My Steiff
Wishlist
Shopping cart

Privacy Policy

Steiff Retail GmbH offers extensive information to its contractual partners, customers and interested parties via the website https://www.steiff.com/. In doing so, we place particular value on handling your personal data and the data of your company in a trusted and secure manner.

The following Privacy Policy is the basis for our actions and a component of our business relationship with customers, prospects and third parties.

We adapt the Privacy Policy as needed based on legal and technical changes. The current version of the Privacy Policy published on the website is valid.

The Privacy Policy includes the following points:

1. Name and address of the controller (person responsible for processing)

The controller as defined by the General Data Protection Regulation, other privacy laws valid in the member states of the European Union and other provisions with a privacy/data protection character is:

Steiff Retail GmbH
Richard-Steiff-Str.4

89537 Giengen/Brenz
Tel.: +49 / (0)7322 131 222
Fax: +49 / (0)711 725 230 799
info@steiff.de
Website: https://www.steiff.com/

2. Name and address of the data protection officer

The data protection officer of the processing controller is

Dirk Janthur
Datenschutzberatung Janthur GmbH
Hedelfinger Straße 12
73734 Esslingen
Tel.-Nr.: +49 711 71530104
dirk.janthur@janthur.net

3. Use of cookies and pixels

Adjust individual settings

The websites of Steiff Retail GmbH use cookies. Cookies are data that are stored by the web browser on the user's computer system. When the user accesses a page, the cookies can be transmitted to this page and thus make it possible to assign this activity to the user. Cookies help make it easier for the user to view websites.

You can opt out of the setting of cookies by making corresponding changes to the settings in the web browser. Cookies that have been set may be deleted. Please note that if cookies are disabled, not all functions of our website may be able to be used in their entirety. The following cookies are used:

3.1. Google Tag Manager

The Google Tag Manager is used on our website. The Google Tag Manager is a solution from Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA, with which we can manage our website tags via an interface. The Google Tag Manager is a cookie-free domain that does not collect any personal data. The Google Tag Manager triggers other tags (cookies and pixels), which in turn may collect data. We hereby point this out separately. The Google Tag Manager does not access this data. If the user has made a deactivation at the domain or cookie level, this remains in effect for all tracking tags that are implemented with Google Tag Manager.

Using technical protocols such as HTTPS, your browser sends personal data such as your IP address, device information and browser information to the Google Tag Manager when you visit our website. However, the Google Tag Manager does not collect or process this data.

3.2. Usercentrics

We use the Usercentrics Consent Management Platform to fulfill the legal obligation according to Article 7 Paragraph 1 GDPR. The operator is Usercentrics GmbH, Rosental 4, 80331 Munich, Germany. The Usercentrics Consent Management Platform collects log file data, user agent (device, browser type, browser language, browser version, resolution) and consent data (consent yes / no, time stamp, data volume, data attributes, controller ID, processor ID, consent ID) via a JavaScript. This JavaScript enables Usercentrics to inform you about certain tags and web technologies on our website and to obtain, manage and document your consent. The legal basis for processing the data is Article 6 Paragraph 1 c GDPR, as we are legally obliged to provide evidence of consent (in accordance with Article 7 Paragraph 1 GDPR).

For further details on data processing, please refer to the Usercentrics data protection provisions: usercentrics.com/de/datenschutzerklaerung/

3.3. Google Maps

We partially integrate Google Maps from Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, a service for displaying interactive maps on our website. This enables you to view our shops and dealers.

When you visit the websites on which Google Maps is integrated, certain information, in particular your IP address, the browser software you use and its settings are collected by Google, transferred to the USA and saved. Google collects and stores this data on its own responsibility and evaluates it for its own purposes. A contract was concluded with Google in accordance with the EU standard contractual clauses to ensure an adequate level of data protection when transferring personal data to third countries. You can view Google's terms of use at http://www.google.de/intl/de/policies/terms/regional.html, the additional terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html. You can find detailed information on data protection in connection with the use of Google Maps on the Google website (“Google Privacy Policy”): http://www.google.de/intl/de/policies/privacy/. If you would like to object to data collection and processing by Google LLC, you can do so at https://adssettings.google.com/authenticated.

