In addition, all persons affected by data processing are informed of their rights as data subjects. When handling this data, we act in strict compliance with the relevant legal data privacy regulations and the following principles. We have implemented numerous technical and organisational measures to ensure extensive protection of the personal data processed via our website.
Fürst von Metternich Winneburg’sche Domäne Schloss Johannisberg GbR
Represented by Mr. Stefan Doktor
Phone: +49 (0)6722 70090
Fax: +49 (0)6722 700933
a) Personal data:
Personal data is any information which relates to an identified or an identifiable natural person (hereinafter “you”). An identifiable private individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that private individual.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(c) Use of pseudonyms:
Pseudonyms are used when processing personal data so that the data can no longer be allocated to a specific affected person without using additional information, to the extent that this additional information is stored separately and is subject to corresponding technical and organisational activities that ensure that the personal data cannot be allocated to an identified or identifiable private individual.
(d) Person responsible:
The person responsible is the private individual or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or national law, the responsible person or the specific criteria for his designation may be provided for by Union or national law.
(e) Contract processors:
A Contract processor is a private individual or legal entity, public authority, agency or other body which processes personal data on behalf of the responsible person.
Consent means any freely given and informed unequivocal expression of the data subject’s wishes in the specific case, in the form of a statement or any other unequivocal affirmative act by which the data subject signifies his or her consent to the processing of personal data relating to him or her.
(g) Supervisory authority:
The supervisory authority is an independent state body established by a member state in accordance with Art. 51 GDPR.
Data processing and consent
In all cases of data processing described below, we observe the principle of data avoidance and data economy. This means that we process as little personal data as possible.
a) We process your personal data if and insofar as this is necessary for the establishment, implementation or termination of a contractual or quasi-contractual relationship. The legal basis for the processing of personal data in connection with a contractual or quasi-contractual relationship is Article 6 (1) sentence 1 b of the GDPR. This also applies to processing operations necessary for the implementation of pre-contractual activities.
The personal data will be deleted as soon as the purpose of the data processing is no longer applicable and legal retention periods have expired.
If you place an order in our online shop, we process your personal data for the establishment, execution or termination of a contractual relationship on the basis of Art. 6 (1) sentence 1b of the GDPR. Which personal data is transmitted to the responsible person can be seen from the respective entry mask.
b) In all other respects we process your personal data if and insofar as you have given us your consent to do so. This data will only be used for the purpose and to the extent stated in the consent, e.g. we will only inform you about our products and services in accordance with the consent you have given. The legal basis for data processing based on your consent is Art. 6(1) Sentence 1 a of the GDPR, in which case you have the right of revocation for the future. You can send the revocation by letter or by e-mail to the contact data of the responsible body mentioned under point 1. The legality of the data processing carried out until the revocation remains unaffected by the revocation. The personal data will be deleted after the completion of the purpose pursued with the consent, in compliance with the legal storage obligations. Within the scope of the consent, your personal data may be transferred to third parties who process this data exclusively for the purpose of the consent.
c) Otherwise we process your personal data in pseudonymised form. If the processing is necessary to safeguard a legitimate interest of ours or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) Sentence 1 f of the GDPR serves as the legal basis, with the possibility of objecting to this data processing in the future. You can send the objection by letter or by e-mail to the contact data of the responsible body mentioned under point 1. The legality of the data processing carried out until the revocation remains unaffected by the revocation. The personal data will be deleted after the legitimate interests have been reached or after an objection, in compliance with the legal storage obligations. Within the scope of legitimate interests, your personal data may be transferred to third parties who process this data exclusively for the purpose compliance with the interests.
Registration, newsletter and order
Our website may provide the possibility to register (e.g. for the newsletter), to contact us or to order goods by providing personal data. Which personal data is transmitted to the responsible person can be seen from the respective registration mask. The data that you enter will be processed exclusively for the purposes specified in connection with the registration or order. If you contact us by e-mail, via a contact form or in a comparable form (e.g. inquiries about our products or services), the personal data you have provided will also be processed. However, this data processing is limited to the purpose of processing your inquiries or contacting you.
As part of contractual or quasi-contractual relationships the legal basis is given by Article 6 (1) sentence 1 b of the GDPR. This applies, for example, to an order placed in our online shop or to a contact made with the aim of concluding a contract.
