Privacy policy

We are pleased that you are visiting our website. The protection and security of your personal information when using our website is very important to us. We would therefore like to take this opportunity to inform you which of your personal data we collect when you visit our website and for what purposes it is used.
This privacy policy applies to the website of WINI Büromöbel Georg Schmidt GmbH & Co KG, which can be accessed under the domain www.wini.de and the various subdomains ("our website").

Who is responsible and how can you contact us?

Controller for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR):
WINI Büromöbel Georg Schmidt GmbH & Co. KG, Auhagenstraße 79, 31863 Coppenbrügge OT Marienau, Phone: +49 5156 979-0, Fax: +49 5156 979-100, info@wini.de, www.wini.de

Personally liable company
WINI Büromöbel Georg Schmidt Beteiligungsgesellschaft mbH

Managing directors authorized to represent
Carolina Schmidt-Karsch, Jan Hendrik Karsch, Jörg Pannekoike, Dirk Hölscher

Data protection officer
SaphirIT GmbH
Managing director: Frank W. Stroot, lawyer, data protection officer (TÜV), data protection auditor (TÜV)
Sutthauser Straße 285
49080 Osnabrück
E-mail: datenschutz@saphirit.de
Internet: https://www.saphirit.de

What is it about?
This privacy policy meets the legal requirements for transparency in the processing of personal data. This is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth, e-mail address, IP address or user behavior when visiting a website. Information for which we cannot (or only with disproportionate effort) establish a reference to your person, e.g. through anonymization, is not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) always requires a legal basis and a defined purpose.

Stored personal data will be deleted as soon as the purpose of the processing has been achieved and there are no legitimate reasons for further storage of the data. We will inform you about the specific storage periods or criteria for storage in the individual processing operations. Irrespective of this, we store your personal data in individual cases for the assertion, exercise or defense of legal claims and in the event of statutory retention obligations.

Who receives your data?
We only pass on your personal data that we process on our website to third parties if this is necessary for the fulfillment of the purposes and is covered by the legal basis (e.g. consent or protection of legitimate interests) in individual cases. In addition, in individual cases we pass on personal data to third parties if this serves the assertion, exercise or defense of legal claims. Possible recipients may then be, for example, law enforcement authorities, lawyers, auditors, courts, etc.

Insofar as we use service providers for the operation of our website who process personal data on our behalf as part of order processing in accordance with Art. 28 GDPR, they may be recipients of your personal data. You can find more information on the use of processors and web services in the overview of the individual processing operations.

Do we use cookies?
Cookies are small text files that are sent by us to the browser of your end device and stored there when you visit our website. As an alternative to the use of cookies, information can also be stored in the local storage of your browser. Some functions of our website cannot be offered without the use of cookies or local storage (technically necessary cookies). Other cookies, on the other hand, enable us to perform various analyses, so that we are able, for example, to recognize the browser you are using when you visit our website again and to transmit various information to us (non-essential cookies). With the help of cookies, we can, among other things, make our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser. Cookies do not cause any damage to your end device. They cannot execute programs or contain viruses.

We provide information about the respective services for which we use cookies in the individual processing operations. Detailed information on the cookies used can be found in the cookie settings or in the Consent Manager of this website.

Domain	Domain name	Cookie description	Storage period
.fonts.net	__cf_bm	The __cf_bm cookie is a cookie required to support Cloudflare Bot Management, which is currently in private beta. As part of our bot management service, this cookie helps manage incoming traffic that meets the criteria of bots.	29 minutes
.wini.com	_ga	This cookie name is associated with Google Universal Analytics - an important update to Google's more widely used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client ID. It is included in every page request in a website and used to calculate visitor, session and campaign data for the websites' analytics reports. By default, it expires after 2 years, although this can be customized by website owners.	approx. 2 years
.wini.de	_gat	This cookie name is associated with Google Universal Analytics, according to the documentation it is used to throttle the request rate - limiting the collection of data on high traffic websites. It expires after 10 minutes.	15 seconds
.wini.de	_gid	This cookie name is associated with google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited.	24 hours
www.wini.de	_pk_id.2.086b	This cookie name is associated with the open source web analytics platform Piwik. It is used to help website owners track visitor behavior and measure website performance. It is a pattern cookie where the prefix _pk_id is followed by a Short series of numbers and letters, which are assumed to be a reference code for the domain that sets the cookie.	approx. 1 year
www.wini.de	_pk_ses.2.086b	This cookie name is associated with the open source web analytics platform Piwik. It is used to help website owners track visitor behavior and measure website performance. It is a pattern cookie, where the prefix _pk_ses is followed by a Short series of numbers and letters, which are assumed to be a reference code for the domain that sets the cookie.	29 minutes
www.wini.de	fe_typo_user	This cookie name is assigned to the Typo3 web content management system. It is generally used as a user session identifier to allow user preferences to be saved, but in many cases it may not be needed as it can be set by the platform through Defualt, although this can be prevented by website administrators. In most cases, it is destroyed at the end of a browser session. It contains a random identifier instead of specific user data.	Session