3.4. Floodlight pixels

Floodlight records various types of information as part of the HTTP request for websites and apps that use Floodlight, including but not limited to the following: IP addresses (and geographical locations derived from IP addresses), cookie IDs, user agent, page referrer URL, time of the advertisement request, advertisement request URL (and DCM IDs contained in the URL), publisher click tracker URL, user-defined values defined by the publisher, user-defined values defined by the advertiser, additional configurations and disabling exceptions, device identification, identification of mobile apps.

3.5. Conversion tracking

For conversion tracking purposes, we can store and read cookies in Google domains and the DoubleClick domain. For app-based conversions, we store the click ID, IDFA (for iOS) and AdId (Android). For imported click conversions, we store the click IDs sent to us by the advertiser. If users interact with an advertisement in a browser (by clicking a text advertisement or showing a video advertisement), AdWords stores a cookie in a Google domain that contains information about the interaction. If someone converts on the advertiser's website, the conversion tracking tag he or she has installed reads this cookie and sends it back to AdWords with the conversion information.
If the advertiser uses the new global website tag from his or her AdWords account or has installed a Google Analytics tag on its target page or uses the conversion linker tag in GTM, in these solutions, a cookie is also stored on its domain about the last advertisement click. If no click information about the same devices is available, but the user is logged in with Google, we read the login information from cookies in Google domains and send it to Google along with the conversion information. If a search click has been made by the same logged-in user on another device or in another browser, we can allocate the conversion as a cross-device conversion.

Remarketing:
For remarketing lists for search advertisements (RLSA) and remarketing in the Display Network, advertisers can use the AdWords remarketing/conversion tag or the Google Analytics tag to link various users with one or more remarketing lists. AdWords collects data that pertain to the device/browser, the IP address and the activities on the site/app, including page and link URLs. The data are collected based on IDFA / ADID, DoubleClick ID, Google non-authenticated cookies and Google authenticated cookies, which are stored and used in different ways.

For telephone advertisement products:
(click-to-call and click-to-message advertisements) we collect the user's caller ID (i.e. the user's phone number) and other call details such as the duration of the call, time of day the call was placed, etc. For click-to-message advertisements: We do not share the telephone number directly with the advertiser, but store it so that after receiving a text message, advertisers can call and respond to the user. For click-to-message advertisements, we share the user's caller ID for e-mail, CRM and lead customers (but not immediately at the time the message is sent). For click-to-call advertisements, we forward the phone number information to the advertiser.

Display:
If AdWords functions via display, it uses IP addresses and cookie IDs and, depending on a user's specific settings, it can use location data or Google account information. Depending on the product used, other identifiers can be used (e.g. Customer Match).

Apps:
If you use a Google SDK or an SDK from third-party suppliers in your mobile app to send mobile IDs to Google, in most cases, you have to obtain the consent of your users in the European Economic Area to comply with Google's EC user consent guidelines. Our guidelines require consent for the use of mobile identifiers where legally prescribed and consent for the collection, forwarding and use of personal data (including Mobile Identifier) for the personalisation of advertisements or other services. For example, if you use an app attribution partner to send Google IDFAs or ADIDs for advertisements for repeated interaction or remarketing, you have to obtain the consent of the users to collect and forward these data with the app attribution partner and Google.

3.6. Duration of storage

We anonymise IP addresses in logs by removing a part of the address after 9 months. After 18 months, we further anonymise the log data by removing cookies or advertiser ID information, both in the logs and the ad serving databases. User profile information about advertising cookies and advertising IDs is also stored in databases that can be accessed for advertisements served in real time. The data stored in these databases are either stored or anonymised after 18 months.

3.7. Google Consent Mode

The Google service "Google Consent Mode" of the provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, 94043, California, USA is a service that enables Steiff Retail GmbH to carry out a so-called conversion measurement.
When using the extended version of the service, a so-called Boolean is placed on the website, which can have two different values. The value is set to "True" or "False" depending on the user's consent.
If consent has been given for processing, data is then transmitted to Google in the form of a ping. This allows Google to increase the accuracy of conversions. The legal basis for this processing is Art. 6 para. 1 lit. a GDPR. Consent can be withdrawn at any time.
If you do not give your consent, the data collected will be anonymized in the legitimate interest of Steiff and only used for statistical purposes. This is done on the basis of Art. 6 para. 1 lit. f GDPR. Steiff's legitimate interest in the processing is the evaluation of anonymized statistical data to increase sales and measure advertising campaigns. You may have the right to object to this in accordance with Art. 21 GDPR.
We have concluded an order processing contract with Google to contractually secure the processing. When processing your data, your personal data may be transferred to the USA. We have concluded corresponding standard contractual clauses with Google and ensured that Google takes technical and organizational measures to adequately secure your personal data. In addition, Google is also certified under the EU-US Data Privacy Framework, in which the EU Commission has certified that the certified companies have an adequate level of data protection.

