/your-info#everyoneinfo.

• Twitter, Twitter Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; Privacy Policy: https://twitter.com/privacy.

• Instagram: Instagram LLC, 1601 Willow Rd, Menlo Park, California 94025, USA; Privacy Policy: https://help.instagram.com/155833707900388/.

The social networks also process your personal data in the USA and have submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at https://www.privacyshield.gov/EU-US-Framework.

9. GOOGLE ANALYTICS
9.1 Description of processing
Our website uses “Google Analytics”, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). Google Analytics uses cookies (see paragraph 7), which allow an analysis of your use of our offer. We use Google Analytics in the offered version “Universal Analytics”, which allows this analysis across devices by assigning the data to a pseudonymous user ID. The information generated by the cookie is usually transferred to a Google server in the USA and stored there. However, we only use Google Analytics with IP anonymization. As a result, your IP address will be previously shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google. The statistics compiled by Google Analytics record in particular how many users visit our website, from which country or location the access takes place, which subpages are accessed and via which links or search terms visitors reach our website. The Google Analytics Terms of Use can be found at http://www.google.com/analytics/terms/de.html. An overview of data protection at Google Analytics can be found at http://www.google.com/intl/de/analytics/learn/privacy.html . Google’s privacy policy can be viewed at http://www.google.de/intl/de/policies/privacy .
9.2 purpose
The processing takes place in order to evaluate the use of our website. The information obtained in this way serves to improve and design our online presence in line with requirements.
9.3 legal basis
Processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Clause 9.2
9.4 Storage period and right of objection
We have explained the storage period as well as your control and setting options for cookies in section 7. You can object to the data processing by Google Analytics at any time by downloading and installing the browser add-on offered by Google under https://tools.google.com/dlpage/gaoptout?hl=en. Alternatively you have the possibility to click on the following link. This will set an opt-out cookie on your device that will prevent your information from being collected on future visits to this website: Disable Google Analytics (LINK: “javascript:gaOptout()”). The analysis data processed and stored with Google Analytics are automatically deleted by us after 14 months.
9.5 Recipients and transfers to third countries
Google Analytics works for us as a service provider within the scope of order processing. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at https://www.privacyshield.gov/EU-US-Framework.
10. FACEBOOK CUSTOM AUDIENCE
10.1 Description of processing
Our website uses the remarketing service “Facebook Custom Audience” operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) in the “Facebook Pixel” variant. The “Facebook Pixel” enables us to place advertisements on the social network that target those Facebook users who have shown interest in our offer – e.g. by visiting our website earlier. The Facebook pixel also allows us to track and evaluate the effectiveness and reach of our advertising on Facebook by tracking whether Facebook users interact with our ads on the social network by clicking on the ads on our website. Therefore, when you visit our website, a connection is established to the Facebook servers and the “Facebook pixel” is embedded in our website. In addition, Facebook may store a cookie (see 8 above) on your device. If you are logged in to Facebook or later log in to Facebook, your visit to our website will be associated with your user account. The data collected about you using the “Facebook pixel” are anonymous to us. You do not provide us with any conclusions about your person. However, Facebook can connect to your user profile. Facebook processes data in accordance with the company’s data policy, which can be found at https://www.facebook.com/policy.php .
10.2 purpose
The processing is carried out in order to carry out targeted online advertising for our own offers and to evaluate their effectiveness and reach.
10.3 legal basis
Processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Clause 10.2
10.4 Storage period and right of objection
We have explained the storage period as well as your control and setting options for cookies in section 7. You may object to the collection of data by “Facebook Pixel” and the use of your data to display Facebook advertisements at any time.
10.5 Recipients and transfers to third countries
By including the “Facebook pixel”, personal data may be transmitted to Facebook. Facebook also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at https://www.privacyshield.gov/EU-US-Framework.

SAFETY PRECAUTIONS
11. SAFETY PRECAUTIONS
In order to protect your personal data from unauthorized access, we have provided our website with an SSL or TLS certificate – insofar as formals are used. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security” and encrypts the communication of data between a website and the user’s terminal device. You can recognize the active SSL or TLS encryption by a small lock logo, which is displayed on the far left in the address bar of the browser.

YOUR RIGHTS
12. RIGHTS CONCERNED
With regard to the data processing described above by our company, you are entitled to the following data subject rights:
12.1 Right of access by the data subject (Art. 15 GDPR)
You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, you have the right, under the conditions set out in Art. 15 GDPR, to obtain information about this personal data and about the further information listed in Art. 15 GDPR.
12.2 Right to rectification (Art. 16 GDPR)
You have the right to demand from us immediately the correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data.
12.3 Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)
You have the right to demand that we delete personal data concerning you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g. if your data is no longer required for the purposes pursued by us.
12.4 Right to restriction of processing (Art. 18 GDPR)
You have the right to demand that we restrict processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you dispute the accuracy of your personal data, data processing will be restricted for the duration that enables us to verify the accuracy of your data.
12.5 Right to data portability (Art. 20 GDPR)
You have the right, under the conditions set out in Art. 20 GDPR, to request the publication of the data concerning you in a structured, common and machine-readable format.
12.6 Revocation of consents (Art. 7 para. 3 GDPR)
You have the right to revoke your consent at any time in the case of processing based on consent. The revocation applies from the time of its assertion. In other words, he works for the future. The processing does not therefore become retroactively illegal through the revocation of the consent.
12.7 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
If you are of the opinion that the processing of your personal data violates the GDPR, you have the right to complain to a supervisory authority. They may exercise this right before a supervisory authority in the EU Member State where they are staying, working or suspected of having committed an infringement.
12.8 Prohibition of automated decisions/profiling (Art. 22 GDPR)
Decisions which have legal consequences for you or which significantly affect you must not be based solely on automated processing of personal data, including profiling. We inform you that we do not use automated decision making, including profiling, with respect to your personal data.
12.9 Right to object (Art. 21 GDPR)
If we process your personal data on the basis of Art. 6 para. 1 lit. f GDPR (to protect predominantly legitimate interests), you have the right to object under the conditions set out in Art. 21 GDPR. However, this only applies if there are reasons arising from your particular situation. Following an objection, we will no longer process your personal data unless we can prove compelling reasons for the processing worthy of protection which outweigh your interests, rights and freedoms. Nor do we have to stop processing if it serves the assertion, exercise or defence of legal claims. In any case – regardless of any particular situation – you have the right to object at any time to the processing of your personal data for direct marketing purposes.

Status: January 2019