Data Privacy Statement of ALSA Küchen GmbH for the website architekturwerkstatt.com
This Data Privacy Statement details the type, scope and purpose of the processing of personal data within our online service and of the associated websites, functions and content as well as external online presence, such as for example our social media profiles (hereinafter commonly referred to as “online service”).
I. Definitions
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; hereinafter, personal data is always meant whenever “data” is mentioned.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is extensive and encompasses virtually all dealings with data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Users” are visitors to and users of our online service.
“GDPR” is the General Data Protection Regulation.
II. Controller:
Name/company: ALSA Küchen GmbH
Street, no.: Gmünder Straße 70
Postcode, town, country: 73550 Waldstetten | Germany
Commercial register/no.: HRB 702016, Court of Registration: Ulm District Court
Managing Director: Jürgen Müller
Tel.: +49 | 7171 | 402-0
E-mail address: info@architekturwerkstatt.com
Data Protection Officer:
The Data Protection Officer can be reached at:
E-mail address: datenschutz@architekturwerkstatt.com
or can be contacted by post using the address above and adding “FAO Data Protection Officer”.
III. Types of processed data:
1. Every time our website is accessed, our system automatically collects data and information from the computer system of the device accessing the site.
This process involves the collection of the following data:
Information about the browser type and the version used;
The user’s operating system;
The user’s Internet service provider;
The user’s IP address;
Date and time of access;
Websites from which the user’s system has gained access to our website;
Websites which are called up by the user’s system via our website.
2. If a user registers for an event, the following data is collected and processed:
title, first and last name, postcode, town, country, e-mail address, day of visit.
This data will only be transmitted to the following companies and only with the express permission of the user:
LEICHT Küchen AG
Liebherr-International Deutschland GmbH
V-ZUG AG
Industrias Alcorenses Confederadas S.A. (Inalco, S.A.)
GESSI SPA
DEKKER ZEVENHUIZEN
STEEL S.r.l.
Robert Bosch Hausgeräte GmbH
OUT4KITCHEN c/o mayr + mayr GmbH
IV. Purpose of data collection
1. As long as it only concerns the use of our website, we process our users’ personal data only as far as this is necessary to provide a functioning website, as well as functioning content and services. As a rule, users’ personal data is processed only after a user has given his/her consent. Exceptions to this rule are cases in which it is not possible to obtain prior consent for practical reasons and cases where processing the data is permitted by legal regulations.
2. Whenever our online services are used, we store the IP address and time of a particular action by a user. This storage takes place on the basis of our legitimate interests and serves as protection against misuse and other unauthorised use. As a matter of principle, this data is not passed on to third parties, unless it is necessary in the pursuit of our rights or we are legally obliged to do so pursuant to point (c) of Article 6(1) of the GDPR.
V. Lawfulness for processing personal data
Point (a) of Article 6(1) of the GDPR is the applicable legal basis insofar as we obtain the data subject’s consent to process personal data.
Point (b) of Article 6(1) of the GDPR is the applicable legal basis in the processing of personal data necessary for the performance of a contract to which the data subject is party. This also applies to processing procedures which are necessary to execute precontractual measures.
Point (c) of Article 6(1) of the GDPR is the applicable legal basis insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject.
Point (d) of Article 6(1) of the GDPR is the applicable legal basis in the case where vital interests of the data subject or another natural person necessitate the processing of personal data.
Point (f) of Article 6(1) of the GDPR is the applicable legal basis for processing if processing is necessary for the purposes of protecting a legitimate interest of our company or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
VI. Security, order processing, transfer to other countries
1. Security measures
Pursuant to Article 32 of the GDPR, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; these measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, transmission, safeguarding of availability and separation of the data. Furthermore, we have set up procedures which guarantee the exercise of data subjects’ rights, the erasure of data and a response to any threat to the data. Moreover, we already consider the protection of personal data in the development and/or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
2. Collaboration with order processors and third parties
If within our processing we disclose data to other persons and companies (order processors or third parties), transmit such to them or otherwise grant them access to the data, this takes place only on the basis of legal permission (e.g. when the transmission of data to third parties, such as payment service providers, is necessary to fulfil the contract in accordance with point (b) of Article 6(1) of the GDPR), if you have given your consent, if a legal obligation allows for this or on the basis of our legitimate interests (e.g. when using authorised agents, web hosts, etc.).