3.8. Enhanced Conversions

Steiff Retail GmbH uses the "Enhanced Conversions" service provided by Google Inc. This is a service linked to Google Ads that enables us to record user interactions taking place on our website more precisely and thus to be able to use the resources used in the area of marketing and advertising via Google Ads even more effectively.
For this purpose, your interactions are linked to your existing so-called "conversion tags" and thus enhanced with your customer data. The data is then pseudonymized and passed on to Google. Google cannot convert the data into personal data again, but can compare it with existing data records. This improves conversion measurement.
The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time.
Google acts as a processor on behalf of Steiff. We have concluded an order processing contract with Google that precisely regulates the processing of personal data. As a result of Google processing your personal data, personal data may be transferred to the USA. Steiff has concluded standard contractual clauses with Google for this transfer. At the same time, Google is certified under the EU-US Data Privacy Framework, in which the EU Commission has certified that the certified companies have an adequate level of data protection.

3.9. Customer Match

Steiff Retail GmbH uses the "Customer Match" service. This is a service offered by Google Inc. in the context of which Steiff can pass on data from website visitors to Google in pseudonymized form, provided that the website visitor has given their consent.
Google is then able to assign the hash values to the Google account of the respective user by comparing the data with data already stored by Google. In this way, the respective user can be shown even more targeted advertising measures.
The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time.
Google acts as a processor on behalf of Steiff. We have concluded an order processing contract with Google that precisely regulates the processing of personal data.
As a result of Google processing your personal data, personal data may be transferred to the USA. Steiff has concluded standard contractual clauses with Google for this transfer. At the same time, Google is certified under the EU-US Data Privacy Framework, in which the EU Commission has certified that the certified companies have an adequate level of data protection.

3.10. Microsoft Clarity

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

3.11. Microsoft Advertising

We have integrated Microsoft Advertising on our website. Microsoft Advertising is a service provided by Microsoft Corporation to display targeted advertising to users. Microsoft Advertising uses cookies and other browser technologies to evaluate user behaviour and recognise users.
Microsoft Advertising collects information about visitor behaviour on various websites. This information is used to optimise the relevance of advertising. Furthermore, Microsoft Advertising delivers targeted advertising based on behavioural profiles and geographical location. Your IP address and other identification features such as your user agent are transmitted to the provider.
In this case, your data will be passed on to the operator of Microsoft Advertising, Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399, United States.

Purpose and legal basis
The use of Microsoft Advertising is based on your consent in accordance with Art. 6 para. 1 lit. a. GDPR and § 25 para. 1 TTDSG.
We intend to transfer personal data to third countries outside the European Economic Area, in particular the USA. The data transfer to the USA is carried out in accordance with Art. 45 para. 1 GDPR on the basis of the adequacy decision of the European Commission. The US companies involved and/or their US subcontractors are certified in accordance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF).
In cases where no adequacy decision of the European Commission exists (including US companies that are not certified under the EU-U.S. DPF), we have agreed other appropriate safeguards with the recipients of the data within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses of the EU Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914

In addition, before such a third country transfer, we obtain your consent in accordance with Art. 49 para. 1 sentence 1 lit. a. GDPR, which you give via the consent in the Consent Manager (or other forms, registrations, etc.). We would like to point out that in the case of third country transfers, there may be risks that are unknown in detail (e.g. data processing by security authorities in the third country, the exact scope and consequences of which for you we do not know, over which we have no influence and of which you may not become aware).
Storage period
The specific storage period of the processed data cannot be influenced by us, but is determined by Microsoft Corporation. Further information can be found in the privacy policy for Microsoft Advertising: https://privacy.microsoft.com/en-gb/privacystatement.

