Data Protection

 

1. Data protection at a glance


General Information

The following information provides a simple overview of what happens to your personal data when you use this website. Personal data are any data which can be used to personally identify you. For detailed information on data protection, please refer to our Privacy Policy, which you can find below.

Data collection on this website

Who is responsible for data collection on this website?

The website operator is responsible for processing data on this website. You can find the contact details of the website operator in the section of this Privacy Policy titled “Information on the responsible party”.

How do we collect your data?

Some of your data are collected when you share them with us. Such data may include information that you enter in a contact form.

Other data are collected by our IT systems, either automatically or following your consent, when you visit the website. These are mainly technical data (e.g. internet browser, operating system and the date and time of your visit to the page). The collection of these data takes place automatically as soon as you visit the website.

How do we use your data?

Some of the data are collected to ensure that we can provide the website without errors. Other data may be used to analyse your user behaviour.

What are your rights with regard to your data?

You have the right to receive information about the origin, recipients and purpose of your personal data stored by us free of charge at any time. You also have the right to demand the correction or deletion of these data. If you have consented to the processing of your data, you may revoke this consent with future effect at any time. You also have the right, under some circumstances, to demand restriction of the processing of your personal data. Furthermore, you have the right to appeal to the competent supervisory authority.

You may contact us concerning this or any other questions about data protection at any time.

Analysis tools and tools of third parties

When you visit this website, your browsing behaviour may be statistically evaluated. This is mostly carried out with analysis programs. 

For detailed information on these analysis programs, please refer to the following Privacy Policy.

2. Hosting

The content on our website is hosted by the following provider:

Hetzner

The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter “Hetzner”).

For further details, please refer to the Hetzner privacy policy: https://www.hetzner.com/legal/privacy-policy?country=gb.

Our use of Hetzner’s services is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in ensuring that our website is presented as reliably as possible. Provided that appropriate consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (f) GDPR, and § 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG) if the consent covers storage of cookies or access to information on the terminal device of the user (e.g. device fingerprinting) within the meaning of TTDSG. You may revoke your consent at any time.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required under data protection law which ensures that this service provider will only process the personal data of visitors to our website in accordance with our instructions and the GDPR.

3. General and obligatory information


Data protection

The operators of these web pages take the protection of your personal data very seriously. We treat your personal data in a confidential manner as well as in line with statutory data protection regulations and this Privacy Policy. 

Various personal data are collected when you use this website. Personal data are data which can be used to personally identify you. This Privacy Policy explains which data we collect and what we use them for. It also explains how and for what purpose this takes place. 

We would like to point out that there may be some security gaps in online data transfer (e.g. in email communications). Complete protection of data against third-party access is not possible.

Information on the responsible party

The responsible party for data processing on this website is:

MGM Cosmetics GmbH
Mittelweg 162
20148 Hamburg
Germany

Phone: +49 (0) 123 44 55 66
E-Mail: service@mgm-cosmetics.com

The responsible party is the natural or legal person who decides, either alone or with others, on the purposes and means of processing personal data (e.g. name, email address).

Storage period

If no specific storage period has been specified in this Privacy Policy, we will retain your personal data until the purpose of the data processing no longer applies. If you make a justified request for deletion or revoke your consent to data processing, your data will be deleted provided that we do not have any other legally permissible grounds to store your personal data (e.g. retention periods under fiscal or business law); in the latter case, the data are deleted once these reasons cease to apply.

General information on the legal bases of data processing on this website

If you consent to data processing, we will process your personal data on the basis of Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR if special data categories are processed in line with Art. 9 (1) GDPR. In the event of express consent to the transfer of personal data to third countries, data processing is also based on Art. 49 (1) (a) GDPR. If you consent to the storage of cookies or permit access to information on your terminal device (e.g. via device fingerprinting), data processing is also based on § 25 (1) TTDSG. You may revoke your consent at any time. If your data are required to fulfil the contract or perform pre-contractual measures, we process your data on the basis of Art. 6 (1) (b) GDPR. Furthermore, we process your data provided that they are required to fulfil a legal obligation on the basis of Art. 6 (1) (c) GDPR. Data processing may also be carried out on the basis of our legitimate interest in line with Art. 6 (1) (f) GDPR. Information about the applicable legal basis in each individual case is provided in the subsequent paragraphs of this Privacy Policy.