The data entered when subscribing for the newsletter is processed exclusively on the basis of your consent (Art. 6 (1) a of the GDPR). The newsletter is sent by our service provider CleverReach GmbH Co KG, Mühlenstr. 43, 26180 Rastede, Germany. For this reason, we transmit your personal data to the service provider exclusively for the purpose of sending the newsletter.
You can revoke your consent to the storage of data, in particular your e-mail address and their use to send the newsletter at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data that you have stored with us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after unsubscribing from the newsletter. However, after you have been removed from the newsletter distribution list, your e-mail address may be stored in a blacklist by us or the newsletter service provider to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in compliance with the legal requirements when sending newsletters (legitimate interest in the sense of Art. 6 (1) lit. f of the GDPR). There is no time limit for data saved in the blacklist. You can object to the storage if your interests outweigh our legitimate interests.
Data stored by us for other purposes (for example e-mail addresses for existing customers) remains unaffected by this.
If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising.
If you place an objection concerning process for direct advertising, we will no longer use the personal data for this purpose.
Automatically generated data
Each time you access our website, data is automatically processed in log files, which originate from your terminal device and may also include personal data. This applies to the following data:
We do not process this data together with other personal data about you, i.e. we do not associate the aforementioned data with your person.
This data is processed based on Article 6 (1) Sentence 1 f of the GDPR. Processing is required in order to ensure the website’s ability to function and also to optimise the content of our website and deliver this correctly, and to provide the criminal prosecution authorities with the requisite information for prosecution in the event of a cyber-attack. This is also where the legitimate interest for data processing lies. The automatically generated data will be deleted as soon as it is no longer required to achieve the above-mentioned purposes and legal retention periods have expired.
The hosting services, which we use with our Internet pages, serve the provision of the following services: Platform services and infrastructure services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of providing our websites. For this purpose, we or our hosting provider process the following data: Meta and communication data of customers, inventory data, contact data, content data, contract data, usage data, interested parties and visitors of our website. The hosting provider is used for the purpose of fulfilling the contract with you (Art. 6 (1) lit. b of the GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 (1) lit. f of the GDPR). We have concluded a contract processing agreement with the hosting provider.
The different types of cookies and similar technologies used on our website are described below:
a) Description and scope of data processing:
The term “cookies” is used in the following for all technologies with which user data is stored locally and possibly transferred to us or third parties in the course of your website visit.
(b) Cookie categories:
Cookies are stored for different periods. Both “permanent cookies” and “session cookies” are used on our website:
aa) Session cookies are only stored during your current visit to our website and are used to enable you to use our services without restrictions and to ensure the most convenient possible use of our website for your current visit to our site. If session cookies are deactivated, it cannot be guaranteed that you will be able to use all our services without restriction.
bb) The permanent cookies remain temporarily stored after your visit to our website (temporary cookies) and serve to enable you to use our website as conveniently as possible, even after your current visit, and are only used by us for this purpose. Deactivation of these cookies generally has no effect on the usability of our site. Depending on their function and intended use, cookies can be divided into the following categories:
aaa) Necessary cookies (type 1):
These cookies are mandatory for our website and its functions to function properly. They make it possible to improve the comfort and performance of websites and provide various functions. This allows you to save information that you have already entered (such as user name, language selection or the location where you are) to save you having to enter it again.
bbb) Functional cookies (type 2):
These cookies are used to obtain information about your use of our website. They enable, for example, the identification of particularly popular areas of our Internet offering in order to be able to tailor the content of our website more specifically to your needs. You can find more information on these cookies and their individual deletion under lit. e).
ccc) Marketing and third-party cookies (type 3):
These cookies are used to display advertisements that are more specifically relevant to the user and tailored to his or her interests. This information may be shared with third parties, such as advertisers. Cookies to improve targeting and advertising are often linked to third-party site functionality. You can find more information on marketing cookies and their individual deletion under lit. e).
