Data protection notice in accordance with Art. 13 GDPR

Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions is:

CHRITTO Brand Spaces GmbH
Malteserstr. 85, 52349 Düren, Germany

Represented by
Mr Miklos Szekeres Managing Director

Contact
Telephone +49 2102 70344-0
This email address is being protected from spambots. You need JavaScript enabled to view it.

General information on data processing

Legal basis for the processing of personal data

In accordance with Art. 13 GDPR, we will inform you of the legal basis for our data processing. Unless the legal basis is specifically mentioned in the data protection notice, the following applies:

The legal basis for obtaining consent is Art. 6 (1) (a) in conjunction with Art. 7 GDPR. The legal basis for processing for the purpose of providing our services and implementing contractual measures, as well as for answering enquiries, is Art. 6 (1) (b) GDPR. The legal basis for processing for the purpose of fulfilling our legal obligations is Art. 6 (1) (c) GDPR. If the processing of your data is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) point f GDPR serves as the legal basis for the processing. In the event that the vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

Data erasure and storage duration

We adhere to the principles of data minimisation in accordance with Art. 5 (1) lit. c GDPR and storage limitation in accordance with Art. 5 (1) lit. e GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here or as required by the statutory retention periods. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as soon as possible.

Note on data transfer to third countries

Our website also includes tools from companies based in third countries. If these tools are active, your personal data may be transmitted to the servers of the respective companies. The level of data protection in third countries does not generally comply with EU data protection law. This means that there is a risk that your data may be passed on to the authorities of these countries. We have no influence over these processing activities.

External links

This website may contain links to third-party websites or to other websites for which we are responsible. If you follow a link to a website for which we are not responsible, please note that these websites have their own data protection information. We do not assume any responsibility or liability for these third-party websites and their data protection notices. Therefore, before using these websites, please check whether you agree with the data protection declarations there.

You can recognise external links either by the fact that they are displayed in a slightly different colour from the rest of the text or underlined. Your cursor will indicate external links when you move it over such a link. Your personal data will only be transferred to the target of the link when you click on an external link. In particular, the operator of the other website receives your IP address, the time at which you clicked on the link, the page on which you clicked on the link, and further information, which you can find in the data protection information of the respective provider.

Please also note that individual links may lead to data transfer outside the European Economic Area. As a result, foreign authorities could gain access to your data. You may not have any legal remedies against such data access. If you do not want your personal data to be transferred to the link destination or even to be exposed to unwanted access by foreign authorities, please do not click on any links.

Rights of the data subject

As a data subject within the meaning of the GDPR, you have the opportunity to assert various rights. The rights of data subjects arising from the GDPR are the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority and the right to data portability (Article 20).

Right of withdrawal:

Some data processing can only take place with your express consent. You have the option to withdraw your consent at any time. However, this does not affect the lawfulness of the data processing carried out up to the point of withdrawal.

Right to object:

If the processing is based on Article 6(1)(e) or (f) GDPR, you, as the data subject, may object to the processing of your personal data at any time for reasons arising from your particular situation. You also have this right in the case of profiling based on these provisions within the meaning of Article 4(4) GDPR. If we cannot demonstrate a legitimate interest in the processing that outweighs your interests, rights and freedoms, or if the processing is for the purpose of asserting, exercising or defending legal claims, we will refrain from processing your data after the objection has been made.

If the processing of personal data is used for direct marketing purposes, you also have the right to object at any time. The same applies to profiling that is related to direct marketing. Again, we will no longer process personal data as soon as you object.

Right to complain to a regulatory authority:

If you believe that the processing of personal data concerning you is in breach of the GDPR, you have the right to complain to a regulatory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, without prejudice to any other administrative or judicial remedy.

Right to data portability:

If your data is processed automatically based on consent or the performance of a contract, you have the right to receive this data in a structured, commonly used and machine-readable format. You also have the right to request the transfer and provision of the data to another controller, where technically feasible.

