A. Basic information
Thank you for your interest in our online offering. The protection of your private sphere is a major concern for us. We place great value on the protection of your personal data and your right to informational self-determination. In the following, we inform you about the collection and processing of personal data when using our website/online offering at www.vegascosmetics.de. Personal data is defined as meaning any information concerning an identified or identifiable natural person (“data subject”), e.g. name, address, e-mail address, user behaviour.
1. Data Controller
Responsible for data protection in accordance with Article 4(7) of the EU General Data Protection Regulation (GDPR):
Vegas Cosmetics GmbH
Telephone: + 49 (0) 60 78 / 96 81 10
You can find further information and contact details, as well as additional legal notices in our Imprint.
2. Data security
We secure our website and other systems against loss, destruction, access, modification or distribution of your data by unauthorised persons through technical and organisational measures. The access to customer accounts is only possible after entering a user ID and a personal password. You should always treat your access data confidentially and log out of your customer/consultant account and close the browser window when you have finished communicating with us, especially if you share your computer with others.
In order to ensure a secure communication, we provide an encrypted communication via SSL protocol as standard, which we use, in particular, to transfer your personal data in our online shop.
With regard to access to our website, data that may allow identification (e.g. IP address) is temporarily stored on our servers for the purposes of data and system security, but generally not for more than 30 days. The processing of possibly personal data for purposes of data and system security is carried out on the basis of the first sentence of Article 6(1)(f) of the GDPR and our legitimate interest in protecting our systems and preventing misuse.
3. Principles regarding storage and deletion of personal data
Personal data shall only be processed for the period required to achieve the purpose of said processing, or if this is provided for in laws or regulations applicable to our company (e.g. commercial or tax storage obligations). If the storage purpose no longer applies, or if a legally stipulated storage period expires, the personal data concerned shall be routinely deleted in accordance with the statutory provisions or their processing shall be restricted, e.g. restricted processing within the scope of commercial or tax law storage obligations.
The processing of personal data on the basis of a legal obligation, namely the fulfilment of legal storage obligations, is based on the first sentence of Article 6(1)(c) of the GDPR. As far as personal data are processed for purposes of preserving evidence pursuant to the first sentence of Article 6(1)(f) of the GDPR, these processing purposes expire after the statutory limitation periods; the ordinary statutory limitation period shall be three years.
For further details concerning storage and deletion periods, please refer to individual service descriptions/information contained in this privacy statement.
B. Visiting our website
If you merely use our website for information purposes, without registering or shopping in our online shop or otherwise providing us any personal information, we may collect the personal data which your browser transmits to our server.
1. Technical provision of the website
When you visit our website, we collect the following data, which is technically necessary for us to display our website to you and to guarantee the stability and security of our online offering:
– IP address
– Date and time of access
– Time zone difference compared to Greenwich Mean Time (GMT)
– Content of the request (specific page)
– Access status/HTTP status code
– Amount of data transferred in each case
– Website from which the request comes
– Operating system and its interface
– Language and version of the browser software.
This collection and processing are legally based on the first sentence of Article 6(1)(f) of the GDPR. Our legitimate interest lies in the provision of a functional website offering and its system security.
Within the scope of the operation of this website and the processes associated with it, we may be supported in particular by technical service providers (e.g. web hosters, IT service providers). If in this context personal data are processed by the relevant service provider, this is done on our behalf and in accordance with our instructions (order processing).
By using cookies, we are able to provide you with more user-friendly services which would not be possible without the setting of cookies or only to a limited extent. Therefore, cookies enable us to recognise the users of our Internet website. The purpose of this recognition is to make it easier for users of our online service to use it. An illustrative example is the shopping basket feature that you can find in the online shop. If you shop on a website, a cookie allows the shopping basket to "remember" the items the user has added to his/her virtual shopping basket during a session.