What rights do you have?
Under the conditions of the statutory provisions of the General Data Protection Regulation (GDPR), you have the following rights as a data subject:

Information in accordance with Art. 15 GDPR about the data stored about you in the form of meaningful information on the details of the processing as well as a copy of your data;
Correction in accordance with Art. 16 GDPR of incorrect or incomplete data stored by us;
Erasure in accordance with Art. 17 GDPR of the data stored by us, unless the processing is necessary for exercising the Right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
restriction of processing pursuant to Art. 18 GDPR if the accuracy of the data is contested, the processing is unlawful, we no longer need the data and you oppose the erasure of the data because you need it for the establishment, exercise or defense of legal claims or you have objected to processing pursuant to Art. 21 GDPR
Data portability pursuant to Art. 20 GDPR, insofar as you have provided us with personal data on the basis of consent pursuant to Art. 6 para. 1 lit. a GDPR or on the basis of a contract pursuant to Art. 6 para. 1 lit. b GDPR and these have been processed by us using automated procedures. You will receive your data in a structured, commonly used and machine-readable format or we will transmit the data directly to another controller if this is technically feasible.
Objection pursuant to Art. 21 GDPR to the processing of your personal data, insofar as this is carried out on the basis of Art. 6 para. 1 lit. e, f GDPR and there are reasons for this arising from your particular situation or the objection is directed against direct advertising. The right to object does not exist if overriding, compelling legitimate grounds for the processing can be demonstrated or the processing is carried out for the establishment, exercise or defense of legal claims. If the right to object does not exist for individual processing operations, this is indicated there.
Withdrawal pursuant to Art. 7 para. 3 GDPR of your consent given with effect for the future.
Complaint pursuant to Art. 77 GDPR to a supervisory authority if you believe that the processing of your personal data violates the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence, your workplace or our company headquarters.

How is your data processed in detail?

Below we inform you about the individual processing operations, the scope and purpose of the data processing, the legal basis, the obligation to provide your data and the respective storage period. Automated decision-making in individual cases, including profiling, does not take place.

Provision of the website

Type and scope of processing
When you access and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is temporarily stored in a log file

IP address of the requesting computer
Date and time of access
Name and URL of the retrieved file
Website from which the access was made (referrer URL)
Browser used and, if applicable, the operating system of your computer, as well as the name of your access provider

Purpose and legal basis
The processing is carried out to safeguard our overriding legitimate interest in displaying our website and ensuring security and stability on the basis of Art. 6 para. lit. f GDPR. The collection of data and storage in log files is absolutely necessary for the operation of the website. There is no right to object to the processing due to the exception under Art. 21 para. 1 GDPR. Insofar as further storage of the log files is required by law, the processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR. There is no legal or contractual obligation to provide the data, but it is not technically possible to access our website Without providing the data.

Storage period
The aforementioned data is stored for the duration of the display of the website [and for technical reasons for a maximum of 3 months beyond that].

Presence on social media platforms
We maintain so-called fan pages or accounts or channels on the networks mentioned at the bottom in order to provide you with information and offers within social networks and to offer you further ways to contact us and find out about our offers. In the following, we will inform you about which of your data we or the respective social network process in connection with your accessing and using our fan pages/accounts.

Data that we process from you
If you wish to contact us via Messenger or via direct message via the respective social network, we generally process your user name, which you use to contact us, and may store other data provided by you to the extent necessary to process/respond to your request.

The legal basis is Art. 6 para. 1 sentence 1 f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller).

(Static) usage data that we receive from the social networks
We receive automated statistics regarding our accounts via Insights functionalities. The statistics include the total number of page views, likes, information on page activity and post interactions, reach, video views/views and information on the proportion of men/women among our fans/followers.

The statistics only contain aggregated data that cannot be linked to individual persons. They are not identifiable to us.

What data the social networks process from you
In order to view the content of our fan pages or accounts, you do not need to be a member of the respective social network and therefore no user account is required for the respective social network.