Right of access, right to rectification and right to erasure:

You have the right to receive information about your processed personal data regarding the purpose of the data processing, the categories, the recipients and the duration of the storage. If you have any questions about this or other

topics regarding personal data, you can of course contact us using the contact options provided in the imprint.

Right to restriction of processing:

You can at any time demand that the processing of your personal data be restricted. To do so, you must meet one of the following requirements:

You dispute the accuracy of the personal data. You have the right to demand that the processing be restricted for the duration of the accuracy check.
If the processing is unlawful, you can request the restriction of the use of the data as an alternative to erasure.
If we no longer need your personal data for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims, you can request the restriction of the processing as an alternative to erasure.
If you object to the processing in accordance with Art. 21 (1) GDPR, your and our interests will be weighed up. Until this weighing up has taken place, you have the right to request that the processing be restricted.

The consequence of a processing restriction is that the personal data, apart from being stored, may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

Provision of the website (web hosting)

When you visit our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or to the server of our hosting company.

This information includes

IP address of the website visitor's device Device used
Host name of the accessing computer Operating system of the visitor
Browser type and version
Name of the accessed file Time of the server request Amount of data
Information on whether the data retrieval was successful

This data is not merged with other data sources.

Instead of operating this website on our own server, we can also have it operated on the server of an external service provider (hosting company), which we have named above in this case. The personal data collected by this website is then stored on the servers of the hosting company. In addition to the above-mentioned data, the web host also stores contact requests, contact data, names, website access data, meta and communication data, contract data and other data generated by a website for us, for example.

The legal basis for the processing of this data is Art. 6 (1) point f GDPR. Our legitimate interest lies in the technically error-free presentation and optimisation of this website. Insofar as the website is accessed in order to enter into contractual negotiations with us or to conclude a contract, this serves as a further legal basis (Art. 6 (1) point b GDPR). In the event that we have commissioned a hosting company, there is a contract for order processing with this service provider.

Use of local storage items, session storage items and cookies

Our website uses local storage items, session storage items and/or cookies. Local storage is a mechanism that enables data to be stored within the browser on your end device. This data usually includes user preferences, such as the ‘day’ or ‘night’ mode of a website, and is retained until you manually delete the data. Session Storage is very similar to Local Storage, whereas the storage duration only

lasts during the current session, i.e. until the current tab is closed. After that, the session storage items are deleted from your device. Cookies are information that a web server (a server that provides web content) stores on your device in order to identify it. They are either deleted temporarily for the duration of a session (session cookies) and at the end of your visit to a website, or they are stored permanently (permanent cookies) on your device until you delete them yourself or until they are automatically deleted by your web browser.

These objects can also be stored on your end device by third-party companies when you enter our site (third-party requests). This enables us, as the operator, and you, as a visitor to this website, to make use of certain third-party services installed on this website. Examples include the processing of payment services or the display of videos.

These mechanisms have a wide range of possible uses. They can improve the functionality of a website, control shopping basket functions, increase the security and convenience of using the website and carry out analyses of visitor flows and behaviour. Depending on the individual functions, these are to be classified under data protection law. If they are necessary for the operation of the website and intended to provide certain functions (shopping cart function) or serve to optimise the website (e.g. cookies to measure visitor behaviour), then their use is based on Art. 6 para. 1 lit. f DSGVO. As the website operator, we have a legitimate interest in the storage of local storage items, session storage items and cookies for the technically error-free and optimised provision of our services. In all other cases, local storage items, session storage items and cookies are only stored with your express consent (Art. 6 para. 1 lit. a DSGVO).

If local storage items, session storage items or cookies from third-party companies are used or for analysis purposes, we will inform you of this separately in this data protection notice. Your required consent will be requested and can be revoked at any time.

Use of external services

External services are used on our website. External services are services from third-party providers that are used on our website. This may be for a variety of reasons, such as embedding videos or for website security. When using these services, personal data is also passed on to the respective providers of these external services. If we have no legitimate interest in the use of these services, we obtain your consent as a visitor to our website, which can be revoked at any time, before using them (Art. 6 para. 1 lit. a GDPR).

