Privacy Policy Chocoversum GmbH

CHOCOVERSUM GmbH would like to explain to you below which data are collected, processed and used when and for what purpose. We would like to explain to you how our offered services work and how the protection of your personal data is guaranteed. We only collect, process and use personal data if you have consented therein or a law allows this.

This Privacy Policy can be retrieved, saved and printed at any time under the URL https://chocoversum.ticketfritz.de/en/Home/Privacy.

1. Information about the collection of personal data

(1)   In the following we inform about the collection of personal data when using our website. Personal data is all data that are personally identifiable to you, e.g. name, address, e-mail addresses and user behaviour.

(2)   The person responsible pursuant to Article 4 (7) of the EU General Data Protection Regulation (GDPR) is

CHOCOVERSUM GmbH
Meßberg 1, 20095 Hamburg
Tel.: (040) 41 91 23 00
Fax: (040) 41 91 23 0 – 20
E-Mail: info@CHOCOVERSUM.de

(see our imprint).

You can contact our data protection officer at:

Rechtsanwalt Bertold Frick
Datenschutz-Metropol GmbH
Baumwollbörse, Wachtstraße 17/24, 28195 Bremen
Tel.: (0421) 339 53 50
Fax: (0421) 339 53 55
E-Mail: frick@trinity-metropol.de

(3)   When you contact us by e-mail, the information you provide (your e-mail address, if applicable your name and telephone number) will be stored by us to answer your questions. We delete the data that arise in this context after the storage is no longer required, or limit the processing if statutory storage obligations exist.

(4)   If we rely on commissioned service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective transactions below. In doing so, we also specify the specified criteria for the storage duration.

2. Your rights

(1)   You have the following rights with respect to your personal data:

• to request information, pursuant to Art. 15 GDPR, about your personal data processed by us. In particular, you may request information on the processing purposes, the category of personal data, the categories of recipients to whom your data has been disclosed, the planned retention period, the right to rectification, deletion, limitation of processing or objection, and the existence of a right to appeal, the origin of their data, if not collected from us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about their details;
• to demand the correction, pursuant to Art. 16 GDPR, of incorrect or complete personal data stored by us without delay;
• to demand the deletion, pursuant to Art. 17 GDPR, of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
• to demand the restriction, pursuant to  Art. 18 GDPR, of the processing of your personal data if you dispute the accuracy of the data or if the processing is unlawful but you refuse to delete the data and we no longer need the data, but if you need it to assert, exercise or defend legal claims or if you have objected to the processing in accordance with Art. 21 GDPR;
• to receive, pursuant to Art. 20 GDPR, your personal data provided to us in a structured, conventional and machine-readable format or to request the transfer to another person in charge and
• to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or the registered office of our company.

To assert your rights, please contact: frick@trinity-metropol.de

(2)   If you wish to complain to the data protection  supervisory authority for our company’s registered office about our processing of your, please contact:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Klosterwall 6 (Block C), 20095 Hamburg
Tel.: (040) 4 28 54 – 40 40
E-Fax: (040) 4 279 – 11811
E-Mail: mailbox@datenschutz.hamburg.de

3. Scope of processing personal data

In principle, we collect and use our users’ personal data only to the extent necessary to provide a functional website and our content and services. This includes

• E-mail address
• Payment data
• Booked events / tickets purchased or vouchers
• Any documents or information provided by you, the personal data

We collect, process and use this data in order to contact you and process your request for events, ticket purchases or general enquiries.

In addition, we collect, process and use the following data to compile visitor statistics on the use of our website and to improve our website. The following data is collected:

• Date and visit of the URL on which the visitor is located
• URL that the visitor visited immediately before
• Browser used
• Operating system used
• IP address of the visitor

If this is not the case, personal data will only be used with the user’s consent. An exception applies in cases where prior consent cannot be obtained for effective reasons and the processing of the data is permitted by law.

4. Legal basis of processing

Insofar as we obtain the consent of the data subject for processing of personal data, Article 6 (1)(a) EU General Data Protection Regulation (GDPR) serves as the legal basis.

For the processing of personal data required to fulfil a contract to which the data subject is a party, Article 6 (1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual actions.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6 (1)(c) GDPR serves as the legal basis.

In the event that the vital interests of the data subject or any other natural person require the processing of personal data, Article 6 (1)(d) GDPR serves as the legal basis.