You can prevent the setting of cookies by means of an appropriate setting of your Internet browser and thus permanently object to the setting of cookies. Furthermore, you can also delete cookies that have already been set via an Internet browser or other software programs. However, please note that if you deactivate the setting of cookies in your Internet browser, you may not be able to use all the functions of our online offering.
3. Web Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how you use the website. For information on the type, scope and function of cookies in general, refer to the general explanations on cookies given above. The information generated by the cookie about your use of this website will usually be transmitted to and stored by Google on a server in the United States. However, in case of activation of the IP anonymisation on this website, your IP address will be truncated beforehand by Google within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA and truncated there.
This website uses Google Analytics with the extension “_anonymizeIp()”. With this extension, IP addresses are truncated for further processing in order to prevent direct association to a specific person. If the data collected about you contains any references to a specific person, this is immediately excluded and the personal data is immediately deleted.
On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports about website activities and to provide the operator of the website with further services associated with website and internet use. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google.
We use Google Analytics to analyse and regularly improve the use of our website. The statistics obtained allow us to improve our offering and make it more interesting for you as a user. Our legitimate interest in data processing also lies in these purposes.
The data sent by us and linked to cookies will be automatically deleted after 14 months. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield https://www.privacyshield.gov/EU-US-Framework.
As an alternative to the browser plug-in, especially for browsers on mobile devices, you can prevent Google Analytics from collecting data by clicking here [link]. By clicking on the link, an "opt-out cookie" is set, which prevents the future collection of your data when you visit this website. Please note that if you remove the cookies stored in your browser, the Google Analytics deactivation cookie for this website will also be deleted. Furthermore, if you use a different computer, mobile device or web browser, you will need to repeat the deactivation process.
Third party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html
Google’s privacy statement: http://www.google.de/intl/de/policies/privacy
We use the video-sharing platform “YouTube” on our website in order to integrate their videos and make them available to you on our website. In order for third party providers such as YouTube or Google to be able to show you the videos on our website, they need to recognise your IP address, since they send the respective data to the browser of your IP address. In this context, we endeavour to transmit only data as is absolutely necessary for the delivery of the content. This is legally based on the first sentence of Article 6(1)(f) of the GDPR. Our legitimate interest within the meaning of this regulation lies in the delivery and presentation of the contents offered on our website. Privacy statement from: https://www.google.com/policies/privacy/.
5. Facebook Social Plugins
Our website uses social plug-ins (“plug-ins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). This is legally based on the first sentence of Article 6(1)(f) of the GDPR. Our legitimate interest lies in the analysis and optimisation of our offering.
If a user calls up a feature on this website that contains the plug-in, the respective device establishes a direct connection with Facebook servers. The content of the plug-in is transmitted directly from Facebook to the user's device and integrated by the latter into the online offering. In this case, usage profiles of the users can be created from the processed data. Please note that we have no influence on the amount of data that Facebook collects with the help of this plug-in and therefore hereby inform the users according to our level of knowledge. By integrating the plug-ins, Facebook receives the information that a user has called up the corresponding page of the online offering. If the user is logged in to Facebook, Facebook can assign the visit to his/her Facebook account. By clicking on the Facebook logo (white “f” on a blue background), the corresponding information is transmitted from the device directly to Facebook and stored there. This enables the user to share our website with his/her friends in his/her Facebook account. If a user is not a member of Facebook, there is still the possibility that Facebook can find out his/her IP address and save it. According to Facebook, only an anonymous IP address is stored in Germany.
Further information, in particular on the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options to protect the privacy of the users, can be found in Facebook's privacy notices: https://www.facebook.com/about/privacy/.
We would like to point out that if a user is a Facebook member and does not want Facebook to collect data about him/her via our online offering and link it with his/her member data stored on Facebook, he/she must log out of Facebook before using our online offerings and delete his/her cookies. Further settings and objections regarding the use of data for advertising purposes are possible within Facebook’s profile settings, which can be viewed here: https://www.facebook.com/settings?tab=ads or via the USA page http://www.aboutads.info/choices/ or EU page http://www.youronlinechoices.com/. Please note that the settings are platform-independent, that is, they are applied to all devices, such as desktop computers or mobile devices.
