Privacy Notice

This privacy notice outlines how we process personal data on this website, including when providing the services offered here.

To learn more about how we process your personal data, please contact us through any of the channels listed below.

1. General information

Publisher:

Bohemia Cristal Handelsgesellschaft mbH
Christian-Höfer-Ring 54
95100 Selb, Germany

Phone: +49 9287 86-0
E-Mail: info@bohemiacristal.de

Person responsible for website content:
Yvonne Stäudel, Head of Marketing

Person responsible for data protection:
Bohemia Cristal Handelsgesellschaft mbH
Gerhard Schuh and Jana Motkova
E-Mail: info@bohemiacristal.de

External data protection officers:

Theresa Küspert

BM Digital Consulting GmbH

Albert-Einstein-Str. 1

95028 Hof

Telefon: +49(0)9281 180070

E-Mail: info@bm-digital-consulting.de

Directors:

Gerhard Schuh and Jana Motkova
Phone: +49 928786-0
E-Mail: info@bohemiacristal.de

2. Legal basis of data processing on this website

If you have consented to data processing, we process your personal data based on point (a) of Art. 6 (1) GDPR or, where special categories of personal data pursuant to Art. 9 (1) GDPR are concerned, based on point (a) of Art. 9 (2) GDPR. If you have expressly consented to the transfer of personal data to third countries, the data processing is additionally based on point (a) of Art. 49 (1) GDPR. If you have consented to the storage of cookies or to the access to information in your terminal device (e.g. via device fingerprinting), the data processing is additionally based on Sec. 25 (1) TTDSG (Telecommunications-Telemedia Data Protection Act). You can withdraw your consent at any time. If your data are necessary for the performance of a contract or for the implementation of pre-contractual measures, we process your data based on point (b) of Art. 6 (1) GDPR. Furthermore, if your data are necessary for compliance with a legal obligation, we process your data based on point (c) of Art. 6 (1) GDPR. In addition, the data processing may be carried out for the purposes of our legitimate interests pursuant to point (f) of Art. 6 (1) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this Privacy Policy.

3. Period of storage of personal data

Unless a more specific storage period has been specified in this Privacy Policy, we will store your personal data until the purpose of data processing ceases to apply. If you make a justified request for erasure or withdraw your consent to data processing, your data will be erased, unless we have other legitimate grounds for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, your data will be erased after these grounds cease to apply.

4. Information on data transfer to third countries that are considered insecure in terms of data protection and on data transfer to U.S. companies that are not DPF-certified

Among other technologies, we use tools of companies domiciled in third countries that are considered insecure in terms of data protection as well as U.S. tools whose providers are not certified under the EU-US-Data Privacy Framework (DPF). When these tools are active, your personal data may be transferred to and processed in these countries. Please note that these countries do not guarantee a level of data protection comparable to that of the EU.

Please note that the U.S., as a secure third country, generally offers a level of data protection comparable to that of the EU. Data transfer to the U.S. is therefore permitted if the recipient is certified under the “EU-US Data Privacy Framework” (DPF) or provides additional appropriate safeguards. Information on data transfer to third countries, including the recipients, is provided in this Privacy Policy.

5. Recipients of personal data

As part of our business activities, we work with various external entities. In some cases, it is also necessary to transfer personal data to these external entities. We only disclose personal data to external entities if this is necessary for the performance of a contract, if we are legally obliged to do so (e.g. disclosure of data to tax authorities), if we have a legitimate interest in the disclosure pursuant to point (f) of Art. 6 (1) or if there is another legal basis permitting the disclosure of data. When using the services of processors, we only disclose personal data of our customers on the basis of a valid data processing agreement. In the event of joint processing, a joint data processing agreement is concluded.

6. Rights of the data subjects

To the extent that we process your personal data, you have the following rights as the data subject:

 

Right of access:

If your personal data are processed, you have the right obtain information about the personal data stored concerning you (Art. 15 GDPR).

Right to rectification:

If inaccurate data are processed, you have the right to rectification (Art. 16 GDPR).

Right to erasure:

If the legal requirements are met, you have the right to request erasure or restriction of processing (Art. 17, 18 GDPR).

Right to data portability:

If you have consented to processing or there is a data processing agreement and the data processing is carried out by automated means, you may have the right to data portability (Art. 20 GDPR).

