Data Protection Policy

Data Protection Policy for Ostfriesische Tee Gesellschaft GmbH & Co. KG


The requirements of the EU General Data Protection Regulation (hereinafter: GDPR) apply throughout Europe. We wish to inform you about the processing of personal data carried out by our company in accordance with this regulation (cf. Arts 13 and 14 GDPR). Should you have any questions or comments about this Data Protection Policy, please feel free to send them at any time to the e-mail address given in No. 2 or 3.

Table of Contents:

I. Overview

  1. Scope of application
  2. Data controller
  3. Data Protection Officer
  4. Data security


II. Data processing operations in detail

  1. General information on data processing
  2. Accessing the website/application
  3. Contact form
  4. Prize game
  5. Facebook Fan Page / Instagram
  6. Newsletter
  7. Tea orders
  8. Customer account


III. Data subjects’ rights

  1. Right of objection
  2. Right to information
  3. Right of rectification
  4. Right to erasure (“right to be forgotten”)
  5. Right to restriction of processing
  6. Right to data portability
  7. Right of revocation of consent
  8. Right of appeal


IV. Glossary

I. Overview
In this section of the Data Protection Policy, you will find information on the scope of application, the data controller, his or her data protection officer and on data security.

1. Scope of application

On this particular page, we inform you of the type, scope and purpose of the personal data collected by www.messmer.de, which is processed both when you visit this homepage and during other processing under our responsibility, which is not related to this homepage. Data processing by Ostfriesische Tee Gesellschaft GmbH & Co. KG can essentially be divided into two categories:

  • For the purpose of contract processing, all data required for the execution of a contract with Ostfriesische Tee Gesellschaft GmbH & Co. KG will be processed. If any external service providers are also involved in the processing of the contract, e.g., agencies or payment service providers, your data will be passed on to them to the extent necessary in each particular case.
  • When you access the Ostfriesische Tee Gesellschaft GmbH & Co. KG website/application, various pieces of information are exchanged between your terminal device and our server. This may also involve personal data. The information collected in this way is used, inter alia, to optimise our website or to display advertising in the browser of your terminal device.

This Data Protection Policy applies to the following offerings:

  • our online offering available at www.messmer.de
  • whenever otherwise referred to in any of our offerings (e.g. websites, subdomains, mobile applications, web services or third-party integrations), regardless of the way you access or use it.

All of these offerings are also collectively referred to as “Services”.


2. Data controller

The data controller – i.e., the person who determines the purposes and means of processing personal data in connection with the Services – is: Ostfriesische Tee Gesellschaft GmbH & Co. KG, Bosteler Feld 6, 21218 Seevetal, GERMANY, Tel.: +49-(0)4105504-0, Fax: +49-(0)4105 624 -0 2212, E-mail: info@messmer.de

3. Data Protection Officer

You can contact our data protection officer as follows: Contact form: https://www.dsextern.en/enquiries


DS EXTERN GmbH

Dipl.-Kfm. Marc Althaus

Frapanweg 22
D-22589 Hamburg

4. Data security

In order to develop the measures required by Art. 32 GDPR and thus achieve a level of protection appropriate to the risk, we have established the information security standard in conformity with VdS 10000 in our company. The guidelines of VdS 10000 - Cyber-Security for Small and Medium-Sized Enterprises (SMEs) of Schadenverhütung GmbH contain applications and assistance for the implementation of an information security management system as well as concrete measures for organisational as well as technical protection of IT infrastructures. They are designed with the objective of ensuring an adequate level of protection.

II. Data processing operations in detail

In this section of the Data Protection Policy, we inform you in detail about the processing of personal data within the scope of our services. For improved transparency, we organise this information according to specific functionalities of our services. During normal use of the services, different functionalities and thus also different instances of processing may come into play one after the other or simultaneously.