Insofar as we commission third parties to process data on the basis of what is referred to as an “order processing contract”, this is based on Article 28 of the GDPR.
3. Transfer to third countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this takes place as part of the use of third-party services or the disclosure or transmission of data to third parties, this only occurs if it takes place to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permission, we only process the data or have the data processed in a third country when the special requirements of Article 44 et seq. of the GDPR are met. In other words, the processing takes place for example on the basis of special guarantees such as the officially recognised determination of a level of data protection corresponding to that of the EU (e.g. for the USA through the “Privacy Shield”) or the observance of officially recognised special contractual obligations (known as “standard contractual clauses”).
VII. Rights of the data subjects
If your personal data is processed, you are a data subject as defined by the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information
The data subject can demand a confirmation from the controller as to whether we are processing personal data concerning him or her. If personal data is being processed, the data subject can demand to be informed by the controller of the following:
a) the purposes of the processing for which the personal data is intended;
b) the categories of personal data to be processed;
c) the recipients or categories of recipients who have been provided with or will be provided with personal data concerning the data subject;
d) the planned period for which the personal data concerning the data subject will be stored, or, if specific details cannot be revealed, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of processing or to object to processing;
f) the right to lodge a complaint with a supervisory authority;
g) all available information on the origin of the data if the personal data is not obtained from the data subject;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject has the right to demand information on whether the controller intends to transfer personal data concerning him or her to a third country or international organisation. In this context, the data subject can demand to be informed of the appropriate safeguards in accordance with Article 46 of the GDPR in connection with the transfer.
2. Right to rectification
The data subject has the right to request from the controller rectification and/or completion of personal data if the processed personal data concerning him or her is incorrect or incomplete. The controller must rectify the personal data without undue delay.
3. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing of personal data appertaining to the data subject where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of personal data instead;
c) the controller no longer needs the personal data for the purposes of processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where the processing of personal data concerning the data subject has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing pursuant to the aforementioned prerequisites shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data concerning the data subject is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based in accordance with point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
d) the personal data concerning the data subject has been unlawfully processed;
e) the personal data concerning the data subject has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data concerning the data subject has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The right to erasure shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format.
6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves the establishment, exercise or defence of legal claims.
Where personal data concerning the data subject is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
7. Right to withdraw consent
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial right of appeal, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your workplace or the place of the alleged violation, when you are of the opinion that the processing of personal data concerning you is in breach of the GDPR.
The supervisory authority relevant to us is:
Landesbeauftragte für den Datenschutz und Informationsfreiheit (State Data Protection and Freedom of Information Officer) Baden-Württemberg, Postfach 10 29 32, 70025 Stuttgart, Germany, or Königstraße 10a, 70173 Stuttgart, Germany, Tel.: +49 (0)711/61 55 41-0, Fax: +49 (0)711/61 55 41-15, e-mail: poststelle@lfdi.bwl.de
VIII. Cookies
“Cookies” are small files stored on a user’s computer. A range of details can be stored within the cookies. A cookie is primarily intended to store information on a user (or on the device the cookie is stored on) during or also after the user’s visit within an online service. Temporary cookies, also referred to as “session cookies” or “transient cookies”, are those which are deleted when a user leaves an online service and closes his or her browser. This type of cookie might store items placed in a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those which remain saved once the user’s browser is closed. This makes it possible, for example, to store the login status when the user revisits a site after several days. This kind of cookie can also save the interests of the user; this information can then be used for audience measurement or marketing purposes. “Third-party cookies” are cookies offered by suppliers other than the controller providing the online service (otherwise, if they are cookies exclusively from the controller, the cookies are referred to as “first-party cookies”).
We can use both temporary and permanent cookies and have detailed this accordingly in our Data Privacy Statement.
If users do not want cookies to be stored on their system, they are asked to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Disabling cookies can lead to the restricted functioning of this online offer.
You can generally object to the use of cookies for the purposes of online marketing for a number of services, particularly in the case of tracking, using the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore the storage of cookies can be disabled in the settings of the browser. Please note that this can lead to the online service not working properly.