If the processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the first interest, Article 6 (1)(f) GDPR serves as the legal basis for processing. The legitimate interest of our company lies in the execution of our business activities.

5. Routine deletion and blocking of personal data

We only process and store personal data of the data subject for as long as necessary to achieve the storage purpose. In addition, such storage may take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible for the processing is subject. As soon as the storage purpose ceases to apply or a storage period prescribed by the aforementioned regulations expires, the personal data is routinely blocked or deleted.

6. Data security

We employ technical and organisational measures to secure our website and other systems against the loss, destruction, access, alteration or dissemination of your personal data by unauthorised persons. However, notwithstanding regular controls, complete protection against all risks is not possible. In some places, the website employs the industry standard SSL (Secure Sockets Layer) for encryption, which guarantees the privacy of your personal details.

7. Your personal information

• What are "personal data"?

Personal data are information about yourself that allow  conclusions to be drawn about your identity or which relate directly or indirectly to you, e.g. your name, address or phone number. Information that does not allow conclusions to be made about a specific or identifiable person is not included.

• E-mail, telephone

If you contact us by e-mail or telephone, we will only use the personal data you provide to process your specific request. The given data will be treated confidentially.

• Your registration

If you use the opportunity to register on our website, the data in the respective input mask will be transmitted to us. The data are stored solely for the purpose of internal use. Upon registration, the IP address of the user as well as the date and time of the registration will be stored in addition to the data mentioned below. This is to prevent misuse of the services. A transfer of the data to third parties does not take place. An exception exists if there is a legal obligation to disclose. Registered persons have the possibility to delete or modify the stored data at any time. The data subject receives information about the personal data stored about him or her at any time. Registration is based on our legitimate interests. With the opportunity to register, we can offer our visitors the convenience of regularly logging in and storing the data permanently.

8. Recording of customer contact details in accordance with the Hamburg SARS-CoV-2 containment regulation (HmbSARS-CoV-2 containment regulation)

(1) Purpose: Your data will be used exclusively for the purpose of tracking SARS-CoV-2 infection chains. The use of your data for our own purposes or services, especially advertising, is excluded.

(2) Legal basis: The legal basis for processing your data is Art. 6 Paragraph 1 lit. c General Data Protection Regulation (GDPR) in conjunction with Section 26 Paragraph 2 No. 2 of the HmbSARS-CoV-2 containment regulation.

(3) We use the digital solution from https://darfichrein.de for data acquisition.

(4) Transmission to third parties: Your data will be presented to the competent authority (health authority) upon request.

• Retention periods / deletion periods: Your data will be deleted after the retention period of 4 weeks has expired.

You are entitled to all data subject rights according to Art. 15 ff. GDPR, in particular information, deletion and restriction of processing.

9. What data do we collect and what for?

As part of the registration, we need an email address and password from you. The data you provide will be stored with us and serve solely to provide the services you requested and thereby fulfil our contracts with you, in particular the sale through our online store.

• Bank and credit card data

For certain fee-based offers, we also need bank or credit card information to process the contract.

If you choose the payment method "credit card", we also need your credit card details, but these credit card details are not collected by us but are collected directly and exclusively via the payment service provider that we have appointed and specialise in the online area Within the Giropay payment method, you can choose your bank and you will be immediately redirected to your bank's online banking website, where you will be able to log in as usual with your access data and we will not collect or process any data in this context.

• Can I also shop without registering in the online shop?

A purchase in our online shop is also possible without registration. The data collected by us for processing the purchase will be recorded and stored in the shop system in order to fulfil our contract with you.

• Disclosure of personal data

In addition, we will not disclose personal data without your express consent, unless we are legally permitted to do so, e.g. if we are required by law to disclose data (to law enforcement agencies and courts, to public bodies that receive data due to statutory regulations, such as social insurance agencies, tax authorities, etc.) or if we involve third parties to enforce our claims for professional secrecy.

10. Log files

Each time the website is accessed, we or the site provider collect data and information through an automated system. These are stored in the log files of the server.

The following data can be collected here:

• Information about the browser type and version used
• The user’s operating system
• The user’s Internet service provider
• The user’s IP address
• Date and time of access
• Websites from which the user's system is accessed on our website (referrer)
• Web pages accessed by the user's system through our website

The processing of the data serves to deliver the contents of our website, to ensure the functionality of our information technology systems and to optimize our website. The data of the log files are always stored separately from other personal data of the users.