Analytics

We process personal data of website visitors to analyse user behaviour. By analysing the data obtained, we are able to compile information on the use of the individual components of our website. This enables us to increase the user-friendliness of our website. The analysis tools used could, for example, be used to create user profiles for the purpose of displaying targeted or interest-based advertising messages, to recognise our website visitors the next time they visit our website, to measure their click/scroll behaviour, their downloads measured, heat maps created, page views recognised, the duration of the visit or the bounce rates measured, and the origin of the website visitors (city, country, from which page the visitor comes) traced. With the help of the analysis tools, our market research and marketing activities can be improved.

Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, the data processing in the manner described above will not take place. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the withdrawal of consent remains unaffected.

Google Analytics

We use the Google Analytics service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Use of the service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Further information can be found in the provider's data protection information at the following URL: y.

The service uses the following cookies on our website:

Name Storage duration Type Purpose
_ga 400 days 1st-party cookie Contains a randomly generated user ID. This ID enables Google Analytics to recognise returning users on this website and to merge the data from previous visits.
_ga_X5W0VRWZ0D 400 days 1st-party cookie Collects data on how often a user has visited a website, as well as data for the first and last visit.
_gat_gtag_UA_125315378_1 1 minute 1st-party cookie Ensures that data is only transmitted to Google Analytics once a minute. As long as it is set, certain data transfers are prevented.
_gid 24 hours 1st-party cookie This cookie assigns an ID to a user so that the web tracker can summarise the user's actions under this ID.

Consent management

In order to comply with data protection requirements, we use a consent management tool on our website. We use this tool to obtain the necessary consent for setting cookies or using external services. The consent is stored.

The processing is necessary for compliance with a legal obligation to which the controller (operator of the website) is subject. The legal basis for the processing is therefore Article 6(1)(c) GDPR.

Joomla Cookie Consent

We use the Joomla Cookie Consent service on our website. This service is provided by Open Source Matters, Inc., PO Box 4668 #88354, New York, 10163-4668, USA.

Since this service is hosted locally on the web server, no data is transferred to third parties. The service stores the following data in the browser's local or session storage:

Name Storage duration Type Purpose
gdprCategoriesChoices Permanent 1st-Party Local Storage Stores the categories of cookies for which consent has been given.

Content Delivery Network (CDN)

We use a content delivery network (CDN) to optimise the performance and availability of our website. To do this, the service provider that provides this network processes your IP address and the information about when you visited our website. You can find all further information about data processing by this service provider in its data protection notice.

We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).

Our legitimate interest in using a content delivery network is to be able to display our website as quickly, securely and reliably as possible.

Fastly

We use the Fastly service on our website. The service is provided by Fastly, Inc., 475 Brannan St, Suite 300 San Francisco, CA 94107, USA.

Use of the service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Further information can be found in the provider's data protection information at the following URL: https://www.fast ly.com/de/privacy/.

Map service

We use a map service on this website. In order for the map to be used and displayed on the website, the map must be loaded from the provider's server. This involves transferring your IP address to the provider's server. Depending on the provider, cookies and other technologies, including fonts, may be loaded. You can find more details in the provider's privacy policy.

Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, data processing in the manner described above will not take place. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the withdrawal of consent remains unaffected.

Google Maps

We use the Google Maps service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Use of the service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Further information can be found in the provider's data protection information at the following URL: y.

Interface software

Business processes run more cost-effectively, quickly and accurately when they are automated using software via interfaces. This allows them to be efficiently integrated into business processes via your own website or social networks. We use interface software on our website to link different applications with each other and to transfer personal data securely from one application to another.

Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, the data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The legality of the processing carried out up to the point of revocation remains unaffected.

Google APIs

We use the Google APIs service on our website. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Use of the service may result in data being transferred to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Further information can be found in the provider's data protection information at the following URL: y.

Google Tag Manager

We use the Google Tag Manager service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Further information can be found in the provider's data protection information at the following URL: y.