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
The features and contents of the social networking service Twitter, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA are integrated on our website. This is legally based on the first sentence of Article 6(1)(f) of the GDPR. Our legitimate interest lies in the analysis and optimisation of our offering.
In particular, the Twitter button (recognisable by the Twitter logo: stylised white bird on a light blue background) is one of the features with which the user — who is a member of the Twitter platform — can share our website on his/her Twitter account. We would like to point out that if the user is a member of the Twitter platform, Twitter can assign the call of the above-mentioned contents and features to the profiles of the users therein. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).
Further information and Twitter's privacy statement can be found under: https://twitter.com/de/privacy. Please note that as a user of the Twitter platform, you have the option to opt-out under: https://twitter.com/personalization.
Features and contents of the service Pinterest, which are offered by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA are integrated on our website. This is legally based on the first sentence of Article 6(1)(f) of the GDPR. Our legitimate interest lies in the analysis and optimisation of our offering.
In particular, the Pinterest button (recognisable by the Pinterest logo: stylised white “p” on a red background) is one of the features with which the user — who is a member of the Pinterest platform — can share our website on his/her Pinterest account. We would like to point out that if the user is a member of the Pinterest platform, Pinterest can assign the call of the above-mentioned contents and features to the profiles of the users therein.
Further information and Pinterest's privacy statement can be found under: https://about.pinterest.com/de/privacy-policy.
C. Use of services
The collection and processing of data occur when you communicate with us on the occasion of ordering goods or registering or using the contact options provided (e.g. via our contact forms).
There are various ways for you to register on our website. To place an order in our online shop, the user must first register as a premium customer or consultant. Please refer to our separate information regarding data protection, which you can view and download here for premium customers and here for consultants.
For the respective registrations as well as for the order process in our online shop, we essentially process personal contact data, order data and payment data. This is legally based on the first sentence of Article 6(1)(b) of the GDPR, subject to the following further disclosures.
When placing an order or submitting the registration forms, we also store the following data on the legal basis of the first sentence of Article 6(1)(f) of the GDPR: IP address of the calling computer, date and time of submission. Our legitimate interest lies in the prevention of misuse of our service offerings, in the verifiability of enquiries, as well as in the efficient and structured collection and processing of customer enquiries and orders.
Transfer of data
Your data will only be passed on to third parties if this is necessary for the provision of the respective service. For example, your data will be transferred to the companies responsible for the shipping or to the financial service provider responsible for the handling of payments, to the extent necessary for order processing. The legal basis for the data processing is the first sentence of Article 6(1)(b) and (f) of the GDPR. The data processing occurs for the placement and processing of orders and to protect our legitimate interests in an efficient dispatch and payment processing.
Storage and deletion of personal data
In the case of registrations and orders, we are obliged under commercial and tax law to store your address, payment and order data for a period of ten years. The legal basis for the corresponding data processing is the first sentence of Article 6(1)(c) of the GDPR. However, after three years we generally restrict the processing, that is, your data will only be used to comply with legal obligations unless the processing of your personal data is necessary for other purposes. If so, this processing is covered by another legal basis (e.g. management of your customer account, etc.).
There are various ways on our website for you to get in touch with us and to send us messages. You may contact us by telephone, e-mail or via the contact form provided.
In case you contact us, we will store and process the data you have provided us (e.g. your e-mail and your name and telephone number if necessary) in order to process your request. In this respect, the legal basis is the first sentence of Article 6(1)(b) of the GDPR.
If you use our contact form to get in touch with us, at the time the completed form is submitted, the following data will also be stored on the legal basis of the first sentence of Article 6(1)(f) of the GDPR: IP address of the calling computer, date and time of submission. Our legitimate interest lies in the prevention of misuse of our service offerings, in the verifiability of the enquiries, as well as in the efficient and structured collection and processing of customer enquiries.
