The (data) controller within the meaning of the General Data Protection Regulation (GDPR):

Wheelworld GmbH

Managing Director: Thomas Mögelin

Hüttenstrasse 3

D – 38871 Ilsenburg

Germany

Tel.: + 49 (0) 39452 4828-0

Fax: +49 (0) 39452 4828-28

Contact the data protection officer:

Tel.: +49 (0) 39452 4828-21

We appreciate your interest in our website and our company.

The protection of your personal data is important to us. Your data is protected in accordance with the law. Our data protection practice thus complies with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and the German Telecommunications and Media Services Act (Telemediengesetz – TMG). You can find information about our processing of personal data and your rights below.

 

I. General data processing

  1. Scope and purpose of the processing

In principle, the data controller only processes personal data where this is necessary for the provision of its services or of the functions of its website. Processing takes place within the scope of the user’s consent and to the extent permitted by law.

  1. Legal basis for processing

Where the controller obtains consent to processing, Article 6(1)(a) GDPR provides the legal basis. The legal basis for processing operations necessary for the performance of a contract to which the data subject is party is Article 6(1)(b) GDPR. This also applies to processing necessary in order to take steps at the request of the data subject prior to entering into a contract. The legal basis for processing of personal data necessary for compliance with legal obligations to which the controller is subject is Article 6(1)(c) GDPR. Article 6(1)(d) GDPR provides the legal basis for cases where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person. Article 6(1)(f) GDPR provides the legal basis for the processing of personal data where this is necessary to safeguard a legitimate interest pursued by the undertaking of the controller or a third party and this overrides the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

  1. Erasure and storage

The controller will erase personal data or make it unavailable where its storage serves no purpose. Data may also be stored where so required by law or regulation. In particular, retention may be required for six years under commercial law and ten years under tax law. The making unavailable or erasure of personal data will also take place where time limits on storage laid down in laws or regulations are reached and data for the conclusion, performance or termination of a contract is no longer required. Data may also be stored for the purposes of preserving evidence within the scope of the statute of limitations. The standard period of limitation is three years, but limitation periods of 30 years are also possible.

 

II. Provision of the website and log files

  1. Scope of the processing

All access to the controller’s website and any retrieval of a file stored on its website is automatically logged by default. In so doing, the date and time of access, the web browser and version, the operating system, the website from which the user accesses the controller’s site and the websites that the user accesses via the controller’s website, the user’s internet service provider and IP address may be logged.

This data may be stored in the log files of the controller’s system. This data will not be combined with other data sources, in particular other personal data pertaining to the user.

  1. Legal basis for processing

The legal basis for the temporary storage of the said data and log files is Article 6(1)(f) GDPR.

  1. Purpose

The temporary storage of the user’s IP address by the system is necessary in order to enable delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session. Storage in log files takes place in order to ensure the functioning of the website. In addition, the controller uses the data to optimise its website and to ensure the security of its IT systems.

The above-mentioned purposes also represent the overriding legitimate interests of the controller in respect of this data processing, in accordance with Article 6(1)(f) GDPR.

  1. Erasure and storage

The data will be erased as soon as it is no longer necessary for the achievement of the above purposes. For the collection of data for the provision of the website this occurs at the end of the session in question, while for the storage of data in log files this occurs after no more than seven days.

 

III. Cookies

  1. Scope of the processing

The controller’s website uses cookies. A “cookie” is a small text file that is stored in a visitor’s internet browser or by the internet browser on his/her computer. This file enables the web server to store preferences and settings on the user’s computer that are automatically restored on the next visit. This also enables a server to recognise a user without forcing him/her to constantly re-enter a username and password.

Two types of cookies may be used on the controller’s sites. The first type are what are known as “session cookies”, which are deleted when the browser is closed. The other type are known as “persistent cookies”, which can remain on the data subject’s computer for a longer period of time. Using the information collected, usage patterns and website structures can be analysed. This enables the controller, among other things, to continually optimise its website by improving the content or personalisation and making it easier to use.

  1. Legal basis for processing

Article 6(1)(f) GDPR provides the legal basis for the processing of personal data using cookies.