IX. Erasure of data
Data processed by us is erased or the processing of this data is restricted in compliance with Articles 17 and 18 of the GDPR. Unless explicitly specified otherwise within this Data Privacy Statement, the data stored by us is erased as soon as it is no longer necessary for the purpose originally intended and erasure would not violate legal duties to retain such data. If this data is not erased because it is required for other, legally permissible purposes, the processing thereof will be restricted, i.e. the data is blocked and not processed for other purposes. This applies, for example, to data which must be retained for reasons relating to commercial or tax law. In accordance with legal regulations in Germany, data is retained in particular for 6 years in accordance with § 257 Paragraph 1 HGB [German Commercial Code] (account books, inventory, opening balance sheets, annual financial statements, commercial letters, accounting records, etc.) as well as for 10 years in accordance with § 147 Paragraph 1 AO [German tax code] (books, recordings, annual reports, accounting records, business and commercial letters, documents relevant for taxation, etc.).
We erase e-mail inquiries and other forms of contact via our website within a suitable period of time, within which it is no longer expected that a contract or similar will be concluded.
X. Online presence in social media
We maintain online presences within social networks and platforms to be able to communicate with the customers, prospective clients and users active there and to be able to inform them there about our services. When the relevant networks and platforms are accessed, the Terms and Conditions as well as the data processing regulations of the relevant operators apply.
Unless stated otherwise in our Data Privacy Statement, we process the users’ data if the users communicate with us within the social networks and platforms, e.g. by making comments on our online presences or by sending us messages.
XI. Google Universal Analytics
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services pursuant to point (f) of Article 6(1) of the GDPR) we use Google Analytics, a web analytics service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie concerning users’ use of this website is usually transferred to a Google server in the USA where it is saved.
Google has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse users’ use of the website, to compile reports on website activities within this online service and to provide us with other services associated with the use of the website and the Internet. In this process, the processed data can be used to create pseudonymous usage profiles of the users.
We use Google Analytics in the “Universal-Analytics” version. “Universal Analytics” is a particular procedure of Google Analytics in which user analysis takes place on the basis of a pseudonym user ID and thus a pseudonym user profile is created with information from the use of different devices (referred to as “cross-device tracking”).
We only use Google Analytics with activated IP anonymisation. This means Google will truncate the user’s IP address within member states of the European Union or other states which are parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and be truncated there.
The IP address transmitted by a user’s browser is not associated with any other data held by Google. Users can prevent the storage of cookies by changing the relevant setting in their browser software; the users can also prevent Google’s collection and processing of the data generated by the cookie and related to their use of the website by downloading and installing the browser plug-in available using the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
You will find more information on how Google uses data, possible settings and possibilities of appeal in Google’s Privacy Policy (https://policies.google.com/technologies/ads) as well as in the settings for the displaying of ads by Google (https://adssettings.google.com/authenticated).
Users’ personal data will be erased or anonymised after a period of 14 months.
XII. Google Maps
We include the maps of the service “Google Maps” from service provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
XIII. Using Facebook Social Plugins
We use social plugins (“plugins”) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service pursuant to point (f) of Article 6(1) of the GDPR). The plugins can be interaction elements or content (e.g. videos, graphics or text) and can be recognised by one of the Facebook logos (white “f” on blue tile, the term “Like”, or a “thumbs up” sign) or marked with the phrase “Facebook Social Plugin”. The list and the appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If a user accesses a function of this online service that contains such a plugin, his or her device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly to the user’s device by Facebook and is integrated into the online service. The processed data can be used to create usage profiles of the user. We therefore have no control over the amount of data Facebook collects with the help of this plugin and therefore inform users based on our level of knowledge.
Through the integration of plugins, Facebook receives the information that a user has accessed the corresponding site of the online service. If the user is logged into Facebook, Facebook can link the visit to his or her Facebook account. If the user interacts with the plugins, for example by clicking on the “Like” button or leaving a comment, the corresponding information will be sent directly from their device to Facebook and stored there. If the user is not a member of Facebook, it is still possible for Facebook to obtain and store his or her IP address. According to Facebook, only an anonymised IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options for the protection of the privacy of users, can be found in the Facebook Privacy Policy: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not want Facebook to collect information on him or her via this online service or link it to his or her membership data stored on Facebook, he or she must log out of Facebook before using our online service and delete his or her cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are platform independent, which means they are applied to all devices such as desktop computers or mobile devices.
