- Information about the collection of personal data
1.1 In the following we inform you about the collection of personal data. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.
1.2 The responsible parties pursuant to Article 4 (7) of the EU General Data Protection Regulation (DS-GVO) are Rosen Apotheke, Nadja Wehner e.K., Happinger Straße 77 b, 83026 Rosenheim, firstname.lastname@example.org (see our imprint).
1.3 When you contact us by e-mail or via our online contact form, the data you provide (e.g. your e-mail address and your first and last name) will be stored by us in order to answer your inquiries. We delete the data accrued in this context after the storage is no longer necessary or restrict the processing if there are legal obligations to retain data.
- Your rights
2.1 You have the following rights with respect to us regarding personal data concerning you:
- Right to information,
- Right to rectification or deletion,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability.
2.2 You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.
- Collection of personal data when visiting our website
3.1 In the case of merely informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Art. 6 para. 1 p. 1 lit. f DS-GVO):
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software.
3.1.1 In addition to the previously mentioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive, associated with the browser you are using, and through which the entity that sets the cookie (in this case, us) receives certain information. Cookies cannot execute programs or transfer viruses to your computer. They serve to make the Internet offer as a whole more user-friendly and effective.
This website uses the following types of cookies, the scope and functionality of which are explained below:
- Transient cookies (see 3.2.1)
- Persistent cookies (see 3.2.2)
3.2.1 Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests of your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.
3.2.2 Persistent cookies are deleted automatically after a specified period of time, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time.
3.2.3 You can configure your browser settings according to your preferences and, for example, refuse to accept third-party cookies or all cookies. Please note that you may not be able to use all functions of this website.
4. Use of Google Analytics on our website
4.1 This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.
4.2 The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
4.4 This website uses Google Analytics with the extension “_anonymizeIp()”. This means that IP addresses are processed in abbreviated form, thus excluding the possibility of personal references. Insofar as the data collected about you is related to a person, this is therefore immediately excluded and the personal data is thus immediately deleted.
4.5 We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. f DS-GVO.
4.7 To ensure sufficient data security when submitting forms, we use the service reCAPTCHA. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. reCAPTCHA is used primarily to determine whether an input is made by a natural person or abusively by machine and automated processing. The service sends the IP address and possibly further data required for the reCAPTCHA service to Google. The data processing is based on Art. 6 para. 1 p. 1 lit. f DS-GVO. We have a legitimate interest in protecting our web offers from abusive automated spying and from spam.
5.1 With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers from our product range.
5.2 For the registration to our newsletter we use the so-called double-opt-in procedure. This means that after your registration, we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your respective IP addresses used and times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.
5.3 The only mandatory information for sending the newsletter is your e-mail address. After your confirmation, we store your e-mail address for the purpose of sending the newsletter. The legal basis is Art. 6 para. 1 p. 1 lit. a DS-GVO.
5.4 You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare the revocation by clicking on the link provided in each newsletter email, via the form on the website, by email to email@example.com or by sending a message to the contact details provided in the imprint.
- Use of our webshop
If you want to order in our webshop, it is necessary for the conclusion of the contract that you provide your personal data, which we need for the processing of your order. Mandatory data necessary for the processing of contracts are marked separately, other data are voluntary. We process the data you provide to process your order. For this purpose, we may pass on your payment data to our house bank. The legal basis for this is Art. 6 para. 1 p. 1 lit. b DS-GVO.
You can voluntarily create a customer account, through which we can store your data for future purchases. When creating an account under “My Account”, the data you provide will be stored revocably. You can always delete all further data, including your user account, in the customer area.
We may also process the data you provide to inform you about other interesting products from our portfolio or to send you e-mails with technical information. Insofar as we have received your e-mail address in connection with the sale of goods and use it for direct advertising for similar goods, you can object to this use at any time without incurring any costs other than the transmission costs according to the basic rates. We will clearly point this out to you again for each use. The legal basis is Art. 6 para. 1 p. 1 lit. f DS-GVO, § 7 para. 3 UWG.
We are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, we restrict processing after two years, i.e. your data is only used to comply with legal obligations.
To prevent unauthorized access by third parties to your personal data, especially financial data, the ordering process is encrypted.
- Use of the blog function
In our blog, where we publish various posts on topics related to our activities, you can make public comments. Your comment will be published with your specified username at the post. We recommend using a pseudonym instead of your real name. You are required to provide your username and e-mail address; all other information is voluntary. If you post a comment, we will continue to store your IP address, which we will delete after one week. The storage is necessary for us to be able to defend ourselves against liability claims in cases of possible publication of illegal content. We need your e-mail address to contact you if a third party should object to your comment as unlawful. Legal bases are Art. 6 para. 1 p. 1 lit. b and f DS-GVO. The comments are not checked before publication. We reserve the right to delete comments if they are objected to by third parties as unlawful.
- Use of social media plug-ins
8.1 We currently use the following social media plug-ins: Facebook, Google+, Twitter, Pinterest. We use the so-called two-click solution. This means that when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognize the provider of the plug-in by the corresponding logo. We open up the possibility for you to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it does the plug-in provider receive the information that you have called up the corresponding website of our online offer. In addition, the data mentioned under item 3 of this declaration is transmitted. In the case of Facebook, according to the respective providers in Germany, the IP address is anonymized immediately after collection. By activating the plug-in, personal data is therefore transmitted from you to the respective plug-in provider and stored there (in the case of US providers, in the USA). Since the plug-in provider collects the data in particular via cookies, we recommend that you delete all cookies via the security settings of your browser.
8.2 We have no influence on the collected data and data processing operations, nor are we aware of the full extent of the data collection, the purposes of the processing, the storage periods. We also have no information on the deletion of the collected data by the plug-in provider.