Information on data transfer to the USA and other third countries

Some of the tools we use are provided by companies headquartered in the USA and other third countries that are not secure in terms of data protection law. If these tools are active, your personal data may be transferred to these third countries and processed there. We hereby advise you that a level of data protection comparable to that in the EU cannot be guaranteed in these countries. For example, US companies are obliged to surrender personal data to security services without any possibility for you, as the affected party, to take legal action against this. Therefore, the possibility of US authorities (e.g. secret services) processing, analysing and permanently storing your data stored on US servers for surveillance purposes cannot be ruled out. We have no influence over this data processing.

Revocation of consent to data processing

Many data processing operations are only possible with your express consent. You may revoke previously issued consent at any time. The lawfulness of the data processing carried out until the time of the revocation remains unaffected by the revocation.

Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6 (1) (e) GDPR, you have the right to object at any time to the processing of your personal data for reasons arising from your specific situation; this also applies to profiling based on these provisions. The relevant legal basis on which processing is based can be found in this Privacy Policy. If you object, we will no longer process your personal data unless we are able to prove compelling grounds for processing worthy of protection which outweigh your interests, rights and liberties or the processing serves the purpose of asserting, exercising or defending legal claims (objection according to Art. 21 (1) GDPR).

If your personal data are processed for the purpose of direct advertising, you have the right, at any time, to object to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling if it is related to such direct advertising. If you object, your personal data will cease to be used for the purpose of direct advertising (objection according to Art. 21 (2) GDPR).

Right to appeal to the competent supervisory authority

In the event of violations of GDPR, affected parties have a right to appeal to a supervisory authority, particularly in the member state of their habitual residence, their place of work or the location of the alleged violation. The right of appeal is without prejudice to any other administrative or judicial remedy.

Right to data portability

You have the right to have data which we process automatically on the basis of your consent or in the performance of a contract provided to you or third parties in a common, machine-readable format. If you demand the direct transfer of the data to another responsible party, this will only take place to the extent that it is technically feasible.

Information, correction and deletion

In line with the applicable legal provisions, you have the right, at any time and free of charge, to receive information about your stored personal data, their origin and recipients as well as the purpose of data processing, and, if applicable, a right to correction or deletion of these data. You may contact us concerning this or any other questions about personal data at any time.

Right to restriction of processing

You have the right to demand restriction of the processing of your personal data. You may contact us concerning this at any time. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we usually need time to check this. You have the right, for the duration of the check, to demand restriction of the processing of your personal data.
  • If your personal data are/were processed unlawfully, you may demand restriction of the data processing instead of deletion.
  • If we no longer require your personal data, but you require them to exercise, defend or assert legal claims, you have the right to demand restriction of the processing of your personal data instead of deletion.
  • If you have objected in line with Art. 21 (1) GDPR, our respective interests must be weighed against one another. Until it is determined whose interests prevail, you have the right to demand restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data may – apart from their storage – only be processed with your consent, for the purpose of asserting, exercising or defending legal claims, to protect the rights of another natural or legal person, or on grounds of an important public interest of the European Union or a member state.

SSL/TLS encryption

This website uses SSL/TLS encryption for the purposes of security and protection of the transmission of sensitive content, such as orders or queries you send to us as the site operator. You can identify an encrypted connection by the browser’s address bar being changed from “http://” to “https://” and by the padlock icon in the address bar.

If SSL/TLS encryption is activated, the data you transmit to us cannot be accessed by third parties.