Our website may also contain content from third parties, such as Facebook services or YouTube videos. These third parties may set cookies while you are using our website and may receive information about your use of the website. The cookies are primarily used to integrate social media content such as social plugins on our site. For further information, please refer to section 8 as well as on the website of the third-party providers.
c) Legal basis and further information:
The cookies only process anonymised and pseudonymised data (data processing). The provision of this data is neither required by law nor by contract, nor is it necessary for the conclusion of a contract. Insofar as personal data is also processed in the form of pseudonymised data, the legal basis for this is the consent given by you when you access our website (Art. 6 (1) Sentence 1 a of the GDPR) or the legitimate interests of us or the third party providers in direct advertising (Art. 6 (1) Sentence 1 f of the GDPR).
d) Deletion of the cookies:
However, you can also visit our websites without cookies. New cookies can be stored and cookies that have already been set can be deleted as follows: In the case of data processing on the basis of legitimate interests (Art. 6 (1) sentence 1 of the GDPR), you can object to all cookies or only certain types of cookies by selecting “do not accept cookies” in your browser settings. It is possible that not all functions of the website can be fully used if all or individual cookies for our website have been deactivated. For information on independently deleting cookies, please refer to the instructions of your browser or terminal device manufacturer.
Additional information on functional cookies and marketing cookies (type 2 & type 3) and their individual deletion vis-à-vis specifically named third parties is provided below.
e) Special cookies:
Our website uses various performance and marketing cookies, which are described in detail below.
(i) Our website uses Borlabs Cookie Content Technology to obtain your consent to the storage of certain cookies in your browser and to document these in a manner consistent with data protection. This technology is provided by Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (hereinafter Borlabs).
When you enter our website, a Borlabs cookie is stored in your browser, which stores the consents you have given or the revocation of those consents. This data is not passed on to the provider of Borlabs Cookies.
The data collected will be stored until you request us to delete it or until you delete the Borlabs cookie itself or until the purpose for which the data is stored no longer applies. Mandatory statutory retention periods remain unaffected. You can find more information on how data from Borlabs cookies is processed here: https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/.
(ii) Detailed list of cookies used on our website
Essential cookies enable basic functions and are necessary for the proper function of the website.
|Provider||Owner of this website|
|Purpose||Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.|
|Cookie Expiry||1 Year|
|Name||PHP Session ID|
|Provider||Owner of this website|
|Purpose||Assigns a unique ID to each website visitor to be able to identify requests from the web server.|
|Name||Shopping cart cookie|
|Provider||Owner of this website|
|Purpose||Records whether products are in the shopping cart and preserves them for future access.|
|Name||WPML Language preferences|
|Provider||Owner of this website|
|Purpose||Saves the website language selected by the visitor.|
|Cookie Expiry||1 day|
|Name||Age Gate - Age verification|
|Provider||Owner of this website|
|Purpose||A session cookie that is used to grant access to the main site only to users who have confirmed that they are over legal age.|
Statistics cookies collect information anonymously. This information helps us to understand how our visitors use our website.
|Name||Google Tag Manager|
|Purpose||Cookie by Google used to control advanced script and event handling.|
|Cookie Expiry||2 Years|
Content from video platforms and social media platforms is blocked by default. If External Media cookies are accepted, access to those contents no longer requires manual consent.
|Purpose||Used to unblock Facebook content.|
|Purpose||Used to unblock Google Maps content.|
|Cookie Expiry||6 Month|
|Purpose||Used to unblock Instagram content.|
|Purpose||Used to unblock Twitter content.|
|Cookie Name||__widgetsettings, local_storage_support_test|
|Purpose||Used to unblock YouTube content.|
|Cookie Expiry||6 Month|
(iii) In order to improve the convenience and quality of our service, the following web services of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) are enabled on this website. Google receives and processes the data generated by the use of the corresponding cookies on our website.
We use Google Analytics on our website. Google Analytics uses temporary cookies that enable your use of the website to be analysed. The stored data on your use of our website including your IP address (“usage data”) is usually transferred to a Google server in the USA and stored there. We would like to point out that on our website Google Analytics has been extended by the code “gat._anonymizeIp();” in order to guarantee an anonymised recording of IP addresses (so-called IP-masking). As part of IP masking, your IP address is abbreviated by Google within a member state of the European Union or another state which is party to the treaty on the European Economic Area. The full IP address will only be transferred to Google’s servers in the USA and shortened there in exceptional cases.
