The PIKO Spielwaren GmbH is responsible for many technical and organisational measures to ensure a complete protection of the personal data processed on these websites. Nevertheless, internet-based data transmission can always leave some security gaps and cannot be completely protected. Because of that, we leave it open to the affected person to choose alternative ways of communication, for example via telephone, through conventional mail or via fax, to transfer their personal data. These ways offer a higher level of security than email.
Amongst others, we use the following terminologies in our statement:
a) personal data
Personal data means all information relating to an identified or identifiable natural person (hereafter “affected person”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number, a location, an online identification or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
b) affected person
An affected person can be every identified or identifiable natural person, whose personal data is processed by the responsible person or company.
c) processing
A process is defined as any operation (with or without the support of automatic procedures) or set of operations which is performed upon personal data, such as the collection, recording, organisation, storage, adaptation, selection, retrieving, disclosure, distribution, comparison, connection, limitation, erasure or destruction of all data.
d) limitation of processing
Limitation of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) profiling
Profiling means every kind of automated processing of personal data which consists of using that personal data to evaluate, analyse and predict certain personal aspects relating to a natural person, especially work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or changes of location.
f) pseudonymisation
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific affected person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) recipient
‘Recipient’ means a natural or legal person, institution or authority, to which personal data is revealed, irrespective of whether it is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) third parties
‘Third party’ means a natural or legal person, public authority, agency or body other than the affected person, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) consent
‘Consent’ of the affected person means any freely given, specific, informed and unambiguous indication of the affected person’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Name and address of the controller
The controller within the meaning of the Data Protection Regulation, other data protection laws in force in the Member States of the European Union and other provisions of a data protection nature is:
PIKO Spielwaren GmbH
Telephone: 0049 (0) 3675/8972-0
Fax: 0049 (0) 3675/8972-50
Websites: www.piko.de / www.piko-shop.de
Legal representative: Dr René F. Wilfer
Name and address of the data protection officer
The data protection officer of the controller is:
Kronacher Str. 60
If there are any questions or proposals concerning data protection you can directly contact our data protection officer.
Rights of the affected person
At this point we would like to inform you about your rights as an affected person. These rights are set out in Art. 15 – 22 EU-GDPR. These include:
a) Right to obtain confirmation
Any affected person shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. If an affected person wants to exercise this right, he or she can contact the data protection officer or another employee of the controller at any time.
b) Right to access by the affected person
Every person affected by the collection of personal data shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purpose of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the affected person or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the affected person, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the affected person
Where personal data are transferred to a third country or to an international organisation, the affected person shall have the right to be informed of the appropriate safeguards relating to the transfer.
If an affected person wants to exercise the right to access, he or she can contact the data protection officer or another employee of the controller at any time.
c) Right to rectification
Any affected person shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the affected person shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If an affected person wants to exercise the right to rectification, he or she can contact the data protection officer or another employee of the controller at any time.
d) Right to erasure (‘right to be forgotten’)
The affected person shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The affected person withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
- The affected person objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the affected person objects to the processing pursuant to Article 21(2) GDPR.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If one of the above-mentioned reasons applies and the affected person demands the erasure of personal data collected by the PIKO Spielwaren GmbH, he or she can contact the data protection officer or another employee of the controller at any time. The data protection officer of the PIKO Spielwaren GmbH or another employee of the controller will arrange the erasure of the data immediately.
If personal data was published by the PIKO Spielwaren GmbH and our company is responsible for the erasure of this data according to article 17 (1) GDPR, the company’s data protection officer or another employee of the company will arrange appropriate measures (in consideration of technical and financial resources), including those of a technical nature, that lead to the erasure of the published data as well as all copies of and all links to these data as long as the processing of the data is not necessary.