  1. Purpose

The purpose of using cookies is to make visits to the controller’s website more pleasant and to provide certain functionalities. In addition, it enables the controller to continually optimise its website by improving the content or personalisation and making it easier to use, based on the usage information obtained via the cookies.

The above-mentioned purposes provide the controller with a legitimate and overriding interest in respect of this data processing, in accordance with Article 6(1)(f) GDPR.

  1. Storage, objection and removal options

All up-to-date browsers offer explicit control of how cookies are handled. Most browsers accept cookies by default. Users can allow or prohibit both temporary (session) and persistent cookies independently in their security settings. However, if a data subject disables cookies, he/she may find certain usage functionalities of the controller’s website unavailable, and some pages may not be displayed correctly.

 

IV. Contact form and email contact

  1. Scope of the processing

There is a contact form on the controller’s website. If the data subject makes use of this form, the data entered into the input mask in respect of his/her name, email address, telephone number and the content of the message will be stored by the controller, together with the date and time of transmission.

In addition, the controller can also be contacted via its email address. In this case, too, the personal data transmitted by email will be stored.

This data is used solely for the purposes of processing the communication between the data subject and the controller and is not disclosed to third parties.

  1. Legal basis for processing

Article 6(1)(a) GDPR provides the legal basis for this processing of personal data, provided consent has been obtained. If not, the legal basis is Article 6(1)(f) GDPR and, insofar as the establishment, performance or termination of a contract is concerned, Article 6(1)(b) GDPR, as appropriate.

  1. Purpose

Personal data from the contact form or an email is only processed for the purposes of establishing contact and responding to the data subject’s query, as well as for preventing misuse of the contact form and protecting the controller’s IT systems.

  1. Erasure and storage

The data collected by the controller via the contact form or email is erased as soon as it is no longer necessary for the purpose for which it was collected. This is the case once the conversation with the data subject in question has ended and it is evident from the circumstances that a final resolution has been reached.

  1. Option to object

The data subject has the option to withdraw consent to the processing of his/her personal data at any time. The data subject is also entitled to object to the storage of his/her personal data at any time, in which case the conversation in question cannot be continued. Moreover, in such a case, all personal data stored in the course of establishing contact will be erased.

 

V. Registration as a specialist dealer and contract settlement

  1. Scope of the processing

The controller offers users of its website the option of registering with their personal data and then placing orders from their customer account. Where this occurs, the data is entered into an input mask, transmitted to the controller and stored by it. In connection with the order and the registration process, the user’s gender, first name, last name, date of birth, email address, company name and VAT number (if applicable), address and telephone number (optional) are collected.

This personal data will only be passed on to third parties where this is necessary for the conclusion and settlement of contracts. This involves the passing on of address data to the courier and of payment data to the payment service provider.

  1. Legal basis for processing

Article 6(1)(a) GDPR provides the legal basis for this processing of personal data, provided consent has been obtained. If not, the legal basis is Article 6(1)(f) GDPR and, insofar as the establishment, performance or termination of a contract is concerned, Article 6(1)(b) GDPR, as appropriate.

  1. Purpose

The purpose of data processing in connection with registration is initially the implementation of pre-contractual measures, and then the conclusion and settlement of contracts with the user. This data is collected in order to provide knowledge about who the (initially potential) contracting party is for the purposes of the establishment, shaping, settlement and modification of contractual relationships with the data subject, verifying the plausibility of the data given and establishing contact. The name and address are collected in order to determine who the contracting party is and for and with whom the controller has to provide and settle its services. The contact details are collected in order to provide the contracting party with information regarding the execution of the contractual relationships. The address data is taken to be passed on to the courier for delivery of the goods ordered. The collection of data in connection with registration means that there is no need to re-enter this data in the event of subsequent contracts and also allows for orders placed to be viewed via the customer account.