Web fonts

This site uses so-called web fonts, which are provided by an external provider and loaded by the browser when the website is accessed, to ensure fonts are displayed consistently. In doing so, the web font provider learns that your IP address has accessed our website because your browser establishes a direct connection to the web font provider.

Processing only takes place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 (1) (a) GDPR). Without your consent, data processing in the manner described above will not take place. If you withdraw your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the withdrawal of consent remains unaffected.

Google Fonts (local hosting)

We use the Google Fonts service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google fonts are installed locally, so no connection to Google's servers is established. Further information can be found in the provider's data protection information at the following URL: y.

Websecurity

We use tools on our website to protect against unauthorised access, spam or other attacks. This increases the security of our website.

We base this processing on a legitimate interest (Art. 6 para. 1 lit. f DSGVO).

Our legitimate interest is to be able to guarantee the security of our website and to protect ourselves from unauthorised access, spam and other attacks.

Google Recaptcha

We use the Google Recaptcha service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Use of the service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Further information can be found in the provider's data protection information at the following URL: y.

The service uses cookies on our website and stores data in the browser's local or session storage:

Name Storage duration Type Purpose
_grecaptcha Permanent 1st-party local storage Used to protect against spam.
_GRECAPTCHA 180 days 3rd-party cookie, www.google.com Used to protect the website from spam requests
rc::a Persistent 3rd-Party LocalStorage, www.google.com Used to read and filter requests from bots.
rc::b Session 3rd-Party SessionStorage, www.google.com Used to read and filter requests from bots.
rc::c Session 3rd-Party SessionStorage, www.google.com Used to read and filter requests from bots.
rc::d-* [7] Persistent 3rd-party LocalStorage, www.google.com Used to distinguish between humans and bots.
rc::f Persistent 3rd-party LocalStorage, www.google.com Used to distinguish between humans and bots.

hCaptcha

We use the hCaptcha service on our website. The service is provided by Intuition Machines, Inc., 350 Alabama St, San Francisco, CA 94110, USA.

Use of the service may result in data being transferred to a third country (USA).

Further information can be found in the provider's data protection information at the following URL: y.

The service uses the following cookies on our website:

Name Storage duration Type Purpose
__cflb 30 minutes 3rd-party cookie, api2.hcaptcha.com This cookie makes it possible to return an end user to the same customer base for a specific period of time configured by the customer. This provides the end user with a seamless experience

Contact form

On our website, you have the option to send us a message using a contact form. If you contact us using this form, we will need your contact details in particular.

The legal basis for this is the processing for the purpose of fulfilling the contract or pre-contractual measures in accordance with Art. 6 (1) point b GDPR. In addition, there may be a legitimate interest in maintaining business relationships or answering your enquiry for other reasons.

In this case, the legal basis for the processing of your data would be Article 6 (1) (f) GDPR.

The data will be deleted once we have finally answered your enquiry and there are no other retention requirements to the contrary.

Handling of applicant data

You have the option to send us an application (e.g. by post, online application form or by email). The personal data received as a result will be stored and processed by us for the application process.

The basis for the processing is Art. 6 (1) point b GDPR as well as Art. 6 (1) point a GDPR, provided that consent has been granted. Insofar as German law is applicable, Section 26 of the German Federal Data Protection Act (BDSG) is used in particular as the legal basis for the processing. You can revoke your consent at any time. The legality of the processing carried out up to the point of revocation remains unaffected.

If an employment relationship results from the application, the data collected will be stored for the purpose of processing the employment relationship on the basis of Art. 6 (1) point b GDPR. If no employment relationship is established, the data will be stored on the basis of Art. 6 (1) point f GDPR for the duration of the statutory claims, in particular due to discrimination in the application process. This is necessary for defence against any lawsuits or accusations. If consent has been granted, the data will be stored for a longer period on the basis of Article 6(1)(a) GDPR. You can withdraw your consent at any time. The lawfulness of the processing carried out up to the point of withdrawal remains unaffected.