Please note, however, that the social networks also collect and store data from website visitors Without a user account when the respective social network is called up (e.g. technical data in order to be able to display the website to you) and use cookies and similar technologies, over which we have no influence. You can find details on this in the privacy policy of the respective social network (see the corresponding links at the top)

If you wish to interact with the content on our fan pages/accounts, e.g. comment on, share or like our posts/contributions and/or wish to contact us via Messenger functions, you must first register with the respective social network and provide personal data.

We have no influence on the data processing by the social networks when you use them. To the best of our knowledge, your data is stored and processed in particular With the provision of the services of the respective social network, as well as for the analysis of user behavior (using cookies, pixels/web beacons and similar technologies) on the basis of which advertising based on your interests is displayed both within and outside the respective social network. It cannot be ruled out that your data will also be stored by the social networks outside the EU/EEA and passed on to third parties.

Information on, among other things, the exact scope and purposes of the processing of your personal data, the storage period/deletion and guidelines on the use of cookies and similar technologies in the context of registration and use of the social networks can be found in the data protection provisions/cookie guidelines of the social networks. There you will also find information on your rights and options to object.

Facebook page
When you visit our Facebook page, Facebook collects, among other things, your IP address and other information that is stored on your PC in the form of cookies. This information is used to provide us, as the operator of the Facebook pages, with statistical information about the use of the Facebook page. Facebook provides more information on this at the bottom of the following link: https: //facebook.com/help/pages/insights.

It is not possible for us to draw conclusions about individual users based on the statistical information transmitted. We only use this information to respond to the interests of our users and to continuously improve our online presence and ensure its quality.

We only collect your data via our fan page in order to make it available for communication and interaction with us. This collection generally includes your name, message content, comment content and the profile information you provide "publicly".

The processing of your personal data for our purposes mentioned at the top is based on our legitimate business and communicative interest in offering an information and communication channel in accordance with Art. 6 para. 1 f) GDPR. If you as a user have given your consent to data processing to the respective provider of the social network, the legal basis for processing extends to Art. 6 para. 1 a), Art. 7 GDPR.

Due to the fact that the actual data processing is carried out by the provider of the social network, our access to your data is limited. Only the provider of the social network is authorized to have full access to your data. As a result, only the provider can directly take and implement appropriate measures to fulfill your user rights (request for information, request for deletion, objection, etc.). The most effective way to assert such rights is therefore to contact the respective provider directly.

With Facebook, we are jointly responsible for the personal content of the fan page. Data subject rights can be asserted with Facebook Ireland and with us.

The primary responsibility for the processing of Insights data lies with Facebook in accordance with the GDPR and Facebook fulfills all obligations under the GDPR with regard to the processing of Insights data, Facebook Ireland provides the essentials of the Page Insights Supplement to the data subjects.

We do not make any decisions regarding the processing of Insights data and all other information resulting from Art. 13 GDPR, including the legal basis, identity of the controller and storage duration of cookies on user end devices.

Please note that further information can be found directly on Facebook (supplementary agreement with Facebook): https: //www.facebook.com/legal/terms/page_controller_addendum.

XING page
XING is a social network of XING SE based in Hamburg, Germany, which enables the creation of private and professional profiles. Users can maintain their existing contacts and make new ones. Companies can create profiles where photos and other company information can be uploaded. Other XING users have access to this information and can write their own articles and share this content with others.

The focus is on professional exchanges on specialist topics with people who have the same professional interests. In addition, XING is often used by companies and other organizations to recruit employees and present themselves as an interesting employer.

You can find more information about XING at the bottom:

https://corporate.xing.com/de/unternehmen/

Further information on data protection at XING can be found at the bottom:

https://privacy.xing.com/de/datenschutzerklaerung.

We do not collect or process any personal data via our XING company page.

YouTube page
YouTube is a video-on-demand service that allows users to upload, watch and share videos, including movie and music clips and amateur content. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Further information about YouTube can be found at the bottom:

www.youtube.com/intl/de/about/
Further information about data protection at YouTube can be found at:
https://policies.google.com/privacy
Further questions about data protection are answered here:
policies.google.com/technologies/product-privacy

Fast Fonts
Type and scope of processing
We use Fast Fonts from Monotype Imaging Inc, 600 Unicorn Park Drive, Woburn, Massachusetts 01801 USA, as a service to provide fonts for our online offering. To obtain these fonts, you establish a connection to Monotype Imaging Inc. servers, whereby your IP address is transmitted.

Purpose and legal basis
The use of Fast Fonts is based on your consent in accordance with Art. 6 para. 1 lit. a. GDPR and § 25 para. 1 TTDSG.

The data processing operations are also not precluded by the fact that the data may be processed by the provider outside the European Union, possibly in cooperation with Google LLC. Your consent also includes a declaration in accordance with Article 49(1)(a) GDPR.