e) Right to restriction of processing
The affected person shall have the right to obtain from the controller restriction of processing where one of the following conditions applies:
- The accuracy of the personal data is contested by the affected person, for a period enabling the controller to verify the accuracy of the personal data
- The processing is unlawful and the affected person opposes the erasure of the personal data and requests the restriction of their use instead
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the affected person for the establishment, exercise or defence of legal claims
- The affected person has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the affected person
If one of the above-mentioned conditions applies and the affected person demands the restriction of personal data collected by the PIKO Spielwaren GmbH, he or she can contact the data protection officer or another employee of the controller at any time. The data protection officer of the PIKO Spielwaren GmbH or another employee of the controller will arrange the restriction of the data immediately.
f) Right to data portability
Every affected person shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) GDPR and the processing is carried out by automated means. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In exercising his or her right to data portability pursuant to paragraph 1, the affected person shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
To execute the right to data portability the affected person can contact the company’s data protection officer or another employee of the controller at any time.
g) Right to object
Every affected person shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The PIKO Spielwaren GmbH shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the affected person or for the establishment, exercise or defence of legal claims.
If the PIKO Spielwaren GmbH processes personal data for direct marketing purposes, the affected person shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing measures.
If the affected person objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the affected person, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To execute the right to object, the affected person can contact the company’s data protection officer or another employee of the controller at any time. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the affected person may exercise his or her right to object by automated means using technical specifications
h) Automated individual decision-making, including profiling
Every affected person shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. That shall not apply if (1) the decision is necessary for entering into, or performance of, a contract between the affected person and a data controller; (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the affected person’s rights and freedoms and legitimate interests; or (3) is based on the affected person’s explicit consent.
If the decision is (1) necessary for entering into, or performance of, a contract between the affected person and a data controller or (2) is based on the affected person’s explicit consent the PIKO Spielwaren GmbH shall implement suitable measures to safeguard the affected person’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
To execute rights according to automated individual decision-making, including profiling, the affected person can contact the company’s data protection officer or another employee of the controller at any time.
i) Right to withdraw consent
Every affected person shall have the right to withdraw his or her consent at any time.
To execute the right to withdraw consent, the affected person can contact the company’s data protection officer or another employee of the controller at any time.
Purposes and legal bases of processing data
When processing your personal data, the EU GDPR and all other applicable provisions concerning the data protection laws are applied. The legal bases for data processing arise from Article 6 EU GDPR.
We use your data for initiating business; fulfilling contractual and legal obligations; implementing the contractual relationship; offering products and services; and strengthening the customer relationship, which may also include analysis for the purpose of marketing and direct advertising.
Your consent also represents a permission instruction under data protection law. We hereby inform you of the purposes of data processing and your right to object. If consent also relates to processing special categories of personal data, we will make explicit reference to this in the consent, Art. 88 Para. 1 GDPR. Special categories of personal data, as defined by Art. 9 Para 1 GDPR, may only be processed when necessary due to legal specifications and when there are no grounds to suspect that your legitimate interest in the exclusion of processing takes precedence, Art. 88, Para 1 GDPR.
Disclosure to third parties
We will only disclose your data to third parties in the framework of legal provisions or in the event of corresponding consent. Otherwise we will not disclose your data to third parties unless we are required to do so due to compulsory legal stipulations (disclosure to external bodies such as supervisory authorities or law enforcement authorities).
Data recipients / categories of recipients
Within our company, we ensure that only individuals who require your data to fulfil contractual and legal obligations receive access to that data.
In many cases, service providers (e.g. shipping providers like DHL or GLS, payment providers like PayPal and BSPayone for credit card payments, credit check companies, collection agencies and IT companies) support our departments in performing their tasks. The necessary data protection contracts have been concluded with all service providers.
Period of data storage
We store your data for as long as is needed for the respective purpose of processing. Please note that many retention periods exist requiring that data continues to be stored. This particularly relates to retention obligations under commercial or fiscal law (such as the Commercial Code (Handelsgesetzbuch, HGB), General Fiscal Law (Abgabenordnung, AbgO), etc.). Unless there are further-reaching retention obligations, the data will be routinely erased once the relevant purpose has been fulfilled.
