1. Responsible Body
The responsible body for the processing of personal data is:
Mister Spex AG,
Greifswalder Straße 156,
Customer Service: +49 (0)800 472 54 57
Our Data Protection Officer may be contacted as follows:
Mister Spex AG,
- Data Protection Officer of Mister Spex AG -
Greifswalder Straße 156,
2. Purposes of Data Processing, Legal Bases, Legitimate Interests and Categories of Recipients
a) Data Processing upon the Conclusion of a Contract
We collect, store and process personal data exclusively in accordance with the valid legal stipulations and inasmuch as this should be necessary and requisite for the fulfilment of the contractually assumed performance obligations between ourselves and the user or for the provision of the products ordered. This comprises:
- First Name, Family Name
- Invoice and Delivery Address
- E-Mail Address
- Invoice and Payment Data
- Date of Birth
- Telephone Number (optional)
Should you purchase contact lenses or corrective spectacles from us, we also gather and store your correction values.
The legal basis for this is Art. 6 Para. 1 lit. b) General Data Protection Regulation (GDPR) as the collection of these data is necessary for the fulfilment of our contract or in order to implement pre-contractual measures. The legal basis for collecting the date of birth is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the dispatching of e-mails on your birthday, customer segmentation with subsequent direct advertising and guaranteeing your creditworthiness in the context of the credit assessment. Should you have given us your telephone number we may use this in order to contact and support you in the ordering and contract processing procedures. The legal basis for this is Art. 6 Para. 1 lit. b) GDPR.
We shall store your data as long as you uphold an active business relationship with us. After the termination of the said business relationship we shall archive the information pertaining to the contractual relationship according to commercial and tax laws for the statutorily determined periods of six and ten years respectively. Personal data that is not subject to these archiving obligations will be deleted immediately on termination of the business relationship.
Your personal data shall be forwarded by us to service providers deployed in the context of carrying out the order. These are: payment services providers, logistics companies, providers of a ticket system for customer services, cloud service providers and newsletter dispatchers. We also send your e-mail address to the logistics company commissioned by us in order to ensure that the goods are dispatched in accordance with your wishes. The logistics company will be contacting you in the run-up to the delivery, in order to inform you of the time of delivery or to agree particulars of the delivery with you. The data shall be transmitted solely for this purpose. The transmission shall follow for this purpose and in our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR in order to guarantee as smooth a delivery as possible. You may object to this transmission with future effect by sending a relevant notification to the contact named in Figure 1.
b) Accessing our website/application
When you access our website, information will automatically be sent to the server of our website by the browser being used on your terminal device and stored temporarily in a so-called log file. The following information will thereby be collected without any activity on your part and stored until they are deleted automatically:
- the IP-address of the inquiring internet-capable device,
- the date and time of access,
- the name and URL of the file accessed,
- the website/application from which the access had been effected (referrer URL),
- the browser used by you and, if need be, the operating system of your internet-capable computer and the name of your access provider.
The legal basis for the processing of the IP-address is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest derives from the purposes of the data collection listed:
- guaranteeing the smooth establishment of a connection,
- guaranteeing comfortable use of our website,
- assessment of system security and stability,
- other administrative purposes.
The data will be stored for a period of 30 days and subsequently deleted automatically. Furthermore, we use so-called cookies, tracking tools and targeting processes on our website. Exactly which processes are involved and the manner in which your data is used for this purpose are explained in more detail below.
Inasmuch as you, in your browser, operating system or other settings of your terminal device, should have agreed to so-called geo-localisation, we shall use this function in order to be able to display services relating to your current location (e.g. our nearest store). We shall be using your location data processed in this manner exclusively for this function. Upon ending your usage, the data will be deleted.
c) Other Data Collection on our Site
i. Customer Account
When you place an order, you may also open a customer account at the same time. You may also set up a digital account in our store. The setting up of such an account and thus the conclusion of a usage agreement pertaining to the setting up of the customer account is voluntary and effected on the basis of Art. 6 Para. 1 lit. b) GDPR. The customer account may be cancelled at any time; a notification in text form (e.g. e-mail, fax, letter) shall suffice for this. Subsequent to a cancellation, we shall delete your data completely unless the processing thereof should be legally permitted or accord with the following regulations.