Please read our notes under "Information: Consent to transfer to third country bodies based in the USA, including the risk information" before giving your consent.

Storage period
The specific storage period of the processed data cannot be influenced by us, but is determined by Monotype Imaging Inc. Please note further information in the privacy policy for Fast Fonts: https: //www.monotype.com/legal/privacy-policy.

Google Analytics
Type and scope of processing
We use Google Analytics from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as an analysis service for the statistical evaluation of our online offer. This includes, for example, the number of visits to our website, subpages visited and the length of stay of visitors.

Google Analytics uses cookies and other browser technologies to evaluate user behaviour and recognize users.

This information is used, among other things, to compile reports on website activity.

Purpose and legal basis
Google Analytics is used on the basis of your consent in accordance with Art. 6 para. 1 lit. a. GDPR and § 25 para. 1 TTDSG.

Please read our notes under "Information: Consent to transfer to third country bodies based in the USA, including the risk information" before giving your consent.

Storage period
The specific storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Please note further information in the privacy policy for Google Analytics: https: //policies.google.com/privacy.

Google DoubleClick
Type and scope of processing
We have integrated components of DoubleClick by Google on our website. DoubleClick is a Google brand under which special online marketing solutions are primarily marketed to advertising agencies and publishers. DoubleClick by Google transfers data to the DoubleClick server with every impression as well as with clicks or other activities.

Each of these data transfers triggers a cookie request to the data subject's browser. If the browser accepts this request, DoubleClick places a cookie in your browser.

DoubleClick uses a cookie ID, which is required to process the technical procedure. The cookie ID is required, for example, to display an advertisement in a browser. DoubleClick can also use the cookie ID to record which advertisements have already been displayed in a browser in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions. Conversions are recorded, for example, if a user has previously been shown a DoubleClick ad and subsequently makes a purchase on the advertiser's website with the same Internet browser.

A DoubleClick cookie does not contain any personal data, but may contain additional campaign identifiers. A campaign identifier is used to identify the campaigns with which you have already been in contact on other websites. As part of this service, Google obtains knowledge of data that Google also uses to create commission statements. Among other things, Google can see that you have clicked on certain links on our website. In this case, your data will be passed on to the operator of DoubleClick, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information and the applicable data protection provisions of DoubleClick by Google can be found at policies.google.com/privacy.

Purpose and legal basis
We process your data with the help of the DoubleClick cookie for the purpose of optimizing and displaying advertising on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. You give your consent by setting the use of cookies (cookie banner / Consent Manager), with which you can also declare your revocation at any time with effect for the future in accordance with Art. 7 para. 3 GDPR. The cookie is used, among other things, to place and display user-relevant advertising and to create reports on advertising campaigns or to improve them. The cookie is also used to avoid multiple displays of the same advertisement. Each time you access one of the individual pages of our website on which a DoubleClick component has been integrated, your browser is automatically prompted by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and billing of commissions. There is no legal or contractual obligation to provide your data. If you do not give us your consent, you can visit our website without restriction, but not all functions may be fully available.

The use of Google DoubleClick is based on your consent in accordance with Art. 6 para. 1 lit. a. GDPR and § 25 para. 1 TTDSG.

Please read our notes under "Information: Consent to transfer to third country bodies based in the USA, including the risk information" before giving your consent.

Matomo
Type and scope of processing

We use the open source software tool Matomo (formerly PIWIK) on our website. The software sets a cookie in your browser (for cookies, see above). If individual pages of our website are accessed, the following data is stored

Two bytes of the IP address of the user's accessing system (anonymized IP address)
The website accessed
The website from which the user accessed the website (referrer)
The subpages that are accessed from the accessed website
The time spent on the website
The frequency with which the website is accessed

The software runs exclusively on the servers of our website. Your personal data is only stored there. The data is not passed on to third parties.

Purpose and legal basis
We process your data with the help of the Matomo analysis software for the purpose of evaluating the use of individual components and contents of our website on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. You give your consent by setting the use of cookies (cookie banner / Consent Manager), with which you can also declare your revocation at any time with effect for the future in accordance with Art. 7 para. 3 GDPR. There is no legal or contractual obligation to provide your data. If you do not give us your consent, you can visit our website without restriction, but not all functions may be fully available.

Storage duration
The specific storage duration of the cookies set is 13 months.

Starfield Security trust seal
Type and scope of processing
We use Starfield Security trust seal to properly provide the content of our website. Starfield Security trust seal is a service of Starfield Technologies, LLC, which acts as a content delivery network (CDN) on our website.