Google will use this information on our behalf to evaluate your use of our website, to compile reports on website activities for us and to provide us with further services associated with the use of the website and the Internet. A transfer of this data by Google to third parties only takes place due to legal regulations or within the scope of order processing. You can prevent cookies being saved by adjusting your browser software’s settings accordingly; however, in this case please note that you may not be able to fully use all of our website’s functions. In addition, you can prevent the data generated by the cookie and which relate to your use of the Web site (including your IP address) being recorded by Google and also any processing of this data by Google, by downloading and installing the browser plugin available at the following Link. You can find more information about Google Analytics under this link http://tools.google.com/dlpage/gaoptout?hl=de
Right of withdrawal and right of appeal
a) Right to revocation of authorisation under data privacy law
You have the right to fully or partially revoke authorisation to process personal data at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
b) Right to appeal
You have the right to object at any time to the processing of personal data concerning yourself, which is carried out on the basis of Art. 6 (1) sentence 1 e or f of the GDPR (Art. 21 (1) of the GDPR). The legality of the data processing carried out until the revocation remains unaffected by the revocation. We no longer process personal data in the event of an objection, unless we can prove that there are mandatory reasons for processing that merit protection which outweigh your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal entitlements.
If your personal data is processed for the purpose of direct advertising, you have the right to object to this at any time (Art. 21 (2) of the GDPR). In the event of an objection, we no longer process the personal data. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
You can send the objection by letter or by e-mail to the contact data of the responsible body mentioned under point 1.
a) Right to confirmation
You have the right to ask us to confirm whether we process personal data about you.
b) Right to information
You have the right to receive information from us at any time and free of charge concerning the information we have processed concerning you, and to receive a copy of this information. In addition, you have a right of information as to whether personal data is transferred to another country or to an international organisation. If this is the case, you also have a right to receive information on the suitable guarantees in connection with the transfer.
c) Right of rectification:
You have the right to demand the immediate correction of incorrect personal data that relates to you. In addition you have the right, while considering the processing purposes, to demand the completion of incomplete personal data – including via a supplementary declaration.
d) Right to the deletion of data (right to be forgotten):
The GDPR provides for a right of deletion. You have the right to demand that we immediately delete personal data relating to you, to the extent that one of the following reasons is given and to the extent that processing is not necessary:
The personal data was collected for purposes or otherwise processed for which it is no longer needed.
• You revoke your authorisation on which processing is based according to Article 6 (1) Letter a) of the GDPR or Article 9 (2) Letter a) of the GDPR, and there is no other legal basis for processing.
• You object to the processing within the meaning of Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
• You object to processing within the meaning of Art. 21 (2) of the GDPR.
• Personal data has been illegally processed.
• The deletion of personal data is necessary to comply with a legal obligation under Union or national law.
• Personal data was collected with regard to services offered by the IT company according to Article 8 (1) of the GDPR.
e) Right to the restriction of processing:
You have the right to request that we restrict processing if one of the following conditions is present:
• You dispute that the personal data is correct, and for a period which allows the responsible person to review the correct nature of the personal data.
• Processing is illegal and you reject the deletion of the personal data and, instead you request that the use of the personal data is restricted.
• We no longer need the personal data for processing, however you need this to assert, exert or defend legal entitlements.
• You have objected to the processing pursuant to Art. You have objected to the processing according to Article 21 (1) of the GDPR and it is not yet certain whether our company’s legitimate reasons outweigh your rights.
f) Right to transferability of data:
You have the right to receive the personal data you provide us with in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on the consent pursuant to Art. 6 (1) sentence 1 a of the GDPR or on a contract pursuant to Art. 6 (1) sentence 1 b of the GDPR and the processing is carried out by means of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition, when exercising your right to the transferability of data, you have the right to intervene so that the personal data is transferred directly from one responsible party to another, to the extent that this is feasible and to the extent that this does not impact the rights and freedoms of other persons.
g) Right to file a complaint with a supervisory authority:
In addition to these rights, you have a right of complaint to the supervisory authority responsible for data protection (Hessen: State Commissioner for Data Protection and Freedom of Information Hessen, Wiesbaden).
Transfer of data to third parties
Within the scope of the contractual relationship, your personal data may be transferred to third parties who process this data exclusively for compliance with the contractual purpose. This applies in particular to postal delivery services for the delivery of age restricted goods and payment services for the fulfilment of your payment obligations.
We work together with the following payment providers:
We offer, for example, payment via PayPal on our website. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”).
If you choose to pay via PayPal, the payment details you enter will be sent to PayPal.
We offer, for example, payment by means of an “Sofort-Überweisung” on our website. The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter referred to as “Sofort GmbH”).