8.3 The plug-in provider stores the data collected about you as usage profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. Via the plug-ins, we offer you the opportunity to interact with the social networks and other users, so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 para. 1 p. 1 lit. f DS-GVO.
8.4 The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, your data collected from us will be directly assigned to your account with the plug-in provider. If you click the activated button and link to the page, for example, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this allows you to avoid an assignment to your profile with the plug-in provider.
8.5 For more information on the purpose and scope of data collection and processing by the plug-in provider, please refer to the data protection declarations of these providers provided below. There you will also receive further information about your rights in this regard and setting options for protecting your privacy.
8.6 Addresses of the respective plug-in providers and URL with their privacy notices:
8.6.1 Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; Facebook has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
8.6.2 Google Inc, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
8.6.3 Twitter, Inc, 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
8.6.4 Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; https://policy.pinterest.com/de/privacy-policy.
- Integration of YouTube videos
- Mandatory information for data collection outside our website (pharmacies).
In the following, we inform you about the processing framework for data collections outside our website, where you use the services of our pharmacies.
10.1 Categories of personal data processed: Prescription data, health data, name data, address data, contact data, date of birth, contract data, billing data.
10.2 Criteria for determining the storage period of personal data: The legislator has enacted a wide range of retention obligations and periods. After expiration of these periods, the corresponding data is routinely deleted if it is no longer required to fulfill the order. If data is not affected by this, it is deleted when the purposes stated for collecting it no longer apply. Declarations of consent which are not used for two years (e.g. through the use of the customer card) will be deleted insofar as this does not conflict with statutory storage obligations.
10.3 Purposes for which the personal data are processed: Provision of medicines by a public pharmacy; accounting vis-à-vis health insurance companies; customer loyalty.
10.4 Legal basis for data processing: Supply of medicines by a public pharmacy: legal permission, Art. 6 (1) p. 1 lit. b, 9 (2) DS-GVO. Billing to health insurance companies: legal permission, Art. 6 para. 1 p. 1 lit. b, 9 para. 2 DS-GVO, § 300 SGB V. Customer loyalty: consents, Art. 6 para. 1 p. 1 lit. a DS-GVO.
10.5 Provision of personal data required for the conclusion of a contract: Yes, with regard to the supply of prescription medicines, which cannot otherwise take place.
10.6 Categories of recipients of the personal data: Internal: employees in main and branch pharmacies involved in the execution and fulfillment of the respective information processes. External: external bodies with which commissioned data processing agreements are concluded in accordance with Art. 28 DS-GVO, such as health insurance funds and pharmacy billing bodies; doctors, hospitals, therapists, care and nursing facilities; public bodies which receive data on the basis of statutory regulations, such as tax authorities and social insurance carriers; IT service providers; tax consultants.
10.7 Data is not transferred abroad and is not intended to be transferred abroad.
10.8 Sections 1 and 2 of this data protection declaration shall also apply to data collections within the meaning of Section 10.
- Mandatory information for data collection outside our website (PurNatur)
In the following, we inform you about the processing framework for data collections outside of our website, where you make use of the PurNatur offer.
11.1 Categories of personal data that are processed: Name data, address data, contact data, date of birth, contract data, billing data.
11.2 Criteria for determining the storage period of personal data: The legislator has enacted a wide range of retention obligations and periods. After expiration of these periods, the corresponding data is routinely deleted if it is no longer required to fulfill the order. If data is not affected by this, it is deleted when the purposes stated for collecting it no longer apply. Declarations of consent which are not used for two years (e.g. through the use of the customer card) will be deleted insofar as this does not conflict with statutory retention obligations.
11.3 Purposes for which the personal data are processed: Contract processing in a natural food store; customer loyalty.
11.4 Legal basis for data processing: contract processing in a health food store: legal permission, Art. 6 para. 1 p. 1 lit. b. Customer loyalty: consents, Art. 6 para. 1 p. 1 lit. a DS-GVO.
11.5 The provision of personal data is not required for the conclusion of a contract. The online order makes it necessary to provide certain personal data requested as part of the order.
11.6 Categories of recipients of the personal data: Employees involved in the execution and fulfillment of the respective information processes.
11.7 A transfer abroad does not take place and is not intended.
11.8 Items 1 and 2 of this data protection declaration also apply to data collections as defined in item 11.
- Card payments
In the area of card payments (direct debit/girocard/credit cards) we work together with Concardis GmbH (Concardis), Helfmann Park 7, D-65760 Eschborn, represented by its managing directors Mark Freese, Jens Mahlke and Luca Zanotti.
In this context, in addition to the purchase amount and date, card data will also be transmitted to the above-mentioned company.
All payment data as well as data on any chargebacks that may occur will only be stored as long as they are needed for payment processing (including the processing of possible chargebacks and debt collection) and to combat abuse. As a rule, the data is deleted no later than 13 months after it is collected.
Beyond this, further storage may take place if and as long as this is necessary to comply with a statutory retention period or to prosecute a specific case of abuse. The legal basis for data processing is Art. 6 (1) f) of the General Data Protection Regulation.
You can request information and, if necessary, correction or deletion as well as restriction of the processing of your data and/or, if necessary, object to the processing of your data. If you have any questions regarding data processing by Concardis or to assert your aforementioned rights, you can contact the data protection officer, who can be reached at the address given or by e-mail at Datenschutzbeauftragter@concardis.com.
Furthermore, you have the right to complain to a supervisory authority (in Germany, the state data protection commissioners). We would like to point out that the provision of payment data is neither legally nor contractually required. If you do not want to provide your payment data, you can use another payment method (e.g. cash payment).