As long as your customer account exists, the data that you have communicated in connection with your orders will be stored there in addition to those orders. You have the right to demand information concerning the data stored in your customer account at any time. Access to your customer account is only possible after the entry of your personal password. You should always treat your access information as confidential and close your browser window after ending your communication with us, particularly if you share usage of the computer with others.
You may also order from us without opening a customer account. If you wish to do so, simply select the option “order as a guest”. Inasmuch as you should order from us without a customer account, we shall process your data as described in the above for the fulfilment of the purchasing contract and for guarantee purposes. We shall furthermore process your data in order to shape our offer specifically in accordance with your needs. You may object to this processing at any time by sending a written message to the contact address specified in Figure 1.
ii. Contact Establishment by You
In order to establish contact with us you may choose from a variety of communication paths. Contact establishment is voluntary and the collection of data effected on the basis of our legitimate interest in being able to contact you on the basis of your inquiry, Art. 6 Para. 1 lit. f) GDPR. In this context we request that you communicate to us certain data such as your name and/or your e-mail address. This serves the exclusive purpose of being able to identify you without any doubt, to process your concern and to thus be able to inform and advise you in accordance with your wishes. The data will be deleted after the statutory storage obligations have expired.
iii. Digital Spectacles Fitting
We offer you the possibility of comfortably trying on your spectacles at home online by way of 2D or 3D fitting. To this end you may either upload your photograph or use your webcam. The digital spectacles fitting is voluntary and the data are collected on the basis of our legitimate interest in being able to offer you the corresponding service, Art. 6 Para. 1 lit. f) GDPR. In the case of the 3D fitting, we make use of an external provider in order to implement the service, Ditto Technologies Inc. We use the photographic/video material you supply solely in order to be able to offer you our service. Video material is deleted immediately, an uploaded photograph automatically after 14 days.
iv. Particularly Sensitive Data
In order to protect particularly sensitive data including your payment data, we use the so-called SSL-protocol (Secure Sockets Layer), by way of which your personal data are submitted in encrypted form.
If the payment method credit card is selected, you add a link to your customer account to your credit card information in order not to have to enter said credit card information again when placing further orders. The storage of this link is carried out in accordance with our legitimate interest and for the purpose of offering you this comfort function and is based upon Art. 6 Para. 1 lit. f) GDPR. We do not additionally store your credit card data as a basic principle. The storage and processing of the credit card information is undertaken by our PCI-DSS-certified payment services provider PAYONE GmbH, Fraunhoferstraße 2-4, D-24118 Kiel, Germany. In order to pre-empt misuse in cases of unauthorised access, the complete credit card number is never visible in your customer account. Should you wish to delete a credit card from your customer account you may do so on the site “Payment”. Please note that if you choose this payment option we may contact you and for verification purposes request that you send us a form of identification. This serves our legitimate interests pursuant to Art. 6 Para. 1 lit. f) GDPR for the protection of ourselves and you against credit card fraud. We will only use the proof of identity that you send to verify your identity and will delete it after the legal retention period has expired.
v. Voucher offers of Sovendus GmbH
In order to select a currently interesting voucher offer for you, we will transmit your pseudonymised hash value of your e-mail address and your IP-address in encrypted form to Sovendus GmbH, Moltkestrasse 11, D 76133 Karlsruhe (Sovendus) (Art. 6 par. 1 f GDPR). The pseudonymised hash value of your e-mail address is used to consider a possibly existing objection to receive offers from Sovendus (Art. 21 par.3, Art. 6 par. 1 c GDPR). The IP-address will be exclusively used for data security purposes and as a rule the same will be anonymised after seven days (Art. 6 par. 1 f GDPR). Furthermore, we will transmit order number, session ID, coupon code, and time stamp in pseudonymised form to Sovendus for billing purposes (Art. 6 par. 1 f GDPR).
You will find further information about the processing of your data by Sovendus in their Online Data Protection Notice at www.sovendus.co.uk/privacy_policy.
vi. Integration of the Trusted Shops Trust Badge
The Trusted Shops Trust Badge is integrated on this website to display our Trusted Shops seal of approval and the possibly collected evaluations, as well as to offer Trusted Shops products to buyers after an order is placed. This serves to safeguard our legitimate interest in accordance with Art. 6 para. 1 lit. f) within GDPR for optimal marketing of our offer within the scope of a balancing of interests. The trust badge and the services advertised with it are an offer of the Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. When the trust badge is activated, the server automatically stores a so-called server log-file, which contains, for example, your IP address, date and time of retrieval, amount of data transmitted and the requesting provider (access data) that contains and documents the call. This access data will not be evaluated and automatically overwritten within seven days after the end of your page visit. Other personal data (order number, hashed e-mail address, sum, currency, payment method) will only be transferred to Trusted Shops if you decided to use Trusted Shops products after completing an order or if you have already registered. In this case, the contractual agreement between you and Trusted Shops applies.