In addition, we may retain data if you have provided your authorisation for us to do so, or if legal disputes arise within the statutory limitation period and we use pieces of evidence that become subject to legal limitation periods, which may be up to thirty years; the regular limitation period is three years.
Secure transfer of your data
We implement appropriate technical and organisational measures for the best possible protection of the data we store against accidental or deliberate manipulation, loss, destruction, or access by unauthorised individuals. Security levels are reviewed on an ongoing basis in collaboration with security experts and adapted to new security standards.
Data exchange from and to our web server is encrypted in every case. We offer HTTPS as a transfer protocol for our web presence, in each case subject to the use of current encryption protocols (SSL via GlobalSign nv-sa for www.piko.de and thawte, Inc. for www.piko-shop.de).
We also offer our users content encryption within the contact forms. We are the only party able to decrypt this data. There is also the option of using alternative channels of communication (e.g. post).
Obligation to provide data
Various personal data is required for the establishment, implementation, and termination of the contractual relationship, and the fulfilment of the associated contractual and legal obligations. The same applies for the use of our website and the various functions it offers.
We have summarised the details of this in the point above. In certain cases, data also needs to be collected or made available as a result of legal provisions. Please note that it is not possible to process your enquiry or execute an underlying contractual relationship without the provision of this data.
Categories, sources, and the origin of data
Which data we process is determined by the relative context: It depends, for example, on whether you place an order online or enter an enquiry into our contact form, or whether you are sending us an application or submitting a complaint.
Please note that we may also make information for particular processing situations separately available to an appropriate body, for example when application documents are uploaded or a contact enquiry is sent.
We collect and process the following data when you visit our website:
- Information about the website from which you reach our site
- The web browser and operating system you are using
- The IP address allocated by your internet service provider
- The files requested, data volume transferred, and downloads/file export
- Information about the webpages that you access on our site, including the date and time
For reasons of technical security (in particular to defend against attempted attacks on our web server), this data is stored in accordance with Art. 6 (1) lit. f EU-GDPR. After 7 days at the latest, the data is anonymised by shortening the IP address, so that no link to the user can be established.
We collect and process the following data when you submit a contact enquiry:
• Surname and first name
• Email address and if given telephone number
• Information on your requests and interests
We process the following data in the course of the order:
• Title
• Surname and first name
• Shipping address
• Invoice address
• Email address (if necessary for the order)
We collect and process the following data for newsletters:
• Email address
• Analytical data from the newsletter evaluation
These cookies enable us to analyse how users use our websites. This means that we can design the content of the website to meet the needs of its visitors. Cookies also enable us to measure how effective a particular advertisement is, and for example to place it depending on thematic user interests.
Most of the cookies we use are session cookies which are automatically deleted after your visit. Permanent cookies are automatically deleted from your computer when their term of validity (generally six months) is reached, or if you delete them yourself before the term of validity expires.
Most web browsers accept cookies automatically. However, you can generally also change your browser settings if you would prefer not to send information. You can still continue to use our website without restrictions in this case (with the exception of configurators).
Please note: If you deactivate the saving of cookies, you may no longer be able to use all of our website’s functions to the full extent.
Contact form / making contact by email
Our website contains a contact form that can be used to make contact electronically. If you write to us using the contact form, we process the personal data you provide in the contact form in order to make contact and respond to your questions and requests.
The principle of data economy and data reduction is taken into account here, in that you only need to provide the data that we need in order to make contact with you. This comprises your email address, title, first name, surname, subject, and the message field itself. In addition, your IP address is processed for reasons of technical necessity and legal safeguarding. All other data fields are voluntary, and you have the option of filling them out (for example for a better-tailored response to your questions).
If you contact us by email, we will process the personal data you provide in the email purely for the purpose of processing your enquiry. If you do not use the offered form to contact us, no additional data is collected.
Newsletter
You can subscribe to a free-of-charge newsletter on our website. Your name and the email address provided during newsletter registration will be used for sending the personalised newsletter.