Encrypted transactions on this website

If, after conclusion of a fee-based contract, there is an obligation to provide us with your payment details (e.g. account number in case of direct debit mandate), these data are required to process transactions.

Transactions using common payment methods (Visa/Mastercard, direct debit) are only carried out via an encrypted SSL/TLS connection. You can identify an encrypted connection by the browser’s address bar being changed from “http://” to “https://” and by the padlock icon in the address bar.

In the event of encrypted communication, the payment details you transmit to us cannot be accessed by third parties.

4. Data collection on this website


Cookies

Our web pages use “cookies”. Cookies are small data packets which do not cause any damage to your terminal device. They are stored on your terminal device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are deleted automatically after your visit ends. Persistent cookies remain stored on your terminal device until you delete them yourself or they are deleted automatically by your internet browser.

Cookies may be generated by us (first-party cookies) or third-party companies (third-party cookies). Third-party cookies enable the integration of certain services offered by third-party companies in websites (e.g. cookies for processing payment services).

Cookies serve various functions. Many cookies are technically necessary since certain website functions would not work without them (e.g. shopping cart or videos). Other cookies can be used for analysis of user behaviour or for advertising purposes.

Cookies which are necessary to complete the electronic communication process, to provide certain functions desired by you (e.g. the shopping cart) or to optimise the website (e.g. cookies for measuring the web audience) – known as essential cookies – are stored on the basis of Art. 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing essential cookies to allow it to provide its services in an optimised manner without technical errors. If consent to the storage of cookies and comparable recognition technology has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 (1) (a) GDPR and § 25 (1) TTDSG); the consent can be revoked at any time.

You can set your browser to inform you when cookies are placed, only allow cookies in an individual case, prevent the acceptance of cookies generally or in certain cases, or automatically delete cookies when you close the browser. Deactivating cookies may affect the functionality of this website.

You can find out about which cookies and services are used on this website in this Privacy Policy.

Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your terminal device or to the use of certain technologies and document this consent in a manner compliant with data protection law. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany; website: https://usercentrics.com (hereinafter “Usercentrics”).

If you access our website, the following personal data are transmitted to Usercentrics:

  • your consent, or the revocation of your consent
  • your IP address
  • information about your browser
  • information about your terminal device
  • time of your visit to the website

Usercentrics also stores a cookie in your browser to allow it to attribute to you the issued consent or its revocation. The data collected here are stored until you ask us to delete them, delete the Usercentrics cookie yourself or if the purpose of data storage ceases to apply. Mandatory statutory retention periods remain unaffected.

The Usercentrics banner on this website was configured with the help of eRecht24. You can recognise this by the eRecht24 logo in the banner. A connection to the eRecht24 image server is established to allow the eRecht24 logo to be displayed. The IP address is also transmitted here, but it is only stored in the server logs in anonymised form. The eRecht24 image server is operated in Germany by a German service provider. The banner itself is exclusively provided by Usercentrics.

Usercentrics is used to obtain the legally required consent to the use of certain technologies. The legal basis for this is Art. 6 (1) (c) GDPR.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required under data protection law which ensures that this service provider will only process the personal data of visitors to our website in accordance with our instructions and the GDPR.

Server log files

The provider of the web pages automatically collects and stores information in server log files and your server transmits it to us automatically. This information is:

  • browser type and browser version
  • operating system used
  • referrer URL
  • host name of the accessing computer
  • time of the server request
  • IP address

These data are not merged with other data sources.

The collection of these data is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in optimising its website and presenting it without technical errors – this requires server log files to be gathered.

Contact form

If you send us queries via the contact form, we will store the information and contact details you enter for the purpose of processing the query and in case of follow-up questions. We will not pass these data on without your consent.

The processing of these data is based on Art. 6 (1) (b) GDPR if your query is related to the performance of a contract or necessary for the execution of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of the queries sent to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested; you may revoke your consent at any time.