vii. Mention me
viii. Trustpilot rating service
We use the rating service of Trustpilot A/S, Pilestræde 58, 3rd floor, 1112 Copenhagen K, Denmark ("Trustpilot"). By clicking on the corresponding link, you will be redirected to Trustpilot's platform, where you can leave a rating for our shop. Only when you actually click the link will we forward your hashed email address, name, and customer number for verification purposes, based on our legitimate interest, as per Art. 6 para. 1 lit. f) GDPR. The submission of a rating is voluntary. Details regarding data collection by Trustpilot on their platform can be found here: https://uk.legal.trustpilot.com/end-user-privacy-terms
We have also integrated the Trustpilot widget to display the reviews collected. This serves to protect our legitimate interests within the context of a weighing of interests as per Art. 6 para. 1 lit. f) GDPR on the optimal marketing of our offers. The running of the widget automatically sends the IP address to the server, but it is then deleted immediately.
3. Processing of your Data for Advertising Purposes
In addition to processing your data for the purpose of implementing the contracts concluded with us, we also use your data in order to exchange information with you concerning your orders, to communicate with you concerning certain products or marketing actions and to be able to recommend products or services that might be of interest to you. The duration of the storage of data for advertising purposes is oriented towards the question of whether the data is necessary for advertising. This is to be assumed in the case of registration for the newsletter until such time as consent is revoked as well as for the duration of an active business relationship.
a) Advertisement by mail
In case you concluded a contract with us and are therefore a regular customer, we process your postal contact data without your explicit consent in order to inform you about new products and offers. The legal basis for this usage is to be found in Art. 6 Para. 1 lit. f) GDPR. We engage a service provider to send out advertisement by mail.
b) Dispatching of the Newsletter
We offer you the possibility of registering for our newsletter. In order to be able to be certain that no errors have been made in entering your e-mail address we use the so-called double opt-in procedure: after you have entered your e-mail address in the registration field we will send you a confirmation link. Your e-mail address will not be included on our circulation list until you have clicked on this confirmation link. The processing of your electronic contact data for this purpose is thus effected solely on the basis of your consent (Art. 6 Para. 1 lit. a) GDPR); these data will be stored until your consent is revoked. You may revoke your declared consent at any time with future effect without giving any reasons. For this purpose, you may either click on the relevant link in every newsletter or send a short notification by e-mail to the e-mail address indicated under Figure 2. You can also access the de-registration form for the dispatch of the newsletter here.
c) Service and Product Information
Should we receive your e-mail address in the context of ordering goods from our online shop, we shall use said e-mail address, until revocation, in order to inform you via service and product information mails of similar products that could be of interest to you (e.g. concerning the content of your shopping basket). We shall only use your e-mail address for such purposes, however, if you have not objected to this usage. You may object at any time by sending a message to the e-mail address indicated under Figure 1 without giving any reasons and without incurring any costs other than the transmission costs according to the basic tariffs. The legal basis for this usage is to be found in Art. 6 Para. 1 lit. f) GDPR.
d) Interest-related Advertising
We endeavour to make our online shop as attractive as possible for you and to optimise the said shop. In order that you only receive such information you may be interested in, we categorise and supplement your customer profile with additional information. For this purpose, both statistical information as well as information relating to your person (e.g. basic data of your customer profile) are used. The aim is to be able to send you only advertising that is oriented towards your actual or supposed requirements and accordingly not to bother you with useless advertising.
The legal basis for the aforementioned types of processing is in each case Art. 6 Para. 1 lit. f) GDPR. The processing of regular customers’ data for our own advertising purposes is to be regarded as a legitimate interest.
You may object to data processing for the aforementioned purposes at any time at no cost, separately for each respective communications channel and with future effect. For this purpose, an e-mail or a letter sent by post to the contact data indicated under Figure 1 shall suffice.