Right of withdrawal:

If you have consented to processing and the processing is based on this consent, you can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data, if the processing is based on point (e) of Art. 6 (1) GDPR (Art. 21 (1) sentence 1 GDPR).

Right to restriction of processing:

You have the right to request restriction of processing of your personal data. To do so, you can contact us at any time. You can exercise your right to restriction of processing in the following cases:

  • If you contest the accuracy of your personal data stored by us, we usually need some time to verify the accuracy of the data. For the period of verification, you have the right to request restriction of processing of your personal data.
  • If the processing of your personal data was/is unlawful, you can request restriction of processing instead of erasure.
  • If we no longer need your personal data, but you require them for the establishment, exercise or defence of legal claims, you have the right to request restriction of processing of your personal data instead of erasure.
  • If you have objected to processing pursuant to Art. 21 (1) GDPR, your and our interests have to be weighed against each other. As long as it is not verified which interests are overriding, you have the right to request restriction of processing of your personal data.
  • If you have restricted the processing of your personal data, such data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

7. How to withdraw your consent to data being processed

Many data processing procedures may only be performed with your express consent. You may, at any time, withdraw any consent that you have provided. The lawful nature of the data processing performed until receipt of your withdrawal of consent will remain unaffected. Right to object to data processing in special cases and for direct marketing purposes pursuant to Article 21 GDPR:

a) Direct advertising (Art. 21 GDPR)

Should data be processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right, at any time – on grounds arising from your particular situation – to object to your personal data being processed; this also applies to any form of profiling based on the aforementioned provisions. The legal basis on which any processing of data is founded is outlined in this Privacy Notice. In the event that you object, we will cease processing your personal data unless we can prove that compelling, legitimate interests exist that override your interests, rights and freedoms or that the processing of your data serves to assert, exercise or defend legal claims (Right to object pursuant to Art. 21(1) GDPR).

Should your personal data be processed in order to conduct direct advertising, you have the right, at any time, to object to such personal data being processed for the purpose of such advertising; this also applies in the case of profiling to the extent that this occurs in connection with such direct advertising. In the event that you object, your personal data will subsequently cease to be used for the purpose of direct advertising (Right to object pursuant to Art. 21(2) GDPR).

8. Right to lodge a complaint with a supervisory authority

You furthermore have the right to lodge a complaint with the Bavarian Data Protection Authority (BayLDA). The authority can be contacted as follows:

Bayrisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de
Phone: +49 981 180093-0
Fax: +49 981 180093-800
E-Mail: poststelle@lda.bayern.de

9. Further information

To learn more about how we process your personal data, please contact us through any of the channels listed above (at the beginning of this privacy notice).

10. SSL and/or TLS encyption

For security reasons and to safeguard the transmission of confidential content, such as orders or enquiries that you send us as the operator of the website, this website uses SSL and/or TLS encryption.

Encrypted connections are discernible through a change in the address bar in your browser – from “http://” to “https://”, and the padlock icon displayed in your browser address bar.

If SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

11. Information particular to this website

a) External web hosting

Our web server is operated by the ProComp GmbH company. The personal data transmitted during your visit to our website are therefore processed by ProComp GmbH on our behalf.

Contact details:
Name of third-party processor: ProComp GmbH
Postal address: Industriealle 1, 95615 Marktredwitz, Germany
E-Mail: info@procomp.de

The personal data collected on this website are stored on the web hoster’s servers. This may include IP addresses, contact enquiries, metadata, data used for communication, contract-related data, contact details, names, website access and other data generated via a website.

The web hoster’s services are employed to enable us to fulfil contracts with our potential and existing clients (Art. 6(1)(b) GDPR) and to ensure the swift, secure and efficient provision of our online services through a professional provider (Art. 6(1)(f) GDPR).

Our web hoster will only process your data within the bounds of what is necessary for the web hoster to perform its service obligations and will abide by our instructions as far as such data are concerned.

To ensure that data are processed in compliance with the data protection regulations, we have concluded a third-party processing agreement with our web hoster.

b) Data logging

Whenever you access this or other websites, data are transmitted to the web server via your browser. The following data are recorded during the time that your internet browser communicates with our web server:

  • Date and time of the request
  • The page requesting the file
  • The web browser used

These data are erased when the connection is closed.