We will retain the data you enter in the contact form until you request their deletion, revoke your consent to their storage or if the purpose of data processing ceases to apply (e.g. after your query has been handled). Mandatory legal provisions – in particular retention periods – remain unaffected by this.

Registering on this website

You can register on this website to access additional functions on the website. We only use the data you enter in the registration process for the purpose of providing the offering or service you have registered for. The compulsory information requested in the registration process must be provided in full. Otherwise we will deny the registration.

We will use the email address provided during registration to inform you of any important changes, such as technically necessary changes or changes to the scope of offerings.

The data entered during registration are processed for the purpose of performing the user contract established by the registration and, if applicable, for the initiation of further contracts (Art. 6 (1) (b) GDPR).

We store the data collected during registration as long as you are registered on this website, after which they are deleted. Legal retention periods remain unaffected by this.

5. Analysis tools and advertising


Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool which allows us to integrate tracking or statistics tools and other technologies on our website. Google Tag Manager itself does not create a user profile, save cookies or perform any independent analysis. It is solely used to manage and present the tools it is used to integrate. However, Google Tag Manager collects your IP address, which may also be transmitted to the parent company of Google in the USA.

The use of Google Tag Manager is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the quick, simple integration and management of various tools on its website. Provided that appropriate consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (f) GDPR, and § 25 (1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG) if the consent covers storage of cookies or access to information on the terminal device of the user (e.g. device fingerprinting) within the meaning of TTDSG. You may revoke your consent at any time.

The company is certified in line with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA which is designed to ensure compliance with European data protection standards for data processing in the USA. Every company certified in line with the DPF is obliged to meet these data protection standards. You can find more information via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active


Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.


Google Analytics allows the website operator to analyse the behaviour of the website’s visitors. The website operator receives a range of usage data, such as the number of page views, the duration of each visit, the operating system used and the website that led the user to our website. These data are assigned to the user’s terminal device. They are not assigned to a user ID.

Furthermore, Google Analytics allows us to do things like record your mouse and scroll movements. Google Analytics also uses various modelling approaches to expand the collected data sets and uses machine learning technology in data analysis.

Google Analytics uses technologies which enable recognition of the user for the purpose of analysing user behaviour (e.g. cookies and device fingerprinting). The information collected by Google about the use of this website is usually transmitted to a server in the USA and stored there.

The use of this service is based on your consent in line with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG. You may revoke your consent at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. For details, visit: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in line with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA which is designed to ensure compliance with European data protection standards for data processing in the USA. Every company certified in line with the DPF is obliged to meet these data protection standards. You can find more information via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

Browser Plugin

You can prevent Google collecting and processing your data by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

For more information on Google’s handling of user data, see the Google privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Data processing

We have concluded a data processing agreement (DPA) with Google and fully implement the strict requirements of the German data protection authorities in our use of Google Analytics.


Meta-Pixel (formerly Facebook Pixel)

This website uses the visitor action pixel of Facebook/Meta. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook’s statements, however, the collected data are transmitted to the USA and other third countries.

This allows the behaviour of website visitors to be tracked after they have been redirected to the provider’s website by clicking on a Facebook advertisement. This in turn allows the effectiveness of Facebook advertisements to be assessed for statistical and market-research purposes and future advertising measures to be optimised.

The collected data are anonymous for us as the operator of this website and do not allow us to make any inferences regarding the identity of the users. However, Facebook stores and processes the data to allow it to be linked to the respective user profile and so that Facebook can use the data for its own advertising in line with the Facebook Privacy Policy (https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0). This allows Facebook to enable placement of advertisements on pages inside and outside Facebook. As the site operator, we have no influence over this use of the data.

The use of this service is based on your consent in line with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG. You may revoke your consent at any time.

We use the advanced matching function in the Meta Pixel.

Advanced matching allows us to transmit various forms of data pertaining to our customers and prospects that we collect via our website (e.g. town/city and state of residence, postcode, hashed email addresses, name, gender, date of birth and phone number) to Meta (Facebook). This activation allows us to customise our advertising campaigns on Facebook even more precisely to those who are interested in our offerings. Advanced matching also improves website conversion attribution and expands custom audiences.