With the help of the “Sofort-Überweisung” procedure, we receive a payment confirmation from Sofort GmbH in real time and can start fulfilling our obligations immediately.
Once you have decided on the “Sofort-Überweisung” payment method, send the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us with the help of the TAN you provided. It then immediately sends us a transaction confirmation. After logging in, your turnover, the credit line of the overdraft facility and the existence of other accounts as well as their stocks are automatically checked.
In addition to the PIN and the TAN, the payment data entered by you and your personal data will also be transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), email address, IP address and any other data required for payment processing. The transmission of this data is necessary in order to establish your identity beyond doubt and to prevent fraud attempts.
Your data is sent to Sofort GmbH based on Article 6 (1) lit. b of the GDPR which allows the processing of data to fulfil a contract.
For details on payment by immediate transfer, please refer to the following link: https://www.sofort.de/datenschutz.html.
When paying by Amazon pay, your data is transferred to Amazon Payments Europe S.C.A. 38 avenue J.F. Kennedy, L-1855 Luxembourg. When using payment services your data is processed based on Article 6 (1) lit. b of the GDPR, which allows the processing of data to fulfil a contract.
We use the company BS PAYONE GmbH, Lyoner Str. 9, 60528 Frankfurt am Main to process payments. When using payment services your data is processed based on Article 6 (1) lit. b of the GDPR, which allows the processing of data to fulfil a contract.
Due to our legitimate interests (Art. 6 para. 1 lit. f. of the GDPR) we use content or services of third party providers on our website (hereinafter referred to as “content”). Item 3.a) remains unaffected. This includes, for example, the embedding of videos, the use of fonts, etc. In order for the content to be displayed correctly, the third-party providers are sometimes dependent on perceiving your IP address, otherwise the content cannot be sent to the browser. When selecting third-party services, we always try to use only those that need your IP address exclusively for the delivery of the content offered.
The following third party providers offer content or services on our website:
Google Web Fonts:
Our website uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers. This allows Google to know that this website has been accessed via your IP address. The use of Google WebFonts is based on Art. 6 (1) lit. f of the GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on his website. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 (1) letter a of the GDPR; the consent can be revoked at any time.
If your browser does not support web fonts, a standard font will be used by your computer.
This site uses the Google Maps map service via an API.
To ensure the privacy of this site, Google Maps is disabled when you first enter this site. A direct connection to Google’s servers is only established when you activate Google Maps yourself (consent in accordance with Art. 6 (1) lit. a of the GDPR). This prevents your data from being transferred to Google the first time you enter the site.
After activation, Google Maps will save your IP address. The information is generally transferred to and saved on one of Google’s servers in the USA. The provider of this site has no influence on this data transfer after Google Maps has been activated.
Information on transfers from third countries
In the event that we transfer your personal data to entities in third countries outside the EU or the EEA, this will only take place if the EU Commission has decided that the third country, territory or several specific sectors in that third country offer an adequate level of protection or if there are adequate or appropriate data protection safeguards within the meaning of Art. 46 or Art. 47 or Art. 49 of the GDPR.
We do not process personal data of persons who have not yet reached the age of 18. If we become aware that such data has been transmitted to us without the consent of a parent or guardian, we will delete it immediately. We are dependent on corresponding information from you as a parent or legal guardian.
We process your personal data only for the period of time required to achieve the purpose of processing and for which we are obliged by law to retain the data. If the purpose of the data processing ceases to apply and there are no longer any statutory retention periods, the personal data is routinely deleted or restricted/blocked in accordance with the statutory provisions.
Obligation to provide data
The provision of your personal data is partly required by law (e.g. tax regulations) or also results from contractual regulations (e.g. information on the contractual partner). In order to conclude a contract, it may also be necessary that you provide us with personal data, which must subsequently be processed by us. Failure to provide the personal data would mean that the contract with you could not be concluded. If you do not wish to provide personal data in these cases, you can contact the responsible office in stated in point 1 by post or e-mail. We will inform you on a case-by-case basis whether the provision of the personal data is required by law or contract or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data is not provided.
Data privacy officer
If you have any questions concerning the collection, processing or use of your personal data, for information, correction, blocking or the deletion of data please contact:
Fürst von Metternich Winneburg’sche Domäne Schloss Johannisberg GbR
Version dated: January 2020