11. Social plugins

(1) This website uses social plugins from social networks. Separate data protection and liability rules apply to social networks and the websites of third parties in general. The saving and use of personal data by the relevant website operators (service providers) upon the use of their services may exceed the extent provided for under this data protection policy. CHOCOVERSUM cannot influence what data an activated plugin collects and how the provider uses this data. CHOCOVERSUM does not collect any personal information itself by means of or through the use of social plugins.

(2) To increase the protection of your data, the plugins are not embedded in the website without restriction, but only when using an HTML link (so-called “Shariff solution” by c’t). Such embedding guarantees that no connection is made with the social network provider’s servers upon visiting a site containing such plugins. If you click on one of the buttons, a new window opens in your browser and calls up the relevant service provider’s website, where (after entering any applicable login information) you are able to activate, for example, the “like” or “share” buttons. Please refer to the relevant provider’s data protection policy for information about the purpose and extent of data collection and the provider’s further processing and use of the data, as well as your rights in this regard and the settings you can choose to protect your privacy.

Facebook
Operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
Website: www.facebook.com
Data protection: http://www.facebook.com/policy.php

The rights of data subjects can be enforced with Facebook Ireland, as well as Hachez Chocoversum GmbH.

According to the General Data Protection Regulation (GDPR), Facebook is primarily responsible for processing insight data and fulfils all obligations relating to the processing of insight data under the GDPR.

The substance of the page insights controller addendum is made available to data subjects by Facebook Ireland.

As operator, we do not make any decisions relating to the processing of insight data or any other data resulting from Art. 13 GDPR, including legal basis, identity of the controller and the duration for which cookies are saved on users’ terminals.

Instagram
Operator: Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA
Website: https://www.instagram.com
Data protection: https://help.instagram.com/155833707900388

Tripadvisor
Operator: TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494 USA
Website: https://www.tripadvisor.de
Data protection: https://tripadvisor.mediaroom.com/DE-privacy-policy

12. Cookies

(1) Our webpages employ so-called “cookies”. Cookies are small text files that are saved on browser's cache for the duration of your session (so-called “session cookies”) or on your hard drive for a particular time (so-called “permanent cookies”). Cookies enable recognition of the internet browser, so that when you next visit our website, you can be provided more quickly with targeted content which is tailored to your wishes and requirements. We therefore use cookies that are technically necessary to our legitimate interest in providing a website tailored to our visitors’ wishes. The cookies do not save any personal data.

(2) If, in addition to cookies that are technically necessary, we also wish to use marketing, tracking or analysis cookies, your express prior consent is required. This is requested on the cookie banner that appears on our website when you begin to use it. This cookie banner provides information about our cookie policy and gives you the opportunity to choose whether to refuse or grant consent to all or particular types of cookies.

(3) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.  You can change your cookie settings or revoke your consent using the blue button at the bottom right of your browser window.

13. Google (Universal) Analytics

(1) This website uses Google Universal Analytics, a web analysis service of Google Inc. (referred to below as “Google”).  Google Universal Analytics also uses cookies.

Your express consent is required for the use of Google Universal Analytics. You have the opportunity to refuse or grant consent to this and to obtain information about our company’s data protection policy through the cookie banner when you begin to use our website.

(2) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

You can withdraw your given consent at any time without giving reasons. You can do this by, for example, sending an email to: info@chocoversum.de. In our Legal notice, you will find further contact details to which you can address the withdrawal.

(3) The information about your use of the website created by the cookie is normally transmitted to a Google server in the USA and saved there. IP anonymisation is instituted on our website, so that your IP address is first abbreviated by Google within the member states of the European Union or other contracting states of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google has agreed to comply with the Privacy Shield Agreement concerning the collection, use and saving of personal data from EU member states that was made between the EU and the USA and published by the US Department of Trade, and holds a corresponding Privacy Shield Certificate.

In a decision dated 16/07/2020, the European Court of Justice declared that the Privacy Shield data protection agreement between the USA and the EU is invalid.

14. Facebook Remarketing

(1) Our website uses the “Custom Audiences” remarketing function of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). This enables us to present our website’s visitors with interest-related advertisements during visits to the Facebook social network (“Facebook ads”). On visiting our website, the Facebook remarketing tag (cookie) implemented on the site creates a direct connection to Facebook’s servers and the Facebook server is informed that you have visited this website. Facebook lists this information on your personal Facebook user account. More detailed information about the collection and use of the information by Facebook, as well as your rights in this regard and the possible ways to protect your privacy can be found in Facebook’s data protection policy at https://www.facebook.com/about/privacy/.

