A. Data privacy statement

In the following we inform about the collection of personal data when using our website. Personal data are all data that are personally identifiable to you, e.g. your name, address, e-mail addresses, user behavior.


I. Name and address of the person responsible

The person responsible within the meaning of the Basic Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
KOINOR Polstermöbel GmbH & Co. KG
Landwehrstraße 14
96247 Michelau
Germany
Phone.: +49 9571 892-0
Fax: +49 9571 83310
info(at)koinor.de
www.koinor.com


II. Name and address of the data protection officer


The data protection officer of the person responsible is:
Andreas Fischer
KOINOR Polstermöbel GmbH & Co. KG
Landwehrstraße 14 96247 Michelau
Germany
Phone: +49 9571 892-0
E-Mail: a.fischer(at)koinor.de


III. General information on data processing

1. Scope of processing of personal data
We only process the personal data of our users if this is necessary to provide a functional website as well as our contents and services. The regular processing of the personal data of our users only takes place after the user has granted consent. An exception applies in those cases where prior consent cannot be obtained for legal or factual reasons and the processing of the data is permitted by law.

2. Lawfulness of processing personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a General Data Protection Regulation (GDPR) serves as the legal basis.
In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

3. Data deletion and storage time
The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, storage of data may take place if this has been provided for by European or national lawmaking bodies in the form of EU regulations, laws, or other provisions to which the responsible party (data controller) is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned legal norms lapses, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.


IV. Provision of the website and creation of log files

1. Description and scope of data processing
Every time you visit our website, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The IP address of the user
(4) Date and time of access
(5) Websites from which the user's system accesses our website The data is also stored in the log files of our system.
This data is not stored together with other personal data of the user.

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this the IP address of the user must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, the data helps us to optimize the website and ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. Our legitimate interest in data processing also pertains to these purposes under Art. 6(1)(f) GDPR.

4. Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or obfuscated so that identification of the accessing client is no longer possible.

5. Options for objection and removal
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.


V. Use of cookies
a) Description and scope of data processing Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is accessed again. We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. Login information is stored in and transferred into the cookies. We also use cookies on our website which enable an analysis of the user's surfing behavior. In this way, the following data may be transferred:
- Frequency of page views
- Use of website functions
The user data collected in this way is pseudonymized by technical precautions. Therefore, it is no longer possible to assign the data to the accessing user. The data will not be stored together with other personal data of the users. When you visit our website, an information banner informs you about the use of cookies for analytical purposes and refers you to this privacy policy. In this context, there is also a note on how the storage of cookies can be prevented in the browser settings. When accessing our website, the user is informed about the use of cookies for analytical purposes, and his or her consent to the processing of personal data used in this context is obtained. In this context, reference is also made to this privacy policy.

b) Legal basis for data processing The legal basis for the processing of personal data using technically necessary cookies is Art. 6(1)(f) GDPR. The legal basis for the processing of personal data using cookies for analytical purposes is Art. 6(1)(a) GDPR. For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) GDPR.

c) Purpose of data processing The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For this it is necessary for the browser to be recognized even after a page change. We need cookies for the following applications:
- Login functionalities
- Detection of language settings The user data collected by technically necessary cookies is not used to create user profiles. The analytical cookies are used to improve the quality of our website and its content. Using the analytical cookies, we learn how the website is used and can thus continuously optimize the web content we offer. For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) GDPR.

d) Duration of storage, obptions for objection and removal Cookies are stored on the user's computer and transferred by that computer to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.


VI. Registration

1. Description and scope of data processing
On our website, we offer users the opportunity to register by providing personal data. The data is entered into an input screen, transmitted to us, and saved. The data will not be shared with third parties. The following data is collected during the registration process: - x At the time of registration, the following data is also stored: (1) The IP address of the user (2) Date and time of registration In the course of the registration process, the user's consent to the processing of this data is obtained.

2. Legal basis for data processing
The legal basis for the processing of data is Art. 6(1)(a) GDPR. If registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6(1)(b) GDPR.

3. Purpose of data processing
Registration of the user is necessary for the provision of certain content and services on our website: Offer of exhibits stating the dealer contact details.

4. Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case for the data collected during the registration process if the registration on our website is cancelled or changed.

5. Options for objection and removal
As a user you have the option to cancel the registration at any time. You can change the data stored about you at any time. You can request deletion of the account by sending an email to info(at)koinor.de. If the data is required to fulfil a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as there are no contractual or statutory obligations to the contrary.

VII. Email contact

1. Description and scope of data processing
You can contact us via the email address provided. In this case, the user's personal data transmitted by email will be stored. In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

2. Legal basis for data processing
The legal basis for the processing of data is Art. 6(1)(a) GDPR. The legal basis for the processing of data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. If the intention of the email contact is to conclude a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR.

3. Purpose of data processing
The purpose of processing of the personal data from the email is only to process the establishment of contact.

4. Duration of storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the email, this is the case when the conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the facts in question have been finally clarified.

5. Options for objection and removal
The user has the option of revoking his consent to the processing of personal data at any time. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted in this case.


VIII. Web analysis by Matomo (formerly PIWIK)

1. Scope of processing of personal data
On our website, we use the open source software tool Matomo (formerly PIWIK) to analyze the surfing behavior of our users. The software places a cookie on the user's computer (see above for cookies). If individual pages of our website are accessed, the following data is stored:
(1) Two bytes of the IP address of the user's system used for access
(2) The accessed web page
(3) The website from which the user has accessed the accessed website (referrer)
(4) The subpages that are accessed from the accessed website
(5) Duration of stay on the website
(6) The frequency of visiting the website The software runs exclusively on the servers of our website. The personal data of users is only stored there. The data will not be passed on to third parties. The software is set so that the IP addresses are not completely stored. Instead 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way it is no longer possible to assign the shortened IP address to the accessing computer.

2. Legal basis for the processing of personal data
The legal basis for processing users' personal data is Art. 6(1)(f) GDPR.

3. Purpose of data processing
The processing of users' personal data enables us to analyse the surfing behavior of our users. We are in a position to compile information about the use of the individual components of our website by evaluating the data obtained. This helps us to continuously improve our website and its user-friendliness. For these purposes, it is also in our legitimate interest to process the data in accordance with Art. 6(1)(f) GDPR. By anonymizing the IP address, the interest of the user regarding the protection of their personal data is sufficiently taken into account.

4. Duration of storage
The data will be deleted as soon as it is no longer needed for our recordkeeping purposes. In our case, this is the case after 180.

5. Options for objection and removal
Cookies are stored on the user's computer and transferred by that computer to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. We offer our users on our website the possibility to opt out of the analysis procedure. To do this, you must follow the corresponding link.

This action causes another cookie to be created on your system that signals to our system not to store the user's data. If the user deletes the corresponding cookie from his own system in the meantime, he must set the opt-out cookie again.
More information about the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.


IX. Social Media

1. Use of social media Plugins
(1) We currently use the following social media plugins: [Facebook, Google+, Twitter, Xing, T3N, LinkedIn, Flattr]. We use the so-called two-click solution. This means that when you visit our site, no personal data is initially passed on to the providers of the plugins. You can recognize the provider of the plugin by the marking on the box above its initial letter or the logo. We offer you the possibility to communicate directly with the provider of the plugin via the button. Only if you click on the marked field and thereby activate it will the plugin provider receive the information that you have accessed the corresponding website of the online content we offer. In addition, the data specified in section 3 of this privacy policy will be transmitted. In the case of Facebook and Xing, the IP address is anonymized immediately after collection by the respective provider in Germany. By activating the plugin, personal data is transferred from you to the respective plugin provider and stored there (in the case of US providers in the USA). Since the plugin provider collects data mainly via cookies, we recommend that you delete all cookies before clicking on the grayed-out box using your browser's security settings.
(2) We have no influence on the data collected or data processing operations, nor are we aware of the full extent of data collection, the purposes of processing, or the storage periods. We also have no information on the deletion of the data collected by the plugin provider.
(3) The plugin provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research, and/or demand-oriented design of its website. Such an evaluation takes place in particular (also for not logged in users) for the representation of demand-based advertising and in order to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plugin provider to exercise this right. With the plugins, we offer you the possibility of interacting with social networks and other users so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plugins is Art. 6(1)(1)(f) GDPR.
(4) The data is transferred regardless of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be directly assigned to your existing account with the plugin provider. If you click the activated button and, for example, link to the page, the plugin provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, especially before activating the button, as this way you can avoid being assigned to your profile with the plugin provider.
(5) For more information on the purpose and scope of data collection and its processing by the plugin provider, please refer to the privacy policies of these providers as listed below. They will also provide you with further information about your rights in this regard and settings options for protecting your privacy. 
(6) Addresses of the respective plugin providers and URLs of privacy policies:
a) [Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php; further information on data collection: www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other sowie www.facebook.com/about/privacy/your-info. Facebook has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