12. Cookies

a) Session cookie (technical cookie - essential)

When you access this website, technical cookies (small files) are stored on your device and remain active throughout your visit to the website. These are known as session cookies. These cookies are used only during your visit to our website and only the current browser session ID is stored. The cookie is removed when the browser session is closed. No IP addresses are stored.

b) Contailor cookie (technical cookie – essential)

This cookie enables administrators/authors to log in to the Admin portal to perform editing tasks. The following personal data are collected:

  • Username (encrypted)
  • Password (in accordance with an established password policy) (encrypted)
  • Last login

The data are saved for three (3) months following the initial log-in. The three-monthly cycle recommences as soon as the user in question logs in to the platform.

c) Cookie consent through Usercentrics

This website uses Usercentric’s cookie consent technology to obtain your consent to certain cookies being stored on your end device or for certain technologies to be employed, and to document your consent in compliance with the data protection regulations.

This technology is provided by Usercentrics GmbH, Rosental 4, 80331 Munich, Germany; website: https://usercentrics.com/de/ (hereinafter referred to as “Usercentrics”).

When you enter our website, the following personal data are forwarded to Usercentrics:

  • Your consent and/or revocation of your consent
  • Your IP address
  • Information concerning your browser
  • Information concerning your end device
  • The date/time you visited the website

Usercentrics furthermore stores a cookie on your browser linking you to all forms of issued and/or withdrawn consent. Data recorded here are stored until you ask us to erase them, until you erase the Usercentrics cookie yourself, or until the purpose for which the data were stored ceases to exist. Mandatory legal obligations to retain data will remain unaffected. Usercentrics is used in order to obtain the forms of consent prescribed by law for using certain technologies. The legal basis for doing so is founded on Art. 6(1)(1)(c) GDPR.

Third-party processing agreement

We have concluded an agreement with Usercentrics governing the processing of data by a third party. This form of contract is prescribed by the data protection regulations and ensures that Usercentrics only processes personal data belonging to our website users in accordance with our instructions and in compliance with the GDPR.

13. Analysis of user behaviour (web tracking systems; web audience measurement)

No user behaviour is analysed using so-called web tracking systems.

14. Use of plug-ins

a) Google Maps

This website uses the Google Maps service. It is provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Using the Google Maps features requires your IP address to be stored. This information is typically forwarded to a Google server based in the USA and stored there. As the website provider, we have no influence over the transmission of such data.

Google Maps is used in the interest of presenting our range of online services as attractively as possible and enabling locations shown by us on the website to be found without difficulty. This represents a legitimate interest within the meaning of Art. 6(1)(f) GDPR. Where your consent has been obtained as required, data will be processed solely on the basis of Art. 6(1)(a) GDPR; you may withdraw your consent at any time. Data are transmitted to the USA on the basis of the EU Commission’s standard contractual clauses..

Further details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

To learn more about how user data are handled, please consukt Google's privacy policy: https://policies.google.com/privacy?hl=de.

b) YouTube

We use the YouTube.com platform to post our videos and make them publicly available. YouTube is a service offered by a third party with which we are not affiliated, namely YouTube LLC.

Some of our web pages incorporate links or shortcuts to services offered by YouTube. As a general rule, we are not responsible for the content presented on any linked websites. Should you click on a link to YouTube, please note that YouTube stores user-related data (e.g. personal details, IP addresses) in accordance with its own data processing policies and uses such data for business purposes.

YouTube may additionally store various cookies on your end device or use comparable recognition technology (e.g. device fingerprinting). These tools enable YouTube to collect information on its website visitors. The information in question may, for example, be used to collect statistics on video clips, to improve the user experience, and to prevent fraudulent practices.

By being logged in to your YouTube account, you enable YouTube to attribute your Internet surfing behaviour directly to your personal profile. You can prevent this from occurring by logging out of your YouTube account.

YouTube is used in the interest of presenting our range of online services as attractively as possible. This represents a legitimate interest within the meaning of Art. 6(1)(f) GDPR. Where your consent has been obtained as required, data will be processed solely on the basis of Art. 6(1)(a) GDPR; you may withdraw your consent at any time.