(2) Your express consent is required in order to employ tracking and marketing cookies. You have the opportunity to refuse or grant consent to these cookies and to obtain information about our company’s data protection policy via the cookie banner when you begin to use our website.

(3) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

You can withdraw your given consent at any time without giving reasons. You can do this by, for example, sending an email to: info@chocoversum.de. In our Legal notice, you will find further contact details to which you can address the withdrawal.

You can also object to the use of cookies at any time and deactivate the “Custom Audiences” remarketing function. In addition, you can adjust your settings on Facebook itself via the following link: https://www.facebook.com/settings/?tab=ads#_=_. You must be registered with Facebook in order to do this.

15. “Facebook Pixel”

(1) We use the so-called “Facebook Pixel” from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, within our website for the purposes of analysis, optimisation and for our commercial operations. This enables a user’s behaviour to be tracked after the user has clicked on a Facebook advertisement and been transferred to the supplier’s website. This process serves the evaluation of Facebook advertisements for market research and statistical purposes and can contribute to the optimisation of future marketing measures. The collected data is anonymous to us and therefore does not enable us to identify the user. However, the data is saved and processed by Facebook, so that a link to the relevant user profile is possible and Facebook can use the data for its own advertising purposes in accordance

with Facebook’s privacy policy (https://www.facebook.com/about/privacy/). This only affects users who have a Facebook account and are logged in to Facebook’s member area. Users who are not members of Facebook are not affected by this data processing.

(2) Your express consent is required in order to employ tracking and marketing cookies. You have the opportunity to refuse or grant consent to this and to obtain information about our company’s data protection policy via the cookie banner when you begin to use our website.

If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

You can withdraw your given consent at any time without giving reasons. You can do this by, for example, sending an email to: info@chocoversum.de. In our Legal notice, you will find further contact details to which you can address the withdrawal.

You can also object to the use of cookies and deactivate their function at any time. In addition, you can adjust your settings on Facebook itself via the following link: https://www.facebook.com/settings/?tab=ads#_=_. You must be registered with Facebook in order to do this.

16. Newsletter

(1)   On our website you have the opportunity to subscribe to our newsletter. For this, we need your name as well as your e-mail address to send you the newsletter.

(2)   The legal basis for this is the consent (Article 6 (1) sentence 1 (a) GDPR). When registering for the newsletter, you agree to us sending a newsletter to your e-mail address. By registering, you agree to the following consent text:

“I hereby agree that [name] may send me e-mails to the e-mail address specified by me. I have the right at any time to revoke this consent with effect for the future. I have read the privacy policy with further information on data processing. “

(3)   You can revoke this consent at any time in the future by unsubscribing from the newsletter. At the end of each Newsmail, you will find a link through which you can unsubscribe from the newsletter. Your entry will be deleted automatically.

(4)   Registration for our newsletter takes place in a so-called double opt-in procedure. In other words, you will receive an e-mail after logging in, requesting confirmation of your registration. As proof of the registration for the newsletter, the registration and confirmation times as well as the IP address are stored.

(5)   The statistical survey, analysis and logging of the registration procedure is based on legitimate interests (Article 6 (1) sentence 1 (f) GDPR). The legitimate interest here is the proper and technically flawless execution of the e-mail dispatch.

(6)   We only save the e-mail address you have provided when ordering the newsletter for as long as you have subscribed to the newsletter. As soon as you have unsubscribed from the newsletter, we will delete your e-mail address.

(7)   The Newsletter Software uses Rapidmail (https://www.rapidmail.de). Your data will be transmitted to Rapidmail GmbH. Rapidmail is prohibited from selling and using your data for any purpose other than sending newsletters. Rapidmail is a German, certified provider that has been selected according to the requirements of the General Data Protection Regulation and the Federal Data Protection Act.

(8)   In addition, we will not forward the e-mail address you provided us with to third parties.

17. Waiting List

(1)   When you register for a “list of events”, the information given here will be collected, stored, processed and used. The legal basis for this is the consent (Art. 6 (1) sentence 1 (a) GDPR). When you register on the waiting list, you consent to us sending an e-mail with information about your waiting list topic to your e-mail address.

