Privacy
Information on the handling of personal data
Name and address of Data Processing Controller
MERCHCOWBOY GmbH & Co. KGCarsten Ehlich, Tobias Richter
Friedrich-Ebert-Straße 7
48153 Münster
Tel: +49 (0)251 - 239 4899-5
E-Mail: info@merchcowboy.com
Website: https://www.merchcowboy.com
Data Protection Officer
Martina BrinkmannCortina Consult GmbH
Hafenweg 24
48155 Münster
Tel: +49 (0)251 - 29 79 47 40
E-Mail: dsb.merchcowboy@cortina-consult.de
Website: https://www.cortina-consult.com
Rights of Data Subjects
Chapter III of the EU General Data Protection Regulation (GDPR) lays down extensive rights for so-called “data subjects” (i.e. persons whose personal data is processed by us), which we wish to detail in relation to the handling of your personal data as follows:
Right to information
This requirement applies in particular to information relating to the following aspects of the data processing:
- Purposes of the processing
- Categories of data
- Recipients or categories of recipients
- Planned duration of retention (i.e. storage) of the data and/or the criteria for determining the duration
- Information in each case on the right of rectification, erasure, restriction or objection
- Right to lodge a complaint with a supervisory authority
- Source of the data (if not collected from you)
- The existence of automated decision-making, including profiling, as well as meaningful information on the logic involved and also on the significance and envisaged consequences of such processing
- Transfer of the data to a third country or an international organization
Right to rectification (i.e. correction)
We will rectify incorrect data without delay on being informed of the circumstances by you.
Right to erasure (“right to be forgotten”)
If processing of the data is no longer necessary and any of the following preconditions is fulfilled:
- The purpose for which the data was collected no longer applies
- You withdraw your consent and no other legal basis for processing of the data exists
- You object to processing of the data and no other overriding legitimate grounds for the processing exist
- Processing of the data is unlawful
- Erasure is necessary for compliance with a legal obligation
- The data was collected under Article 8 (1) GDPR
In connection with your request for erasure, we will also transmit your request to any third parties to whom your data has been previously transmitted.
Right to restriction on processing
This right exists if any of the following preconditions exist:
- The accuracy of the personal data is contested by you (the restriction on processing may apply for the time needed for us to verify the accuracy of the data)
- Processing of the data is unlawful but erasure of the data is not desired; in this case, a restriction on processing will apply instead of erasure
- The original processing purposes no longer apply, but you nevertheless need the data for the establishment, exercise or defence of legal claims
- You have lodged an objection pursuant to Article 21 (1) GDPR, and a restriction on processing applies for the duration of the review whether our legitimate grounds override yours
Right to data portability
Provided it is technically possible to do so and would not infringe the rights and freedoms of other persons, we will, on your request, transmit your data to another recipient (controller).
Right to object
If we collect, or have collected, personal data from you (in accordance with Article 6 (1) (e) or (f) or Article Art 9 (2) (a) GDPR) and engage in processing of the said data, you have the right at any time (with effect for the future) to object to processing of the data (including profiling). In exceptional cases, the objection may be ineffective, e.g. if we can show that compelling legitimate interests exist for the processing which override your own interests or that processing is necessary for the purpose of establishing, exercising or defending legal claims. Should we process your personal data for the purpose of direct marketing activities, you have the right to object to such processing at any time. The same also applies to profiling if used in connection with such direct marketing. You also have the right to object to processing of your data which is conducted by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, except where such processing is necessary for the fulfilment of a purpose lying in the public interest.
Automated individual decision-making, including profiling
If we collect, or have collected, and process personal data from you, you have the right not to be subject to any decision taken solely on the basis of automated processing — including profiling — which would have legal effects for you or would otherwise similarly significantly affect you. Exceptions to this are if the decision is necessary for the conclusion or performance of a contract between you and ourselves or if you have expressly consented to such processing. In all cases, we take appropriate measures to protect your rights and freedoms and your legitimate interests, which shall include at least the right to obtain human intervention on our part, to express your own point of view and to contest the decision.
Right to revoke consent under data protection law
You have the right to revoke consent to the processing of your personal data at any time.
Right to lodge a complaint with a supervisory authority
You can obtain a list of the supervisory authorities with responsibility in Germany from the website of the Federal Data Protection Officer (“Bundesbeauftragter für Datenschutz”)
General information on data processing on our website
The following information applies to the processing of data on our website in general. Where deviations from or additions to this information apply, they are described in detail in the sections concerned.
Information on data safety and security
We secure our website and other systems through technical and organizational measures against loss, destruction, access, modification or processing of your data by unauthorized persons. Furthermore, we have implemented SSL encryption (SHA256) on our website in order to safeguard your data. However, despite regular monitoring, complete protection against all risks is not possible.
Legal basis of processing
Depending on the nature and purpose of the processing, we process personal data in accordance with the provisions of the General Data Protection Regulation as follows:
- Informed consent - Article 6 (1) (a)
- Performance of a contract - Article 6 (1) (b)
- Performance of steps prior to entering into a contract - Article 6 (1) (b)
- Compliance with legal obligations - Article 6 (1) (c)
- Protection of vital interests - Article 6 (1) (d)
- Protection of our legitimate interest - Article 6 (1) (f)
Our legitimate interest
Our legitimate interest as defined pursuant to Article (1) (f) GDPR is based on the conduct of our business activity for the maintenance of our operational ability and safeguarding the employment of our employees.