4. Creation of log files

Each time the website is accessed, Steiff Retail GmbH uses an automated system to collect data and information. These are stored in the log files of the server.

The following data can be gathered during this process:

(1) Information about the browser type and the version used
(2) The user's operating system
(3) The user's Internet Service Provider
(4) The user's IP address
(5) Date and time of the access
(6) Websites from which the user's system reaches our website (referrer)
(7) Websites called up via our website by the user's system

The data are processed for the purpose of delivering the content of our website, guaranteeing the function of our information technology systems and optimizing our website. The data of the log files are always stored separately from other personal data of users.

5. Analytics tools

Steiff Retail GmbH uses Google Analytics, a web analytics service from Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how you use the site. The information generated by the cookie about your use of this website (including your IP address) is sent to a server in the United States operated by Google and stored there. Google will use this information to evaluate your use of the website, compile reports about the website activity for the website operators and render other services associated with website use and Internet use. Google may also transmit this information to third parties if required by law or if third parties process this data on Google's behalf. Google will never associate your IP address with other Google data. You may refuse the installation of cookies by selecting the appropriate settings on your browser, however please note that you may not be able to use the full functionality of this website if you do so. By using this website, you declare your consent to Google's processing of the data collected about you in the above-mentioned manner and for the above-mentioned purpose. Furthermore, you can prevent Google's collection of data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of these data by opting out at the following deactivation link from Google.

6. Links and content to third-party websites

The website contains links to third-party content. Steiff Retail GmbH assumes no liability for these pages and the respective handling of personal data. Liability notice:In its decision of May 12, 1998, the district court of Hamburg stated that providing a link may entail shared responsibility for the content of the linked site. According to the regional court of Hamburg, this can only be prevented if the operator expressly distances itself from this content. Steiff Retail GmbH has placed links to other Internet sites on its pages. The following applies for all these links: Steiff Retail GmbH expressly states that Steiff Retail GmbH has no influence whatsoever on the design and content of the linked pages. Therefore, Steiff Retail GmbH hereby distances itself from all content of all pages linked on the main website and does not make this content its own. This statement applies to all links displayed on the main website and for all content of the sites to which the banners, buttons and links visible at Steiff Retail GmbH direct visitors.

7. SSL encryption

For security reasons and to protect the transmission of confidential content, like the requests you send us as the page operator, this site uses SSL encryption. You can identify an encrypted connection by the fact that the browser's address bar switches from "http://" to "https://" and the lock icon near the address bar. If SSL encryption is enabled, the data you transmit to us cannot be intercepted by third parties.

8. Registration for our website

If the involved person makes use of the option to register on the website of the controller of the processing and specifies personal data, the data are transmitted to the controller of processing in the respective input mask. The data are stored exclusively for the purpose of internal use by the controller of the processing.
During registration, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services. The data are not forwarded to third parties. An exception is made if a legal obligation for such forwarding exists.
The registration of the data is required in order to provide content or services. Registered persons have the ability to have the stored data deleted or modified at any time. The involved person can receive information about the personal data stored about him or her at any time.

9. Newsletter

If the user subscribes to our company's newsletter, the data is transmitted to the controller of the processing in the respective input mask.
During registration for the newsletter, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the involved person. The data is not forwarded to third parties. The newsletter is sent via a service provider that acts on behalf of Steiff Retail GmbH. A contractual obligation in accordance with Article 28 of the General Data Protection Regulation ( GDPR) is agreed. An exception is made if a legal obligation for such forwarding exists.
The data is used exclusively to send the newsletter. The newsletter subscription can be cancelled at any time by the involved person. Likewise, the consent to storage of personal data can be revoked at any time. A corresponding link is provided for this purpose in each newsletter.

Confirmation is required when registering for the user account and subscribing to the newsletter. This will be sent by e-mail to the specified e-mail address. There the user must confirm the registration by clicking on a predefined link. This leads via the stored URL to the Steiff Online Shop and for technical reasons receives the specified e-mail address for identification purposes. URLs are included in the Google Analytics tool, provided that the user has agreed to the statistics.
For the data views, the parameters in Google Analytics that follow "email" in the URL are excluded. With this setting, no personal data can be evaluated in Google Analytics.