(2)   As soon as the next information about your waiting list topic is available, you will receive an e-mail to the address you have specified. Your data will then be deleted.

(3)   You can revoke your consent to the storage of the data, the e-mail address and its use for sending the waiting list notification at any time by e-mail to info@chocoversum.de.

18. Offer forms – school classes and companies

On our website, we offer you the opportunity to register school classes or companies via an online form and to request a corresponding offer. When using these forms, please provide the name, e-mail and telephone number or, in the case of school classes, the telephone number of a chaperone (the processing of this data is based on Article 6 (1) (f) of the GDPR and serves our legitimate interests to provide you with further way to make specific contact and get a contact before an offer is submitted. The storage of this data is only to the extent necessary for the preparation of the offer and execution of the booked event.

19. Google Maps

The website of CHOCOVERSUM has integrated the Google Maps service to visualise and display the contact address. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. During use, Google collects and processes data about the use of the map function by the user. For more information about data processing, see the Google Privacy Policy (https://policies.google.com/privacy?hl=en)

20. Integration and linking of videos via YouTube

We use the social network YouTube, provider Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland to integrate and link videos.

YouTube video integration

We embed our videos in the so-called "extended data protection mode" to give you a privacy-friendly view. Like most online presences, however, YouTube also uses cookies to collect information about the visitors to your online presence. YouTube uses these, among other things, to collect video statistics, to prevent fraud and to improve user-friendliness. This also leads to a connection being established with the Google DoubleClick network. If you play videos on our website, this could trigger further data processing operations. Unfortunately, we have no influence on this.

If you do not want YouTube to be able to assign your visit to our online presence while playing a video to your YouTube user account, please log out of your YouTube user account before clicking the play button.

YouTube linking

Links to the YouTube social network are integrated into our online presence. You can recognize the YouTube links by the YouTube logo on our online presence. If you click on one of the YouTube “buttons” while you are logged into your YouTube account with the same browser, YouTube can assign your visit to our online presence to your user account. We would like to point out that, as the provider of the online presence, we have no knowledge of the content of the transmitted data or their use by YouTube.

If you do not want YouTube to be able to assign your visit to our online presence to your YouTube user account after clicking on one of the YouTube “buttons”, please log out of your YouTube user account before clicking the YouTube “button” .

For more information on how your personal data is handled when you visit the YouTube website and play YouTube videos, see the YouTube privacy policy.

21. Welcoming guests

We process personal data to greet individual guests if there are special occasions or if this is requested by guests. The name and information relating to the occasion (such as the guest's birthday and age) are displayed on a screen in the museum foyer.

Processing takes place on the basis of Art. 6 Para. 1 lit.f GDPR to safeguard our legitimate interests and the interests of the person concerned. The person in charge would like to offer her guests a special experience and make their stay a pleasant one. This also includes a personal address in order to highlight the special features of the visit and to give the respective guest a special welcome. This guarantees our interest in providing service-oriented, customer-oriented services.

As a rule, only the employees of the responsible persons and the guests of the respective group have the possibility to see the advertisement in the foyer. Viewing by unauthorized third parties is fundamentally excluded. The personal data for welcoming the guest will be deleted after the event has taken place, unless there are statutory

22. Chatbot

For service inquiries, we offer you the opportunity to obtain information on our website using a chat bot, to have self-care solutions communicated, and to establish contact with our messenger service.

Our technical service provider for the chat bot service is knowhere GmbH, Steinhöft 9, 20459 Hamburg. Information on data protection can be found at https://www.moin.ai/chatbots-dsgvo

No further information is required from you to use the chat bot. To optimize the artificial intelligence of the chat bot, log files and chat histories are stored for 30 days.

In particular, we would like to point out that you do not have to provide any personal data. Further information can be found in our terms of use for the messenger or the chat bot.

Contract-related service requests are an exception. If you would like to use this service, you can provide our customer service with an email address

The data processing takes place on the basis of our legitimate interests in accordance with Art. 6 Para. 1 S. 1 Letter f) GDPR

23. Recording of customer contact details in accordance with the Hamburg SARS-CoV-2 containment regulation (HmbSARS-CoV-2 containment regulation)

(1) Purpose: Your data will be used exclusively for the purpose of tracking SARS-CoV-2 infection chains. The use of your data for our own purposes or services, especially advertising, is excluded.