Users are actively required to furnish their consent before a connection is established to YouTube. You can withdraw your consent at any time.

The following data are transmitted to third-party providers:

  • IP address
  • Date and time of the request
  • Time zone difference: local time to Greenwich Mean Time (GMT)
  • Content of the request (specific web page)
  • Response status/HTTP response status code
  • Transmitted data volume (in bytes)
  • Website sending the request (link)
  • Browser used
  • Operating system, including its interface
  • Browser software language and version

As soon as you click on an embedded video to start watching and actively confirm your consent, YouTube stores a corresponding cookie on your device. These cookies can be disabled by making corresponding adjustments to the browser settings and add-ons.

Address and link to the third-party's privacy notice:
Google/YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland - Datenschutzerklärung: https://policies.google.com/privacy

15. Collection of other data

a) Contact form

Should you provide personal or business-related data through our website (e-mail addresses, names, postal addresses, etc.), these data will only be used to convey the requested information or for the purposes specified in the form. In the course of this process, your data will be encrypted using SSL software when transmitted to the mail server and protected from being viewed by third parties. The subsequent e-mail is transmitted unencrypted (see Clause 14) The data are not forwarded to third parties. The user is wholly at liberty to decide whether to use the services and service features offered there.

Data category:
Title (optional)
Name (compulsory)
Company (optional)
Street line 1 (optional)
Postcode (optional)
Town (optional)
Country (optional)
E-Mail address (compulsory)
Phone number (optional)
Message (compulsory)

b) Audioconferencing and videoconferening

data processing

Among other things, we use online conferencing tools to communicate with our clients. The specific tools that we use are listed below. Should you communicate with us using an online videoconferencing or audioconferencing tool, your personal data will be collected and processed by us and the provider of the corresponding conferencing tool. At the same time, conferencing tools collect all of the data that you provide/use when employing the tools (e-mail address and/or your phone number). Conferencing tools additionally process the duration of the conference, the start and end (times) of your participation in the conference, the number of participants, and miscellaneous “contextual information” related to the communications process (meta-data). The provider of the tool furthermore processes all of the technical data required in order to perform the online communications. This includes, but is not limited to, IP addresses, MAC addresses, device IDs, the device type, the type and version of the operating system used, the client version, camera type, microphone or loud speakers as well as the type of connection used. Any content exchanged, uploaded, or provided in any other shape or form within the tool will also be stored on the tool provider’s servers. Such content may include, but not be limited to, cloud recordings, chat messages, instant messages, voicemails, uploaded photos and videos; files, whiteboards and other information that is shared while using the service.

Please note that we only have limited influence over the data processing operations performed by the tools used. Our possibilities are largely governed by each provider’s corporate policy. To learn more about how data are processed by conferencing tools, please consult the privacy notice applicable to each of the employed tools, a full list of which is provided below.

Purpose and legal basis

Conferencing tools are used to communicate with prospective or existing contracting parties or to offer our clients specific services (Art. 6(1)(1)(b) GDPR). The tools are additionally employed in general to simplify and expedite communication with us and/or our company (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Where your consent has been obtained, the corresponding tools will be employed on the basis of such consent; you may withdraw your consent at any time with future effect.

Storage period

The data that we directly collect through the videoconferencing and audioconferencing tools will be erased from our systems as soon as you request their erasure or withdraw your consent for data to be stored, or the purpose for which the data are collected ceases to exist. Stored cookies will remain on your end device until you erase them. Statutory data retention periods will remain unaffected. We have no influence over the length of time your data are stored by conferencing tool providers for their own purposes. For further details, please contact the conferencing tool providers directly.

We use the following conferencing tool:

Microsoft Teams
We use Microsoft Teams, a tool provided by the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. To learn more about how data are processed, please consult the Microsoft Teams privacy statement:
https://privacy.microsoft.com/de-de/privacystatement

Conclusion of a third-party processing agreement
We have concluded a third-party processing agreement with the Microsoft Teams provider and fully implement the strict requirements imposed by Germany's data protection authorities when using Microsoft Teams.