A CDN helps to provide the content of our online offer, in particular files such as graphics or scripts, more quickly with the help of regionally or internationally distributed servers. When you access this content, you establish a connection to the servers of Starfield Technologies, LLC, 2155 E Warner Rd. Tempe, AZ 85284, United States, whereby your IP address and possibly browser data such as your user agent are transmitted. This data is processed exclusively for the purposes mentioned at the top and to maintain the security and functionality of Starfield Security trust seal.

Purpose and legal basis
The use of the Content Delivery Network is based on our legitimate interests, i.e. interest in the secure and efficient provision and optimization of our online offer in accordance with Art. 6 para. 1 lit. f. GDPR. GDPR.

Storage period
The specific storage period of the processed data cannot be influenced by us, but is determined by Starfield Technologies, LLC. Please note further information in the Starfield Security trust seal privacy policy: https: //www.starfieldtech.com/.

Data transfer to entities outside the European Union

We transfer personal data to bodies that are located outside the European Union or at least cannot rule this out (hereinafter: third country body). In accordance with Art. 44 of the General Data Protection Regulation (GDPR), we are obliged to guarantee that the level of protection of the General Data Protection Regulation is not undercut in these cases. We would like to point out that the third country body can be both a controller and a processor.

Art. 45 GDPR contains the transfer of data on the basis of an adequacy decision. If we refer to this in this privacy policy, this means that the third country body is located in a country, territory or specific sector for which the EU Commission has decided that an adequate level of data protection comparable to the GDPR exists.

Art. 46 (1) and (5) GDPR stipulates that data transfer is also possible on the basis of so-called standard contractual clauses. If we refer to standard contractual clauses, it is ensured that the third country body accepts these and has thus undertaken to comply with a level of data protection comparable to the GDPR.

Finally, there is the possibility that we may rely on your consent in accordance with Art. 29 para. 1 lit. a GDPR when transferring data to the third country body. This means that you have been informed about all existing possible risks regarding a data transfer for which no adequacy decision or other guarantees exist and have nevertheless consented to the data transfer.

We describe the corresponding risks in the relevant sections of this privacy policy.

Information: EU standard contractual clauses and third country bodies based in the USA

In addition to the explanations under "Data transfer to bodies outside the European Union", we would like to draw your attention to a special constellation.

With data transfers to entities based in the USA, the possibility of invoking the EU standard contractual clauses is limited. Therefore, if we intend to invoke the EU standard contractual clauses in this context (or already do so), we would like to point out the following:

We only base the transfer of personal data to entities in the USA on standard contractual clauses if we have first thoroughly examined the facts of the case. We first carry out a risk assessment. In doing so, we pay particular attention to the type and sensitivity of the data concerned, the scope and purpose of the data processing and the susceptibility to misuse.

We then check whether the entity processing the personal data has taken sufficient technical and organizational measures (e.g. processing of data exclusively in European data centers, encryption) to sufficiently minimize the risks identified in advance. We will only invoke the EU standard contractual clauses if we have come to the conclusion after this comprehensive review that they exceptionally guarantee an adequate level of data protection.

Please note this possibility merely as a precaution. It is also possible that we will not refer to this in this declaration, as we do not make use of it.

Information: Consent to transfer to third country bodies based in the USA, including risk information

In addition to the explanations under "Data transfer to bodies outside the European Union" - we would like to draw your attention to another special constellation.

As already described, the possibility of invoking EU standard contractual clauses when transferring data to a location in the USA is only possible to a limited extent. Therefore, in some cases, the only option is to obtain your consent to the transfer of data.

Before granting this consent, we ask you to take note of the following risks and consider them when deciding whether to give your consent.

We would like to emphasize that a data transfer to the USA Without the protection of an adequacy decision may involve considerable risks. Please note the following risks in particular:

There is no uniform data protection law in the USA; in particular not one that would be comparable with the GDPR applicable in the EU. This means that both US companies and government agencies have more opportunities to process your personal data, in particular for advertising, profiling and conducting (criminal) investigations. Our options for taking action against this are considerably restricted.
The US legislator has granted itself numerous rights of access to your personal data (see, for example, Section 702 of FISA or E.O. 12333 in conjunction with PPD-28 and Cloud Act 2018). PPD-28 and Cloud Act 2018), which are not compatible with our understanding of the law. In particular, there is no proportionality check prior to access, as is customary in the EU.
Citizens of the European Union cannot expect effective legal protection in the USA.
As a rule, we will only ask you for such consent if we have come to the conclusion that the US third country office cannot successfully invoke EU standard contractual clauses.

Status 02/2023