If you have expressly authorised us in the contact form to do so, your contact data may be forwarded to one of our consultants/business partners in your area; the legal basis for this is the first sentence of Article 6(1)(a) of the GDPR.
The resulting data will be deleted after storage is no longer needed, or the processing will be restricted if there are legal storage obligations.
In case you subscribe to our newsletter, we collect and process personal data for the purpose of sending you promotional information, namely information about our products, events as well as product and commercial offerings.
The registration is based on consent. Your e-mail address is the only mandatory information. The information regarding your form of address as well as your name and your company are voluntary and serve to address you personally. For the subscription to our newsletter, we use the so-called double opt-in procedure. This means that after your subscription we will send you an e-mail to the e-mail address you have provided, in which we will ask you to confirm that you wish to receive our newsletter via the e-mail address you have provided.
We use the data you have provided us to subscribe to the newsletter exclusively for the purpose of sending our newsletter. In addition, the following data is collected during subscription: IP address of the calling computer, date and time of subscription. The purpose of this collection and storage is to demonstrate that effective consent has, in fact, been given by the respective user and that the double opt-in procedure has been properly carried out.
The legal basis for the processing of your data for the purpose of providing the newsletter service is your consent pursuant to the first sentence of Article 6 (1)(a) of the GDPR. If we document the newsletter subscription technically, the legal basis for this is the first sentence of Article 6(1)(f) of the GDPR, whereby our legitimate interests lie in the verifiability of the proper collection or performance of the double opt-in procedure.
The data collected at the time of the newsletter subscription will only be stored as long as the newsletter subscription is active. The newsletter subscription can be cancelled at any time by the user concerned. For that reason, each newsletter contains a corresponding “unsubscribe” link. You may also contact us using or entering the e-mail address you have provided on your newsletter subscription; simply use the contact details provided in this privacy statement.
D. Rights of the data subject
We would like to inform you about your rights as “data subject” under the GDPR. The rights you are entitled to regarding your personal data are the following:
– Right of access (Article 15(1) and (2) of the GDPR)
– Right to rectification (Article 16 of the GDPR) or right to erasure (Article 17 of the GDPR)
– Right to restriction of processing (Article 18 of the GDPR)
– Right to data portability (Article 20 of the GDPR)
– Right to object to the processing (Article 21 of the GDPR)
– Right to withdraw (Article 7(3) of the GDPR)
– Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)
In addition, we summarise the key points of the rights of the data subject under the GDPR as follows. This presentation is not intended to be exhaustive, but aims merely to address the broad guidelines of the rights of the data subject under the GDPR:
– Right of access (including the right to confirmation and right to data access)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
The data subject shall have the right to obtain access to the personal data and the following information:
· The purposes of the processing;
· The categories of personal data concerned;
· The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
· Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
· The existence of the right to request from the controller a rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
· The right to lodge a complaint with a supervisory authority;
· Where the personal data are not collected from the data subject, any available information as to their source;
· The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
· If personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
The data subject shall have the right to obtain a copy of personal data relating to him or her which are undergoing processing.
– Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
– Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
· The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
· The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
· The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or
· The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
– Right to erasure
The data subject shall have, in principle and subject to the necessity of data processing determined by law (see, on the exceptions, Article 17(3) of the GDPR), the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
· The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
· The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
· The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
· The personal data have been unlawfully processed;
· The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
· The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
– Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract pursuant to point (b) of Article 6(1) and the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
– Right to withdraw
The data subject shall have the right to withdraw his or her consent given at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
– Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The data protection supervisory authority responsible for GmbH is: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden
– Reference to the right to object pursuant to Article 21(1) and (2) of the GDPR
As data subject you shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. If you lodge an objection, your personal data shall no longer be processed unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you wish to exercise your rights as a data subject or have general questions regarding data protection, please do not hesitate to contact us at any time.
Vegas Cosmetics GmbH
Telephone: + 49 (0) 60 78 / 96 81 10