2. Embedding of YouTube Videos
(1) We have embedded YouTube videos into the online content that we offer. These videos are stored at www.YouTube.com and can be played directly from our website. These are all embedded in "extended data protection mode", i.e. no data about you as a user will be transmitted to YouTube if you do not play the videos. Only when you play the videos will the data referred to in paragraph 2 be transmitted. We have no influence on this data transmission.]
(2) By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the data specified in section 3 of this privacy policy will be transmitted. This is independent of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your information will be directly associated with your account. If you do not wish to be associated with your profile on YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research, and/or demand-oriented design of its website. Such evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
(3) For more information on the purpose and scope of data collection and processing by YouTube, please refer to the privacy policy. There you will also find further information about your rights and settings options for protecting your privacy: www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
(3) For more information about the purpose and scope of data collection and its processing by the plugin provider, please refer to the provider's privacy policy. There you will also find further information about your rights in this regard and settings options for the protection of your privacy: www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework

 

X. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of GDPR and you have the following rights with regard to the data controller:

1. Right to Information whether your personal data will be pocesed
You can obtain from the data controller a confirmation about whether personal data concerning you will be processed by us. If such processing has taken place, you can obtain the following information from the data controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to have your personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to such processing;
(6) the existence of a right to appeal to a supervisory authority;
(7) any available information on the origin of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision making including profiling in accordance with Art. 22(1) and (4) GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing on the data subject. You have the right to request information regarding whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you can request the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

2. Right to rectification
You have a right of rectification and/or completion with respect to the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay. 

3. Right to limitation of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
(1) if you dispute the accuracy of the personal data concerning you for a period of time that enables the data controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
(3) the controller no longer needs the personal data for the purposes of the processing, but you do need it to assert, exercise, or defend legal claims, or
(4) if you object to the processing pursuant to Art. 21(1) GDPR and it is not yet clear whether the legitimate reasons of the person responsible outweigh your reasons. If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising, or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State. If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

4. Right to erasure
a) Deletion obligation
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 para. 1, or point (a) of Article 9 para. 2, GDPR and where there is no other legal ground for the processing; (3) the data subject objects to the processing pursuant to Article 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 para. 2 GDPR;
(4) the personal data have been unlawfully processed;
(5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) the personal data have been collected in relation to the offer of information society services referred to in Article 8 para. 1.

b) Information to other party
Where the controller has made the personal data public and is obliged pursuant to Article 17 paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions
The right to extinction exist no longer, insofar the processing is necessary,
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 para. 2 as well as Article 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 para 1 in so far as the right referred to in paragraph 1 GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right to Information after exercising rectification, erasure or limiting 
If you have exercised your right to have the data controller correct, delete, or limit the processing, he/she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort. The person responsible shall have the right to be informed of such recipients. 

6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to point (a) of Article 6 para. 1 or point (a) of Article 9 para. 2 GDPR or on a contract pursuant to point (b) of Article 6 para. 1 GDPR; and
(2) the processing is carried out by automated means. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The right shall not adversely affect the rights and freedom of others. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until the time of revocation.

9. Automated individual decision-making, including profiling
a) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
b) Paragraph 1 shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(3) is based on the data subject's explicit consent.
c) In the cases referred to in points (1) and (2) of paragraph b) GDPR, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
(d) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.