4. Online Presence and Website Optimisation
a) General Tips pertaining to Cookies
We use so-called session cookies in order to be able to tell that you have already visited individual sites on our website or that you have already registered with your customer account. These files are automatically deleted when you leave our site. Additionally, we also use temporary cookies for reasons of user friendliness, which are stored on your terminal device for a certain predefined period of time. Should you visit our site once again in order to avail yourself of our services, it is automatically established that you had already visited us and which entries and settings you had made, so that it is not necessary to enter these again.
If you register with us in order to make a purchase, the information stored in the cookies will be assigned to your account with us.
Another reason why we deploy cookies is to statistically register the usage made of our website and in order to be able to assess the optimisation of our offer to you and to blend in information specifically tailored to yourself. These cookies enable us to automatically establish that you had already visited us in the past. These cookies are deleted automatically after a predefined time set in the respective case has elapsed. Most browsers accept cookies automatically. You may, however, configure your browser in such a way that no cookies are stored on your computer or that a warning always appears before a new cookie is created. Full deactivation of cookies may, however, result in your not being able to use all the functions of our website. The length of time for which the cookies are stored depends upon the purpose for which they are used and is not the same for all.
b) Tracking and Website Analysing Tools
On the basis of your consent pursuant to Art. 6 para. 1 lit. a) GDPR, cookies are set in order to analyse your usage behaviour and to design the individual surfing experience for you. We are using the following tools. At the same time this also represents the legitimate interest we are pursuing hereby.
i. Google Analytics
The collection and storage of the data may be objected to at any time with future effect by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout. In light of the discussion concerning the deployment of analysing tools with complete IP-addresses, we wish to point out that this website deploys Google Analytics with the extension "_anonymizeIp()" and that, therefore, IP-addresses are only further processed in shortened form in order to exclude direct references to specific persons.
We use the services of Webtrekk GmbH. Webtrekk GmbH is a company resident in Germany, Robert-Koch-Platz 4, D-10115 Berlin that collects, stores and analyses usage data. It is certified for data protection in the field of web controlling in Germany after its data processing was reviewed for data protection conformity and data security. If you use our websites, Webtrekk GmbH sets a cookie. This enables the collection, storage and analysis of usage data by Webtrekk GmbH. The usage data are anonymised by way of shortening the IP-address. It is therefore also not possible for Webtrekk to trace you as a visitor to our websites. The shortened IP-address shall be used solely for the purpose of session recognition and geo-localisation (down to city level). Further information pertaining to data protection at Webtrekk may be found under www.webtrekk.com/uk/legal/opt-out-webtrekk. In order to deactivate Webtrekk and exclude the collection of usage data, a cookie (called “webTrekkOptOut”) must be set by clicking on this link. If this cookie has been set the usage data will not be collected.
iii. Other Tools
We use the services of Dynamic Yield Ltd. By means of the personalisation tool Dynamic Yield, our web offer is optimised in order to turn your visit to the website into a personal experience by way of tailor-made recommendations and content. We thereby use the content of the pages accessed by you in order to recommend other pages with relevant content to you. For this purpose, Dynamic Yield collects pseudonymised information pertaining to your usage of our site. Cookies are thereby used with the aid of exclusively pseudonymised information, which is stored under a randomly generated ID (Pseudonym). A direct personal reference is thus not possible. You can revoke your consent to the collection at any time by clicking on this link and activating the opt-out. An opt-out cookie will be set to prevent the future collection of data from your visit to this website.
Furthermore, we use the web analysis service Hotjar provided by Hotjar Ltd. With the aid of Hotjar, we are able to analyse the click and scroll conduct in our shop after anonymisation in order to offer you an improved user experience based upon the results thereof. The data collected do not contain any personal references. The data collection by Hotjar can be stopped at any time with effect for the future by clicking on this link and activating the opt-out function by revoking your consent.
We also use the monitoring service Pingdom provided by the Swedish company SolarWinds Worldwide, LLC. This tool enables an analysis of the loading conduct and availability of our website. For this purpose, cookies are set. You can prevent this by changing the appropriate settings in your browser. You may find the data protection declaration of Pingdom here.