(2) Legal basis: The legal basis for processing your data is Art. 6 Paragraph 1 lit. c General Data Protection Regulation (GDPR) in conjunction with Section 26 Paragraph 2 No. 2 of the HmbSARS-CoV-2 containment regulation.

(3) We use the digital solution from https://darfichrein.de for data acquisition.

(4) Transmission to third parties: Your data will be presented to the competent authority (health authority) upon request.

Retention periods / deletion periods: Your data will be deleted after the retention period of 4 weeks has expired.

You are entitled to all data subject rights according to Art. 15 ff. GDPR, in particular information, deletion and restriction of processing.

24. Your rights as an affected person

If CHOCOVERSUM GmbH processes personal data about you, you are a victim within the meaning of the General Data Protection Regulation and you have the following rights against CHOCOVERSUM GmbH as the person responsible:

1. Right to information

You may ask the person in charge to confirm if personal data concerning you is processed by us.

If such processing is available, you can request information from the person responsible about the following information:

1. the purposes for which the personal data are processed;
2. the categories of personal data that are processed;
3. the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the storage duration;
5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. all available information on the source of the data if the personal data are not collected from the data subject;
8. the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.

You have the right to request information about whether your personal data is transferred to a third country or an international organisation. In this context, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transmission of information.

1. Right to rectification

You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed is incorrect or incomplete. HACHEZ CHOCOVERSUM GmbH has to carry out the correction without delay.

1. Right to limit processing

You may request the restriction of the processing of your personal data under the following conditions:

1. if you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
2. the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
3. CHOCOVERSUM GmbH no longer requires the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or
4. if you have filed an objection against the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the processing limitation has been restricted according to the abovementioned conditions, you will be informed by the person in charge before the restriction is lifted.

1. Right to erasure

You can demand from CHOCOVERSUM GmbH that the personal data concerning you be deleted immediately, and we are obliged to delete this data immediately, if one of the following reasons applies:

1. Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent to the processing pursuant to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR and there is no other legal basis for processing.
3. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no prior justifiable reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR.
4. Your personal data has been processed unlawfully.
5. The deletion of personal data concerning you is required to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

If CHOCOVERSUM GmbH has made the personal data concerning you public and is, in accordance with Article 17 (1) of the GDPR, required to erase them, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested the deletion of any links to such personal data or copies or replications of such personal data.

The right to erasure does not exist if the processing is necessary

1. to exercise the right to freedom of expression and information;
2. to fulfil a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of official authority conferred on the controller;
3. for reasons of public interest in the field of public health pursuant to Art. 9 (2)(h) and (i) and Art. 9 (3) GDPR;
4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to. Article 89 (1) of the GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
5. to assert, exercise or defend legal claims.

1. Right to information

If you have the right of rectification, erasure or restriction of processing against the controller, he/she is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right vis-à-vis us to be informed about these recipients.

1. Data transferability

You have the right to receive the personal data that you have provided to CHOCOVERSUM GmbH in a structured, conventional and machine-readable format. In addition, you have the right to transfer this data to another person without obstruction by the person responsible for providing the personal data, provided that

1. the processing is based on consent pursuant to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or on a contract pursuant to Art. 6 (1)(b) GDPR and
2. the processing is done using automated procedures

In exercising this right, you also have the right to request that your personal data be transmitted directly from data controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected by this.

The right to data transferability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

1. Right to object

You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data pursuant to Art. 6 (1)(e) GDPR; this also applies to profiling based on these provisions. CHOCOVERSUM GmbH will no longer process your personal data, unless it can prove compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

1. Right to revoke the data protection consent declaration

You have the right to revoke your data protection declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until revocation.

1. Automated decision on a case-by-case basis, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect on you or, in a similar manner, significantly affects it. This does not apply if the decision

1. is required for the conclusion or fulfilment of a contract between you and CHOCOVERSUM GmbH,
2. is permissible on the basis of Union or Member State legislation to which the controller is subject, and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
3. with your express consent.

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2)(a) or (g) applies and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests.

Regarding the cases mentioned in a. and c., CHOCOVERSUM GmbH shall take appropriate measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person by the person responsible, to express one's own position and to contest the decision.

1. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

25. Advertising to us

The use of contact data published in the context of the imprint obligation by third parties for sending unsolicited advertising and information materials is hereby expressly prohibited. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

As of January 2022