10. Purchasing in the online shop

Each user of the website has the ability to make purchases in the online store. You have the ability to make these purchases as a guest, with or without registering.
In every case, we collect the data necessary for the ordering process according to the entry form. Specifically, this includes the following information: Last name, first name, mailing address, e-mail address and date of birth of the person placing the order.
If you do not register, you receive a confirmation e-mail with all information and data we process about you for the purpose of the business transaction. This also includes our storing your data corresponding to legal mandates.
If you shop as a registered user, you can see which of your data we process in your account at any time.

11. Payment in the online shop

Payment transaction

To ensure that the payment transaction is as simple and—most importantly—as secure as possible, we have integrated Ayden as the payment provider.

Ayden carries out the payment transaction. The order is not completed until after a successful payment transaction.

Additional information about Ayden and payment transactions can be found here

12. Thank-you page / gifts

Coupon offers from Sovendus GmbH: For selecting one of the coupon offers currently of interest to you, we transmit the hash value of your e-mail address and your IP address to Sovendus GmbH, Moltkestr. 11, 76133 Karlsruhe, Germany (Sovendus) in pseudonymised and encrypted form (Art. 6 Par.1 f GDPR). The pseudonymised hash value of the e-mail address is used to take into account any possible objection to advertisement from Sovendus (Art. 21 Par.3, Art. 6 Par.1 c GDPR). The IP address is exclusively used by Sovendus for the purposes of data security and is normally anonymised after seven days (Art. 6 Par.1 f GDPR). Furthermore, for crediting purposes, we transmit the pseudonymised order number, order value with currency, session ID, coupon code and time stamp to Sovendus (Art. 6 Par.1 f GDPR). If you are interested in a coupon offer from Sovendus and click on the coupon banner, which is only displayed in the case that there is no objection associated with your e-mail address, we transmit an encrypted title, name and your e-mail address to Sovendus for the preparation of the coupon (Art. 6 Par.1 b, f GDPR).

Additional information about the processing of your data by Sovendus can be found in the online data protection notices at Sovendus Datenschutz and Sovendus Endkunden FAQ

13. Contacting options

There is a contact form on the Steiff Retail GmbH website that can be used to make contact electronically. As an alternative, we can be contacted using the provided e-mail address. If the involved person makes contact with the controller of the processing using one of these channels, the personal data transmitted by the involved person is stored automatically. Storage only serves the purposes of processing or of making contact with the involved person. The data are not forwarded to third parties.

This refers to voluntarily given personal data. Steiff Retail GmbH has taken all technical and organisational measures to make sure that these data are secure.

However, be very careful when entering information and do not transmit any sensitive data, such as your bank details, using the contact form.

14. Routine erasure and locking of personal data

The processing controller processes and stores personal data of the involved person only as long as it is necessary for fulfilling the purpose of the storage. Furthermore, storage can only take place insofar as it has been permitted by European or national legislation in legal regulations, laws or other provisions to which the controller of the processing is subject.

As soon as the purpose for storage no longer exists or the storage period prescribed by the mentioned regulations has expired, the personal data are routinely locked or erased.

15. Use of social plugins

Facebook plugin

Plugins from the social network Facebook—provider: Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA—have been integrated into our pages. Facebook plugins can be identified by the Facebook logo or the "Like" button on our page. You can find an overview of Facebook plugins here: https://developers.facebook.com/docs/plugins/. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Facebook server. This allows Facebook to receive the information that you have visited our page with your IP address. If you click the Facebook "Like" button while you are logged in to your Facebook account, you can link the content of our pages on your Facebook profile. Facebook can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Facebook. You can find further information on this in the Privacy Policy of Facebook at. If you do not want Facebook to attribute your visit to our pages to your Facebook user account, log out of your Facebook user account.

YouTube plugin

We have added a YouTube plugin—YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the YouTube server. This allows YouTube to receive the information that you have visited our page with your IP address. If you click the YouTube button while you are logged in to your YouTube account, you can link the content of our pages on your YouTube profile. YouTube can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by YouTube. You can find further information on this in the Privacy Policy of YouTube at. WIf you do not want YouTube to attribute your visit to our pages to your YouTube user account, log out of your YouTube user account.