If no employment relationship is established, the applicant can be included in our pool of applicants. In this case, all the information provided in the application will be stored so that the person in question can be contacted about suitable job vacancies.

Data is only stored in the applicant pool after consent has been granted on the basis of Art. 6 (1) (a) GDPR. This consent can be withdrawn at any time, whereupon the corresponding data will be deleted, provided there are no legal grounds for retention. Deletion will occur automatically no later than two years after consent has been granted. The lawfulness of the processing carried out until consent is withdrawn remains unaffected.

Presence on Facebook

Social networks process their users' personal data on a large scale. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign the IP addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions at your own responsibility. Details on data processing can be found in the operator's privacy policy.

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Details can be found in Facebook's privacy policy: y/.

The purpose of our profiles on social media platforms is to expand our internet presence and thus increase our popularity. Therefore, the legal basis is legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. Furthermore, with regard to the processing activities by the social networks, reference is made to their own legal bases (e.g. consent in accordance with Art. 6 para. 1 lit. a DSGVO), which you can find in the respective data protection declaration.

In principle, we are jointly responsible with the social media platform for the data processing operations triggered when you visit our profile. Therefore, you can assert your rights as a data subject in accordance with Art. 15ff DGSVO against the social media platform as well as against us. However, we would like to point out that we have no influence on the data processing by the social media platform.

Presence on Instagram

addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions at your own responsibility. You can find details on data processing in the operator's data protection declaration.

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

You can find detailed information about how personal data is handled in Instagram's privacy policy: .

The purpose of our profiles on social media platforms is to increase our internet presence and thus raise our profile. Therefore, the legal basis for legitimate interest in accordance with Article 6 (1) (f) GDPR is to be used. Furthermore, with regard to the processing activities by the social networks, reference is made to their own legal bases (e.g. consent in accordance with Article 6 (1) (a) GDPR), which you can find in the respective data protection declaration.

In principle, we are jointly responsible with the social media platform for the data processing operations triggered when visiting our profile. Therefore, you can assert your rights as a data subject in accordance with Art. 15ff DGSVO against the social media platform as well as against us. However, we would like to point out that we have no influence on the data processing by the social media platform.

Presence on LinkedIn

Social networks process their users' personal data on a large scale. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign IP addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions at your own risk. Details on data processing can be found in the operator's data protection declaration.

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

Detailed information on the handling of personal data can be found in LinkedIn's privacy policy: y.

The purpose of our profiles on social media platforms is to increase our internet presence and thus achieve greater awareness. Therefore, the legal basis for this is a legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. Furthermore, with regard to the processing activities by the social networks, reference is made to their own legal bases (e.g. consent in accordance with Art. 6 para. 1 lit. a DSGVO), which you can find in the respective data protection declaration.

Pinterest

Social networks process their users' personal data on a large scale. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign IP addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions at your own risk. You can find details on data processing in the operator's data protection declaration.

We have a profile on Pinterest. The operator is Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

For details, please refer to the Pinterest privacy policy: https://polic>y.pinterest.com/de/privacy-policy.

The purpose of our profiles on social media platforms is to increase our internet presence and thus achieve greater awareness. Therefore, the legal basis is legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. Furthermore,

with regard to the processing activities by the social networks, reference is made to their own legal bases (e.g. consent in accordance with Art. 6 para. 1 lit. a DSGVO), which you can find in the respective data protection declaration.

Presence on X

Social networks process personal data of their users to a large extent. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign IP addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions at your own risk. Details on data processing can be found in the operator's data protection declaration.

We have a profile on X. The provider is X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. For details, please refer to the X privacy policy: y.

The purpose of our profiles on social media platforms is to increase our internet presence and thus our popularity. Therefore, the legal basis for this is a legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. Furthermore, with regard to the processing activities by the social networks, reference is made to their own legal bases (e.g. consent in accordance with Art. 6 para. 1 lit. a DSGVO), which you can find in the respective data protection declaration.

Data protection notice in accordance with Art. 13 GDPR

Links