The principle of data economy and data reduction is taken into account here, as only the email address is identified as a mandatory field. When you subscribe to the newsletter, your IP address will also be processed for reasons of technical necessity and legal safeguarding.
You may of course end your subscription at any time using the unsubscribe option provided in the newsletter, thereby revoking your consent. Furthermore, you may at any time also unsubscribe from the newsletter directly via our website.
We use web beacons for our newsletter distribution. Web beacons are transparent images that help us track the activity of users on our newsletter. With an embedded web beacon, we can see if and when an affected person opened an email from us. Personal data collected via one of these web beacons can be collected, saved and analysed to improve our newsletter distribution. These personal data are not disclosed to third parties.
Online shop
We process the data you provide in the context of the order form only for the purposes of implementing and/or transacting the contractual relationship, unless you agree to its further use.
The principle of data economy and data reduction is taken into account in that you only need to provide us with data that we require in order to implement the contract and/or to fulfil our contractual obligations (i.e. your name, address, email address, and the payment details required for the selected payment type) or which we are legally required to collect.
In addition, your IP address is processed for reasons of technical necessity and legal safeguarding. Without this data being provided, we must unfortunately refuse to enter into a contract as we will not then be able to implement it, or we may need to terminate an existing contract. You are of course also free to provide more data if you would like to.
Registration / customer account
On our website, we offer users the opportunity to register by providing their personal data. The advantage of this is that you are able to view your order history, and the data you provide is stored for the order form, meaning that you will not need to enter the information again the next time you place an order. Furthermore, a registered user can use the memory list to save items he or she desires for later.
Registration is therefore either necessary in order to fulfil a contract (via our online shop) with you or to implement pre-contractual measures, or possible if guest access is also made available. The principle of data economy and data reduction is taken into account here as only the data required for registration is marked with an asterisk (*). These are, for example, an email address and password including a password confirmation.
If you wish to place an order in our shop, we also need information about the invoice address (title, first name, surname, postal address, phone number) for delivery. If the delivery address differs from the invoice address, the above information must also be provided for the delivery address.
Registering on our website also causes the user’s IP address, the date, and the time of registration to be stored (technical background data). By pressing the “Register now” button, you provide your consent for the processing of your data.
Please note: The password you allocate will be stored within our organisation in encrypted format. Employees of our company are not able to read this password. They are therefore unable to provide you with information if you forget your password.
Should this happen, use the “Forgotten password” function, which sends you a new, automatically generated password by email. No employee is entitled to ask you for your password during a phone call or in writing. So please never disclose your password if you receive any requests of this type.
Completing the registration process causes your data to be stored within our organisation in order for you to use the protected customer area. As soon as you register on our website, with your email address as the username and with a password, this data will be made available for actions that you perform on our website (e.g. for placing orders in our online shop). Orders placed can be viewed in the order history. You can make changes to the invoice or delivery address here.
Registered individuals are free to independently change/rectify the invoice or delivery address in the order history. Our customer service team is also happy to change or rectify this information if you get in touch with them. You can of course also terminate or delete your registration and your customer account by sending us an email.
Payment systems
In our online shop you can pay with your credit card, by PayPal or by cash in advance. The respective payment-relevant data is collected for this purpose, so that your order and payment can be processed. In addition, your IP address is processed for reasons of technical necessity and legal safeguarding.
The principle of data economy and data reduction is taken into account in that you only need to provide us with the data that we need for the processing of payment and therefore the processing of the contract, or which we are legally required to record.
Without this data, we must unfortunately refuse to enter into a contract as we will not then be able to implement it.
The payment system we use utilises SSL encryption for the protected transfer of your data.
Note on credit card payments: As is standard for credit card payments, the information regarding the credit card is reviewed and a credit check is performed.
Note on PayPal: PayPal is a company which is part of PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449 Luxembourg. If the affected person selects PayPal as the payment option during the order process in our online shop, data relating to the affected person is automatically transferred to PayPal.