Instagram plugin

We have added an Instagram plugin—Instagram LLC, represented by Kevin Systrom and Mike Krieger, 1601 Willow Rd, Menlo Park, CA 94025, USA—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Instagram server. This allows Instagram to receive the information that you have visited our page with your IP address. If you click the Instagram button while you are logged in to your Instagram account, you can link the content of our pages on your Instagram profile. Instagram can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Instagram. You can find further information on this in the Privacy Policy of Instagram at. If you do not want Instagram to attribute your visit to our pages to your Instagram user account, log out of your Instagram user account.

Twitter plugin

We have added a Twitter plugin—Twitter International Company, One Cumberland Place Fenian Street, Dublin 2 D02 AX07 Ireland—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Twitter server. This allows Twitter to receive the information that you have visited our page with your IP address. If you click the Twitter button while you are logged in to your Twitter account, you can link the content of our pages on your Twitter profile. Twitter can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Twitter. You can find further information on this in the Privacy Policy of Twitter at. If you do not want Twitter to attribute your visit to our pages to your Twitter user account, log out of your Twitter user account.

Pinterest plugin

We have added a Pinterest plugin—Pinterest Europe Ltd., Palmerston House, 2nd Floor Fenian Street Dublin 2, Ireland—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Pinterest server. This allows Pinterest to receive the information that you have visited our page with your IP address. If you click the Pinterest button while you are logged in to your Pinterest account, you can link the content of our pages on your Pinterest profile. Pinterest can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Pinterest. You can find further information on this in the Privacy Policy of Pinterest at. If you do not want Pinterest to attribute your visit to our pages to your Pinterest user account, please log out of your Pinterest user account.

16. Rights of the data subject

WIf your personal data are processed, you are the data subject within the meaning of the GDPR. You are thus entitled to the following rights with respect to the controller: You may claim all these rights to the company according to the contact data in Item 1 or to our data protection officer according to the contact data in Item 2

16.1. Right of access

You may request confirmation from the controller about whether personal data concerning you are processed by us.

If such processing is taking place, you may request information on the following from the controller:
a. The purposes for which the personal data are processed
b. The categories of personal data that are processed
c. The recipients or the categories of recipients to whom the personal data concerning you have been disclosed or are still being disclosed
d. The planned period of storage of the personal data concerning you or, if actual information on this is not possible, the criteria for the definition of the storage period
e. The existence of a right for rectification or erasure of the personal data concerning you, a right of restriction of processing by the controller or a right to object to this processing
f. The existence of a right of appeal to a supervisory authority
g. All available information on the origin of the data, if the personal data have not been collected from the data subject
h. The existence of automated decision-making including, profiling in accordance with Article 22 Par.1 and 4 GDPR and—at least in these cases—meaningful information on the logic involved and on the scope and the intended effects of such processing for the data subject

You have the right to request information on whether the personal data concerning you are transmitted to a third country or to an international organisation. In this context, you may request to be informed about the suitable guarantees in accordance with Art. 46 GDPR in connection with transmission.

For data processing for the purposes of scientific or historical research or statistical research: This access right can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

16.2. Right of correction

You have the right to rectification and/or completion with respect to the controller insofar as the processed personal data concerning you are incorrect or incomplete. The controller must implement the correction immediately.

For data processing for the purposes of scientific or historical research or statistical research:

Your right to rectification can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

16.3. Right of restriction of processing
Under the following conditions, you may request that the processing of personal data concerning you is restricted:
a. If you dispute the correctness of the personal data concerning you for a period of time long enough to allow the controller to check the correctness of the personal data
b. If processing is unlawful and you reject the deletion of the personal data, requesting a restriction of the use of the personal data instead
c. If the controller no longer needs the personal data for the purpose of the processing, but you require the data for asserting, enforcing or defending legal claims, or
d. If you have filed an objection to processing in accordance with Art. 21 Par.1 GDPR and it has not yet been established whether the justified grounds of the controller supersede your grounds for restriction

If the processing of personal data concerning you has been restricted, these data—apart from their storage—may be processed only with your consent or for asserting, enforcing or defending legal claims or for the protection of the rights of another natural or legal entity or for causes of an important public interest of the European Union or one of its member states.

If the restriction has taken effect in accordance with the above conditions,you will be notified by the controller before the restriction is lifted.