The targeting measures listed below and used by us are carried out per Art. 6 para. 1 lit. a) GDPR, on the basis of your consent. By way of the targeting measures deployed, we wish to ensure that only advertising oriented towards your actual or supposed interests is displayed to you on your terminal devices. That you should not be bothered by irrelevant adverts is in both your interest as well as our own.
i. Google Adwords
We use Microsoft Corporation's Bing Conversion Tracking. When you click on a Bing advertisement, a cookie is set that allows both Bing and us to see that you have reached our homepage via a Bing advertisement. Your encoded IP address is also stored. No personal data is transmitted. To deactivate Bing, please click on this link. You can find Microsoft's privacy statement here: privacy.microsoft.com/de-de/privacystatement.
iv. Emarsys Web Extend
We use the Web Extend Feature from Emarsys eMarketing Systems AG. This tool collects information about your visit to our website, for example concerning your search history, the types of products you have looked at, or the date and time of your visit. Cookies are set for this purpose. The information is stored only in pseudonymous form and is intended only to enable advertisements tailored to your interests to be sent to you. If you don't want this, please click here. An opt-out cookie will be set that prevents the future collection of your data.
We use All Response Media Ltd. for our analysis and optimisation and they utilise your non-personal data to plan and optimise media campaigns to most effectively deliver our marketing strategies and ensure the ads that you receive from us are relevant to you. They do this through analysis and targeting cookies.
We cooperate with AWIN AG in order to make the online offer on our site more interesting for you. To this end, cookies from AWIN (so-called Third-Party Cookies) are also set when our site is visited. In these cookies information pertaining to your user conduct and your interests while visiting our site is stored using pseudonyms. In part, information is also collected here that has previously been generated during visits to other sites prior to the visiting of our site. On the basis of this information, interest-related adverts from our advertising partners are displayed to you. No personal data are stored and neither are any user profiles combined with personal data relating to yourself. You can disable interest-based advertising by clicking on this link and using the opt-out function.
The following applies to all tools: in addition to the deactivation methods described you may also generally suppress the targeting technologies explained by a corresponding cookie setting in your browser (cf. general tips on cookies). Please note that this setting will only apply to the respective browser on the respective terminal device. If you delete your cookies the opt-out cookie will also be removed.
5. Recipients outside the EU
The following recipients have their head offices outside the European Union: Zendesk Inc. (ticket system for our customer service), Ditto Technologies Inc. (Digital Spectacles Fitting) as well as providers of tracking or targeting technologies. The transmission of data is effected in accordance with the principles of the so-called privacy shield.
6. Storing the Contract Text
We store the contract text and send you the order data by e-mail after conclusion of the order process.
7. Minimum Age
The protection of minors is a particular concern of ours. We only process orders from persons who, at the time of placing the order, have attained the age of 18. For this reason, we also collect information concerning your date of birth for verification purposes when an order is placed.
8. Rights of the Users
a) Revocation of Consents
Inasmuch as you, in the context of using the website or acquiring products, have granted consent to the collection, storage and usage of personal data, you may revoke said consent at any time. The revocation shall not affect the legality of any data processing that has already taken place. The revocation may be sent by e-mail or in writing to the contacts specified under Figure 1. The effects of the revocation are restricted to the storage and usage of personal data that may not already be stored and used without your consent on the basis of statutory permissions.
You can revoke your consent at any time with effect for the future by clicking on this link.
b) Information, Correction, Deletion, Restriction, Data Portability
On the basis of a written request or one communicated in text form we provide you at any time in accordance with Art. 15 GDPR with information as to which personal data relating to yourself are stored with us. You also have at any time the possibility of having your personal data corrected by us in accordance with Art. 16 GDPR. Should the prerequisites of Art. 17 GDPR be given, you have a right to deletion. Under the prerequisites of Art. 18 GDPR you may request that the processing of the data stored with us in accordance with Art. 18 GDPR is restricted. Furthermore, under the prerequisites of Art. 20 GDPR, you have a right to data portability. Should the processing of your data be based upon Art. 6 Para. 1 lit. e) or f) GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. Please address yourself to the body referred to in Figure 1. You also have the right, in accordance with Art. 22 GDPR, not to be subjected to any decisions based exclusively upon automated processing – including profiling - that unfold legal effect against you or considerably impair you in any similar manner. You also have the possibility of complaining to the supervisory authority responsible for you.
9. Your Obligation to provide Data
As a fundamental rule, you are not subject to any contractual or statutory obligation to provide us with personal data. However, should you not provide the personal data we ask for in either the registration or sales process that are marked as compulsory fields, we may not be in a position to conclude a contract with you.
10. Existence of an automated Decision-making Process
We do not make use of any decisions based exclusively upon automated processing – including profiling - that unfold legal effect against you or considerably impair you in any similar manner.
As of: January 2020