XIV. Facebook, custom audiences and Facebook marketing services
Within our online service and based on our legitimate interests in the analysis, optimisation and economic operation of our online service and for these purposes, our online service uses “Facebook Pixel” from the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are based in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook has been certified under the Privacy Shield Agreement thereby guaranteeing compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
Facebook processes the data in accordance with Facebook’s Data Policy. Accordingly, you can find further information about how Facebook ads are displayed in general in the Facebook Data Policy: https://www.facebook.com/policy.php. Special information and details on Facebook Pixel and how it works can be found in the Facebook Help section: https://www.facebook.com/business/help/651294705016616.
You can object to Facebook Pixel collecting data and using it to display Facebook ads. To define which types of advertisements are displayed to you within Facebook, you can visit the website set up by Facebook and follow the instructions on usage-based advertising settings here: https://www.facebook.com/settings?tab=ads. The settings are platform independent, which means they are applied to all devices such as desktop computers or mobile devices.
To prevent your data being collected on our website by Facebook Pixel, please click the following link: Facebook opt-out. Note: When you click this link, an “opt-out” cookie is placed on your device. If you delete the cookies in this browser, you must click the link once more. Furthermore, the opt-out is only valid within the browser you use and only within our web domain within which the link was clicked.
You can also object to the use of cookies used for audience measurement and advertising purposes using the deactivation site of the network advertising initiative (http://optout.networkadvertising.org/) and also the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
XV. Instagram
Functions and content of the service Instagram can be included in our online service. These are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. They may include content such as pictures, videos or texts and buttons with which users can show what they like in terms of content, and via which they can subscribe to the authors of the content or our articles. If the users are members of the Instagram platform, Instagram can link the access of the above-mentioned content and functions to the user profiles there. Instagram Privacy Policy: http://instagram.com/about/legal/privacy/.
XVI. Pinterest
Functions and content of the service Pinterest can be included in our online service. These are provided by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA. They may include content such as pictures, videos or texts and buttons with which users can show what they like in terms of content, and via which they can subscribe to the authors of the content or our articles. If the users are members of the Pinterest platform, Pinterest can link the access of the above-mentioned content and functions to the user profiles there. Pinterest Privacy Policy: https://about.pinterest.com/de/privacy-policy.
XVII. Vimeo
Our website uses videos provided by the Vimeo video portal. This service is provided by Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA, (Vimeo). If you visit one of our pages featuring a Vimeo plug-in, a connection to the Vimeo servers is established. Here the Vimeo server is informed about which of our pages you have visited. In addition, Vimeo will receive your IP address. This also applies if you are not logged in to Vimeo when you visit our website or do not have a Vimeo account. The information captured by Vimeo is transmitted to a Vimeo server in the US.
Details on the data collected and processed by Vimeo can be found in the Vimeo Privacy Policy: https://vimeo.com/privacy.
We would like to point out that Vimeo may use Google Analytics and would thus like to refer you to the relevant privacy policy (https://policies.google.com/privacy) as well as opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) and the settings of Google for the use of data for marketing purposes (https://adssettings.google.com/).
XVIII. Twitter
We have an account with Twitter to present our company and our services as well as communicate with people. Twitter is a service of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
We would like to point out that there is a possibility that user data may be processed outside the European Union, particularly in the US. This may represent increased risks for users as, for example, accessing user data at a later date may be hindered. We do not have access to the user data processed by Twitter. The access facilities lie solely with Twitter. Twitter Inc. has been certified under the Privacy Shield and is thus obliged to adhere to European data protection standards.
Information on data protection at Twitter can be found at
https://twitter.com//privacy
XIX. eveeno
When organising events, we rely on the support of the event management platform eveeno. This platform makes it possible for us to show our events online, accept registrations, possibly sell tickets for our events and to execute the associated communication and administration.
eveeno is a German provider which was selected in compliance with the regulations of the GDPR. eveeno does not transmit/forward data to third parties. All data is stored on servers within the EU. Furthermore data transmission is protected by SSL encryption.
We have concluded a contract on order data processing with eveeno to ensure that the legal regulations of the German data protection authorities are adhered to in entirety when using services provided by eveeno.
To register for our events using eveeno, you first have to agree to our data privacy statement as well as that of eveeno. The data privacy statement of eveeno can be found here:
https://eveeno.com/de/privacy