For data processing for the purposes of scientific or historical research or statistical research:

Your right of restriction of processing can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

16.4. Right of erasure

16.4.1. You may request that the controller erases the personal data concerning you immediately, and the controller is obliged to erase these data immediately if one of the following grounds for erasure applies:
a. The personal data concerning you are no longer needed for the purposes for which they have been collected or otherwise processed
b. You revoke your consent on which processing was based in accordance with Art. 6 Par.1 subparagraph a or Art. 9 Par.2 subparagraph a GDPR, and there is no other legal basis for processing
c. You file an objection to processing in accordance with Art. 21 Par.1 GDPR and there are no justified grounds of higher priority, or you file an objection to processing in accordance with Art.21 Par.2 GDPR
d. The personal data concerning you have been processed unlawfully
e. The erasure of the personal data concerning you is required for compliance with a legal obligation in accordance with European Union law or the law of the member states to which the controller is subject
f. The personal data concerning you have been collected with regard to solicited services of information society in accordance with Art. 8 Par.1 GDPR

16.4.2. If the controller has published the personal data concerning you and is obliged to erase the data in accordance with Art. 17 Par.1 GDPR, the controller shall initiate measures, including those of a technical nature, that are appropriate under consideration of the available technology and costs of implementation in order to notify all other data processing controllers who process these personal data of the fact that you as the involved person have requested the erasure of all links to these personal data or of copies or replications of these data.

16.4.3. The right of erasure does not exist insofar as processing is required for the following reasons: a. For executing the right to free speech and information
b. For complying with a legal obligation requiring the processing in accordance with the law of the European Union or the member states to which the controller is subject, or for exercising a duty that is in the public interest or occurs in execution of public authority that has been transferred to the controller
c. For causes of public interest in the area of public health in accordance with Art. 9 Par.2 subparagraph h and i as well as Art. 9 Par.3 GDPR
d. For archival purposes in the public interest, for the purposes of scientific or historical research or statistical purposes in accordance with Art. 89 Par. 1 GDPR, insofar as the right specified in Par.1 is expected to prevent or seriously impede the implementation of the goals of this processing e. For asserting, enforcing or defending legal claims

16.5. Right of information

If you have asserted your right of correction, erasure or restriction of processing to the controller, the controller is obliged to communicate this correction or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this is shown to be impossible or to involve a disproportionate effort.

With respect to the controller, you have the right to be notified of these recipients.

16.6. Right of data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer these data to another controller without obstruction by the controller to whom the personal data have been provided insofar as:
a. The processing is based on consent in accordance with Art. 6 Par.1 subparagraph a GDPR or Art. 9 Par.2 subparagraph a GDPR or a contract in accordance with Art. 6 Par.1 subparagraph b GDPR, andd
b. Processing is done using automated procedures

In exerting this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, if as this is technically possible. In doing so, the freedoms and rights of other persons shall not be impeded.

The right of data portability shall not apply to the personal data processing that is required for exercising a duty in the public interest or occurs in execution of public authority that has been transferred to the controller.

16.7. Right of objection
At any time, you have to right to file an objection to the processing of personal data concerning you that is carried out on the basis of Art. 6 Par.1 subparagraph e or f GDPR for grounds relating to your specific situation; this shall also apply to any profiling based on these clauses.
The controller will no longer process personal data concerning you, unless the existence of compelling grounds for the processing that are worthy of protection and supersede your interests, rights and freedoms can be proved, or the processing is for asserting, enforcing or defending legal claims.
If the personal data concerning you are processed in order to practice direct marketing, you have the right to file an objection to processing personal data concerning you for the purpose of such marketing at any time; this shall also apply to profiling insofar as it is connected to such direct marketing.
If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of services of information society, you have the option of asserting your right of objection, irrespective of the 2202/58/EC directive, using automated means, which involve the use of technical specifications.
For data processing for the purposes of scientific or historical research or statistical research:
You also have the right to object to the processing of personal data concerning you that is carried out for the purposes of scientific or historical research or statistical purposes, for reasons based on your specific situation, in accordance with Art. 89 Par. 1 GDPR.
Your right to objection can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

16.8. Right of withdrawal of your declaration of consent under data protection legislation
You have the right to withdraw your declaration of consent under data protection legislation at any time. The withdrawal does not affect the legality of processing that was based on consent and completed before the withdrawal.