By selecting this payment option, the affected person consents to the transfer of personal data as required to process payment. The personal data transferred to PayPal is generally the affected person’s first name, surname, address, email address, IP address, phone number, mobile phone number, or other data that is necessary to process payments.
Such personal data that relates to the respective order is also necessary to process the purchase agreement. Details on data privacy at PayPal can be accessed at: https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev (for the legal situation from 25 May 2018).
Advertising purposes for existing customers:
The PIKO Spielwaren GmbH is interested in maintaining its customer relationship with you and sending you information and offers relating to our products/services. We process your data for these reasons, in order to send you appropriate information and offers by email.
If you do not wish us to do so, you can object to the use of your personal data for the purposes of direct advertising at any time; this also applies for profiling in as far as it is associated with direct advertising. If you submit an objection, we will no longer process your data for this purpose.
We do not use any purely automated processing procedures for making decisions.
User profiles / Web tracking procedures
The controller uses Google Analytics on this website (with anonymisation function). Google Analytics is a web analytics service that is used for the survey, collection and analysis of behavioural data of website users. Amongst other things, the service collects data about how an affected person landed on the website (so-called referrer), which sub-pages are accessed and how often and how long a person stays on the website.
Google Inc. is the operating company of the Google Analytics service. Address: 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The controller uses the addition “_gat._anonymizeIp” for the Google Analytics service. With this addition, the IP address of the user is shortened and anonymised by Google when our website is accessed by a user located in a Union or Member State.
The purpose of Google Analytics is to analyse visitors of our website. Google uses the collected data and information to analyse the usage of our website and to create online reports for us, that show the activities on our website. These reports can be used for further services regarding our website.
Google Analytics creates a cookie on the IT system of the user. For more information about cookies, please look above. By creating cookies, Google can analyse the usage of our website. Every access of a sub-page that has an integrated Google Analytics component leads to a collection and processing of user data to Google. In the course of this process, Google receives personal data like the user’s IP address, that later can be used to track the user’s origin and to calculate Google’s commission.
By using cookies, the controller receives information about personal data of the user like access time, access location and access frequency, that can be saved. These personal data, including the user’s IP address, will be transmitted to Google in the USA every time he or she visits our website. The data will be saved and possibly forwarded to third parties by Google.
By adjusting the settings of their web browser, the affected person can prevent the creation of cookies by our website at any time. These settings will also prevent Google from creating a cookie on the IT system of the affected person. Once created, a Google Analytics cookie can be deleted via the web browser or by another software at any time.
Furthermore, the affected person can object to the collection and processing of personal data by Google via Google Analytics. To do so, the affected person has to download and install a browser add-on, which can be found under the following link: https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no personal data or information must be transmitted from the website to Google Analytics. The installation of the browser add-on is regarded as an objection by Google. If the affected person’s IT system is formatted or re-installed, he or she has to install the add-on again to deactivate Google Analytics. If the browser add-on is deactivated or uninstalled by the affected or another person, there is the possibility to re-install or re-activate the add-on.
Opt-Out cookies prevent the future collection of your data when visiting this website. To prevent the collection of data by Universal Analytics across all your devices, you have to perform the opt-out on all used systems. By clicking here, you set the opt-out cookie: Disable Google Analytics
Online offers for children
Individuals under the age of 16 may not transfer personal data to us or issue a declaration of consent without the approval of their parent or legal guardian. We would like to invite parents and legal guardians to actively participate in their children’s online activities and interests.
Links to other providers
Our website also – clearly and identifiably – includes links to websites operated by other companies. Where links to other providers’ websites are provided, we have no influence over their content. For this reason, no guarantee can be provided and no liability can be accepted for this content. The respective provider or operator of the relevant pages is responsible for the content of these pages.
At the time that the link was placed, the linked pages were checked for possible legal violations and identifiable infringements of the law. No illegal content was identifiable at the time that the link was placed. However, constant monitoring of the content of the linked pages is unreasonable without specific indication of an infringement of the law. In the event of infringements of the law becoming known, links of this type will be removed without delay.