16. Newsletter and postal advertising

If you wish to subscribe to the newsletter offered on our website, we require an e-mail address from you as well as certain details that permit us to verify that you are the owner of the e-mail address provided and that you consent to receiving the newsletter. No other data are collected except where voluntarily given. Your data will only be used to send you the requested information and will not be forwarded to third parties.

Data provided in the newsletter contact form are processed solely on the basis of your consent (Art. 6(1)(a) GDPR). You may, at any time, withdraw your consent to your data and e-mail address being stored and the data being used to send the newsletter, by clicking on the “Opt-out” link provided in the newsletter. The lawful nature of the data processing performed until receipt of your withdrawal of consent will remain unaffected.

Until you opt out of the newsletter, we and/or the newsletter provider will store the data needed for you to receive the newsletter and will erase the data from the newsletter distribution list once the newsletter has been cancelled. Data that we have stored for other purposes will remain unaffected.

After you have been removed from the newsletter distribution list, we and/or the newsletter provider may save your e-mail address to a blacklist to ensure that you do not receive any mail shots in future. The data on the blacklist will only be used for this purpose and will not be merged with other data. This is both in your own interest and in our interest of complying with the statutory requirements when sending newsletters (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Storage of your data on the blacklist is not limited in time. You may object to the storage of your data provided that your interests outweigh our legitimate interest.

17. Electronic mail (e-mail)

Information that you send us unencrypted by electronic mail (e-mail) can potentially be read by third parties during its transmission. As a general rule, we also cannot verify your identity and do not know who is actually behind an e-mail address. Basic e-mails therefore do no not guarantee that the communication is legally sound. We use filters (SPAM filters) to counter unsolicited advertising. On rare occasions, these may also erroneously also automatically classify normal e-mails as unsolicited advertising and delete them. We automatically delete e-mails containing malware (“viruses”) without exception.

When sending us messages meriting protection, we recommend either using encryption and signing them to prevent unauthorised parties from accessing and falsifying them during their transmission or sending us your message by conventional post.

Please also let us know whether and how we can send encrypted e-mails in response to your communications. Should you not have any means of receiving encrypted e-mails, we ask you to inform us how you would like us to contact you to respond to your messages meriting protection.

18. Specific information on the job application procedure

Treatment of applicant data

You have the possibility of sending us your job application (e.g. by e-mail or conventional post). Below, you will find information concerning the scope of personal data that we collect, how such data are used and for what purposes. You may rest assured that your data will be collected, processed and used in compliance with the valid data protection regulations as well as all other statutory provisions, and that your data will be treated in strict confidence.

Scope and purpose of data collection

Should you forward your job application to us, we will process your personal data in this context (e.g. contact details and communications data, application documents, notes taken during job interviews, etc.) to the extent required in order to arrive at a decision on whether to employ you. The legal basis for this process under German law is founded on Section 26 of the newly revised Federal Data Protection Act [BDSG] (initiation of employment), Art. 6(1)(b) GDPR (general initiation of contract) and – to the extent that we have received your consent – Art. 6(1)(a) GDPR. You may withdraw your consent at any time. Your personal data will only be forwarded to those individuals within our company who are involved in processing your job application. Should your application be successful, the data that you have submitted will be stored in our data processing systems on the basis of Section 26 of the newly revised BDSG and Art. 6(1)(b) GDPR for the purpose of implementing the employment relationship.

Data retention periods

Should we be unable to offer you a position, you decline an offered job position or withdraw your application, we reserve the right to retain the data you have submitted to us for a period of up to three (3) months from the application process closing (rejection or withdrawal of the application). This is in keeping with our legitimate interests as defined in Art. 6(1)(f) GDPR.

The data will then be erased and any physical application documents destroyed. The above-mentioned retention period especially serves to enable evidence to be submitted in the event of a legal dispute. Where it becomes apparent that the data will be needed beyond expiry of the three-month period (e.g. in light of an imminent or impending legal dispute), the data will only be erased once the purpose for continuing to retain such data ceases to exist.

Longer data retention periods may also apply where you have provided your consent accordingly (Art. 6(1)(a) GDPR) or where legal obligations to retain such data override the erasure of such data.

Should we not make you a job offer and, by implication, you send us an unsolicited job application, the application will be rejected within five (5) days and returned. Your application will not be added to an applicant pool and no personal data will be stored.

Last revised: 27.11.2023