  1. Erasure and storage

The data collected in connection with an order or registration is erased as soon as it is no longer necessary for the purpose for which it was collected. For data collected in connection with the registration process for the purposes of the establishment and performance of a contract or for the implementation of pre-contractual measures, this is the case once this data is no longer necessary for the performance of the contracts. However, registration can be cancelled at any time, whereby a complete erasure of the data collected in this connection is only possible to the extent that this is not prevented by contractual or legal obligations.

VI. Matomo (formerly Piwik)

The controller makes use of the open-source web analytics service Matomo (www.matomo.org), a service from the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”). Matomo uses cookies (see Section III), which are stored on the user’s device and facilitate analysis of his/her use of the website. The information about the use of the website generated by the cookie is stored on the controller’s server, with the IP address pre-anonymised.

Matomo cookies remain on the device until they are deleted by the data subject. The information about the use of this website generated by the cookie is not disclosed to third parties.

The legal basis for the storage of Matomo cookies is Article 6(1)(f) GDPR. The statistical analysis of user behaviour for optimisation and marketing purposes is an overriding and legitimate interest on the part of the controller.

Data subjects can prevent the storage of cookies by setting their browser software accordingly. However, where this is done, it may be that not all functions of the website are fully usable.

If you do not agree with the storage and use of your data, you can deactivate this storage and use by clicking here. In this case, an opt-out cookie is placed in your browser that prevents Matomo from saving usage data. If you delete your cookies, you will also delete this Matomo opt-out cookie. You will then need to reactivate the opt-out on returning to the website.

https://matomo.org/docs/privacy/

 

 

VII. Job application process

The controller collects and processes the personal data provided by applicants for the purpose of carrying out the job application process. This processing may also be carried out electronically. In the case of a contract of employment with an applicant, the data transmitted will be stored, in compliance with any legal requirements, for the purposes of managing the employment relationship. If the controller does not conclude a contract of employment with the applicant, the application documents will be automatically deleted within 10 weeks of the applicant being informed of the decision to reject him/her, provided that deletion is not contrary to the controller’s legitimate interests (e.g. an obligation to retain evidence in proceedings under the German General Act on Equal Treatment [Allgemeines Gleichbehandlungsgesetz – AGG]).

VIII. Rights of the data subject

Where a person’s personal data is processed, he/she is deemed the data subject and has the following rights vis-à-vis the controller:

  1. Right to confirmation

The right to obtain confirmation as to whether or not personal data concerning him/her are being processed.

  1. Right of access

The right to access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data is not collected from the data subject, any available information as to the source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The data subject also has a right to know whether his/her personal data is being transferred to a third country or to an international organisation. Where this is the case, the data subject also has the right to information about the appropriate safeguards in place relating to the transfer.

The data subject is entitled to the provision of a copy of the personal data undergoing processing, provided that receipt of this data does not adversely affect the rights and freedoms of others.

  1. Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  1. Right to erasure (“right to be forgotten”)

The data subject has the right to obtain from the controller the erasure of personal data concerning him/her without undue delay, and the controller is obliged to carry this out, where one of the following grounds applies and to the extent that the processing is not necessary:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
  • the personal data has been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject;
  • the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Where the controller has made the data subject’s personal data public and is obliged pursuant to the above provisions to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that a data subject has requested the erasure by such controllers of any links to, or copy or replication of, the said personal data.

  1. Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override those of the data subject.

  1. Right to data portability

The data subject has the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
  • the processing is carried out by automated means.

In exercising his/her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided this does not adversely affect the rights and freedoms of others.

  1. Right to object

  • The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  • Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his/her particular situation, has the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. 

  1. Automated individual decision-making, including profiling

  • The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her, except where the decision: is necessary for entering into, or the performance of, a contract between the data subject and a data controller; is authorised by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent.
  • Where the decision is necessary for entering into, or the performance of, a contract between the data subject and a data controller or is based on the data subject’s explicit consent, the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

  1. Right to withdraw consent under data protection law

All data subjects have the right to withdraw consent to the processing of their personal data at any time. This shall not affect the lawfulness of processing based on consent before its withdrawal.

  1. Right to lodge a complaint

Data subjects who believe that processing infringes the provisions of data protection law have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to further administrative or judicial remedies.