General deadlines for the erasure of data
On cessation of the purpose for which the data was originally stored, the retention periods normally amount to at least six or ten years. Under our erasure scheme, data is generally erased (deleted) as soon as it is no longer subject to a retention requirement, a need relating to contract performance, or a legitimate interest.
Erasure or blocking of personal data
We retain your personal data only for the period of time necessary for fulfilment of the stipulated purpose. On cessation of the purpose and on termination of any retention periods as may apply, your data will be erased (deleted) immediately. If erasure should not be possible, your data will be blocked instead.
Collection of general data and information
As soon as you visit our website, certain general data and technical information, without which a visit to the website would not be possible, are collected by our web server (log data). This includes: Types and versions of browsers used. Date and time of access to the website, as well as the visitor’s IP address and internet service provider
Information on special data processing on the website
In addition to the general information indicated above, the following provides details of specific data processing activities on our website.
Address validation
On our website we offer you the possibility of real-time checking of certain entries for input errors in our web shop's address forms. This is to avoid problems with the delivery of the products ordered by you due to incorrect information (e.g. errors due to auto-completion, forgotten house number, etc.). For the provision of these functions we use the service provider Endereco, Balthasar-Neumann-Straße 4b, 97236 Randersacker, Germany. The service provider processes the data exclusively according to our instructions. The legal basis for the transmission, processing and temporary storage of the data with the service provider is Art. 6 Para. 1 lit. b of the General Data Protection Regulation, as it is absolutely necessary for the fulfilment of the contract or for the implementation of pre-contractual measures that some of the data entered by you in the input mask is checked for accuracy. The service provider processes the following data:
- Address (country, city, postal code, street, house number)
The data is processed separately by the service provider and is not merged. The requests are deleted by the service provider as soon as the status of the entered data has been determined and storage in the web shop has been completed, but at the latest after 30 days.
Contact form
You have the possibility to complete a contact form on our website. This enables us to obtain feedback from you with the aim of improving our service and making contact with you if desired. In order to process your inquiries and respond to them if and as necessary, we need your email address and optionally your first name and last name. The legal basis for such processing is the protection of our legitimate interest (Article 6 (1) (f)) and/or the performance of steps prior to entering into a contract (Article 6 (1) (b)). We will not transmit your data to third parties, and in this context we also undertake not to rely on any automated decision-making.
Newsletter
You can subscribe to a newsletter on our website to stay informed about the latest news, dates and events. Newsletters are only sent following registration via a double opt-in procedure based on Art. 6 para. 1 lit. a of the GDPR. Your data is only collected for the purpose of providing and sending an electronic newsletter. For this purpose, the data is forwarded to rapidmail (operator: rapidmail GmbH). You can find the rapidmail privacy policy at https://www.rapidmail.de/datenschutz. We will delete or block your e-mail address as soon as you unsubscribe from the newsletter. You can revoke your consent to the processing of your personal data via the newsletter at any time by visiting support@merchcowboy.com or via a link in each newsletter.
Cookies
On this website, we use cookies; these are small data files that are placed or stored on your computer by your internet browser (e.g. Google Chrome, Safari, Firefox, Edge). The cookie may contain a so-called cookie-ID, i.e. a unique identifier made up of a sequence of characters that allows the attribution of websites and servers to the storing browser. At the same time, the cookies provide us with information that enables us to optimize our websites to the needs of our visitors. In some cases, we only use cookies for the duration of a visit to the website. All cookies on our web pages contain technical information only and no personal data. Use of our internet offerings is possible even without cookies (though not always with all the functions in full scope). Most browsers are set so that they accept cookies automatically. You can, however, also deactivate the storage of cookies at any time or adjust the settings of your browser so that it notifies you as soon as cookies are sent.
Customer account
A customer account offers you many advantages. For example, it allows the efficient handling of complaints and the purchase of products. In this context, we process your email address, last name (surname), postcode, street, house number, title, first name, place (town/city), and country/state. This is also important for unique identification of the customer account, delivery, payment transactions and authentication, and for enabling independent resetting of passwords. The legal basis for this is the performance of a contract pursuant to Article 6 (1) (b) GDPR. Within the context of processing, the data are transmitted to parcel service, logistics service and payment service providers. The data (in the required fields) must be provided for purposes of the underlying contract. In this context, we undertake not to rely on any automated decision-making. You can request erasure (deletion) of your data at any time by email.
PayPal
To be able to offer an efficient and secure method of payment, we use the services of PayPal. In this context, your personal data are processed (first name, last name, address, email address, telephone number). The legal basis for processing is the protection of a legitimate interest (Article 6 (1) (f)). Data are transmitted to PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. In the case of purchase by instalments, the data will be forwarded to credit agencies for the purpose of checking your identity and credit rating. In this context, we undertake not to rely on the process of purely automated decision-making. Information on the data privacy policy of PayPal can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Web tracking technologies - managed with Usercentrics
To ensure management of all cookies as well as website and tracking technologies that are subject to consent or optout in a manner compliant with data protection regulations, we use the consent management platform of Usercentrics GmbH, Rosental 4, 80331 München [Munich], Germany, with which we have integrated the following services:
Cloudfront
We use the Cloudfront service. This is a content delivery network operated by Amazon Web Services. This allows us to guarantee fast loading times and increased reliability, among other things. By using the service, your IP address is transmitted to Amazon web servers in the EU. This data processing is based on our legitimate interest according to Art. 6 para. 1 lit. f EU-GDPR.