If personal data are collected on our website and transmitted to Facebook using the tool described here, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). This joint responsibility is limited exclusively to the collection of data and their transmission to Facebook. The joint responsibility does not apply to the processing carried out by Facebook after the transmission. The obligations incumbent on us jointly were set out in a joint processing agreement. You can find the text of the agreement at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook tool and implementing the tools on our website in a secure, data-protection-compliant manner. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. information requests) with regard to the data processed by Facebook directly with Facebook. If you assert data subject rights with us, we are obliged to pass them on to Facebook.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. For details, visit: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

You can find additional information about the protection of your privacy in the Facebook Privacy Policy: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.

You can also deactivate the custom audiences remarketing function in the ad preferences at https://accountscenter.facebook.com/ad_preferences. You have to be registered with Facebook for this.

If you do not have a Facebook account, you can disable usage-based advertising from Facebook on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

The company is certified in line with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA which is designed to ensure compliance with European data protection standards for data processing in the USA. Every company certified in line with the DPF is obliged to meet these data protection standards. You can find more information via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active

6. Plugins and Tools


Vimeo Do Not Track

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

If you visit one of our pages containing Vimeo videos, a connection to the Vimeo servers will be established. In this process, the Vimeo server will receive information about which of our pages you have visited. Vimeo also obtains your IP address. However, we have set Vimeo not to track your user activity or place cookies. 

Vimeo is used in the interest of presenting our online offerings in an appealing manner. This represents a legitimate interest in line with Art. 6 (1) (f) GDPR. If appropriate consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR; the consent can be revoked at any time. 

Data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on “legitimate business interests”. For details, visit: https://vimeo.com/privacy

For more information on handling of user data, see the Vimeo privacy policy: https://vimeo.com/privacy.

7. eCommerce and payment providers

Processing of customer and contract data

We collect, process and use personal customer and contract data for the establishment, content design and amendment of our contractual relationships. We collect, process and use personal data about the use of the website (usage data) only to the extent necessary to enable the user to use the service or charge the user for the service. The legal basis for this is Art. 6 (1) (b) GDPR.

The collected customer data are deleted after completion of the order or the end of the business relationship and expiry of any legal retention periods. Legal retention periods remain unaffected by this.

Data transmission in conclusion of contracts for online shops, retailers and dispatch of goods

If you order goods from us, we will transmit your personal data to the logistics company charged with the delivery as well as to the payment service provider charged with payment processing. Only data required by the respective service provider for the completion of its task are transmitted. The legal basis for this is Art. 6 (1) (b) GDPR, which permits data processing for the performance of a contract or for pre-contractual measures. If you have issued appropriate consent in line with Art. 6 (1) (a) GDPR, we will pass your email address on to the logistics company charged with the delivery so that it can inform you of the shipping status of your order via email; you may revoke this consent at any time.

Payment services

We integrate third-party payment services on our website. If you make a purchase from us, your payment details (e.g. name, payment sum, account details, credit card number) will be processed by the payment service provider for the purpose of processing the transaction. The contractual and data protection provisions of the respective provider apply to these transactions. Payment service providers are used on the basis of Art. 6 (1) (b) GDPR (contract implementation) and in the interest of making the payment process as simple, convenient and secure as possible (Art. 6 (1) (f) GDPR). If your consent is requested for certain actions, Art. 6 (1) (a) GDPR is the legal basis for data processing; consent can be revoked at any time with future effect. 

We use the following payment services / payment service providers on this website: 

Mollie 

The provider of this payment service is Mollie B.V., Keizersgracht 126, 1015CW Amsterdam, Netherlands (hereinafter “Mollie”). Mollie allows us to integrate various payment methods on our website. For further details, please refer to the Mollie privacy policy: https://www.mollie.com/de/privacy.