16.9. Automated decision on a case-by-case basis including profiling
You have the right of not being subjected to a decision based exclusively on automatic processing—including profiling—that takes legal effect with respect to you or has a substantial adverse effect on you. This does not apply in the following cases:
a. If the decision is necessary for the conclusion or fulfilment of a contract between you and the controller.
b. If the decision is permissible due to legal regulations of the Union or the member states to whom the controller is subject and these legal regulations include appropriate measures for protecting your rights and freedoms and your legitimate interests.
c. If the decision is made with your express consent.
However, these decisions shall not be based on special categories of personal data in accordance with Art. 9 Par.1 GDPR unless Art. 9 Par.2 subparagraph a or g applies and appropriate measures for the protection of the rights and freedoms and your legitimate interests have been provided.
Regarding the cases mentioned in a. and c., the controller shall implement appropriate measures in order to protect the rights and freedoms and your legitimate interests, which include at the least the rights of obtaining an intervention of a person on the part of the controller, of explaining your own stance and of disputing the decision.

16.10. Right of complaint to a supervisory authority
Irrespective of any other remedies of administrative law or judicial remedies, you are entitled to the right of complaint to a supervisory authority, particularly in the member state of your whereabouts, your place of employment or the place of the presumed infringement if you are of the opinion that the processing of the personal data concerning you violates the GDPR.
The supervisory authority to which the complaint has been submitted shall notify the plaintiff about the status and the results of the complaint including the option of a judicial remedy in accordance with Art. 78 GDPR.

17. Transfer of data to third parties

Data are generally not transferred. Any exceptions are regulated in the items above. In particular, there is no transfer for commercial purposes (address trading).

18. Legal basis of processing

Insofar as we obtain the consent of the involved person for processing personal data, Article 6 Section 1 subparagraph a of the EU General Data Protection Regulation (GDPR) is the legal basis.

When processing personal data that are required for fulfilment of a contract whose party is the involved person, Article 6 Section 1 subparagraph b GDPR is the legal basis. This shall also apply for processing procedures necessary for carrying out pre-contract measures.

Insofar as processing personal data is required for fulfilment of a legal obligation to which our company is subject, Article 6 Section 1 subparagraph c GDPR is the legal basis.

In case vital interests of the involved person or another natural person require processing personal data, Article 6 Section 1 subparagraph d GDPR is the legal basis.

If the processing is required for the protection of a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the involved person do not take precedence over the former interest, Article 6 Section 1 subparagraph f GDPR is the legal basis for processing. The legitimate interest of our company is the execution of our business activities.

19. Duration of storage of personal data

Personal data are stored for the duration of the respective statutory storage term. After expiry of the term, data are deleted routinely unless there is a requirement for concluding or fulfilling a contract.

If you have questions and suggestions, please send an e-mail message to uk.service@steiff.com

20. Steiff Club

By submitting your application for a membership, you confirm that you give consent to your data being processed by Margarete Steiff GmbH, the Steiff Club and your Steiff Club Store.

The data will be processed confidentially and in accordance with the data protection regulations of Margarete Steiff GmbH, the EDPR, and further statutory regulations. Any passing on of data to third parties will take place exclusively for the purpose of the contractual relationship, e.g. for handling payment transactions, sending Club information, and invitation to Club events.

If you have any further questions, comments or require information about your data, please contact the Steiff Club, Margarete Steiff GmbH, Postfach 15 60, 89530 Giengen an der Brenz.

21. Workshop as part of the Steiff Summer

Nature and scope of the processing

For participation in the workshop as part of the Steiff Summer, we process your personal data for the preparation incl. payment processing, implementation and follow-up of the workshop.

Your personal data will only be passed on to third parties (e.g. shipping service providers / forwarding agents) and order processors in accordance with Art. 28 DSGVO if this is necessary for processing and implementation.

Purpose and legal basis

We process your personal data for the purpose of handling and implementing the workshop in accordance with Art. 6 Para. 1 lit. a DSGVO.

Storage period

The data will be stored for the duration of the implementation and processing of the respective workshop. Afterwards, the data will be completely deleted.