1. General information on data processing
The following applies to all processing operations described below, except as otherwise stated:
a. No obligation to make personal data available
There is neither a contractual nor a statutory obligation to make any personal data available. You are not obliged by law to provide any data.
b. Consequences of failure to provide such data
In the case of necessary data (data marked as mandatory when entered), failure to provide such data will mean that the service in question cannot be rendered. Other than that, failure to provide us with data may mean that our services cannot be provided in the same form and quality.
c. Consent
In various cases, you also have the option of giving us your consent (if necessary for part of the data) to further processing in connection with the processing instances described below. In this case, we will notify you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of consent and about the purposes we pursue with these processing operations.
d. Transfer of personal data to third countries
If we transfer data to third countries, i.e., countries outside the European Union, then such transfer takes place exclusively in compliance with the permissibility requirements regulated by legislation. The permissibility requirements are governed by Arts. 44-49 GDPR.
e. Hosting with external service providers
Our data processing is carried out to a large extent using what are known as hosting service providers, who provide us with storage space and processing capacity in their data centres and also process personal data on our behalf according to our instructions. These service providers either process data exclusively in the EU or we have guaranteed an adequate level of data protection with the aid of the EU standard data protection clauses.
f. Transfer to government authorities
We transfer personal data to government authorities (including law enforcement authorities) if this is necessary for the fulfilment of a legal obligation to which we are subject (legal basis: Art. 6 (1) c) GDPR) or it is necessary for the assertion, exercise or defence of legal claims (legal basis: Art. 6 (1) f) GDPR).
g. Storage period
We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required for compliance with contractual or statutory obligations, such data will generally be erased unless their further storage subject to time limits remains necessary for the following reasons, e.g.:

  • fulfilment of retention obligations under commercial and tax law
  • obtaining evidence for legal disputes within the scope of the statutory limitation provisions


It is likewise possible for us to continue storing your data with us subject to your express consent to such storage.

h. Categories of recipients
In addition to the categories of recipients explicitly listed below, personal data will also be transferred to the following categories of recipients: shipping service providers, telephone service and fax providers.
i. Data categories

  • Account data: Login/user ID and password
  • Personal master data: Title, salutation/gender, first name, surname
  • Address data: Street, building number, addenda to addresses, if any, postal code, location, country
  • Contact data: telephone no., e-mail address(es)
  • Login data: Information about the service through which you have registered; timing and technical information about registration, confirmation and deregistration; data provided by you when registering
  • Ordering data: Products ordered, prices, payment and delivery information
  • Payment data: Data on other payment services such as Paypal, Concardis, bookingkit
  • Access data: Date and time of visiting our service; the page from which the accessing system arrived at our site; pages accessed during use; data for session identification (session ID); in addition, the following information of the accessing computer system: Internet Protocol (IP) address, browser type and version, device type, operating system and similar technical information.
  • Free text: all entries are possible

2. Accessing the website/application

This describes how we process your personal data when you access our services. In particular, we point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functioning of information transmission on the Internet.

Cookies/services used

Information on the cookies/services we use can be found under “Cookie settings”.

a. Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Access data | Establishing connections, displaying the contents of the service, detecting attacks on our site based on unusual activities, diagnosing errors (‘trouble-shooting’) | Art. 6 (1) lit f) GDPR | proper functioning of services, security of data and business processes, prevention of misuse, prevention of damage due to interference with or interventions within information systems | Max. 1 day |

b. Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Hosting service provider(s) | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |
| IT security service provider(s) | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |
| Agencies | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |


3. Contact form

We describe here what happens to your personal data in connection with the use of our contact forms:

a. Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Contact details (mandatory) | Enquiries from customers and interested parties | Art. 6 (1) lit f) GDPR | Processing of the enquiries submitted | 1 year |
| Personal master data | Personalisation of enquiry processing | Art. 6 (1) lit f) GDPR | Personalisation of enquiry processing; possible delivery in the case of e.g.: Replacement delivery, information material... | 1 year |
| Address data (mandatory in case of complaints) | Postal dispatch | Art. 6 (1) lit f) GDPR | Delivery option in the case of e.g.: Replacement delivery, information material... | 1 year |
| Free text (mandatory field) | Information on request made | Art. 6 (1) lit f) GDPR | Processing of the enquiries submitted | 1 year |
| Categorisation of enquiry (mandatory field) | Assignment of the enquiry | Art. 6 (1) lit f) GDPR | enables accelerated processing | 1 year |
| LOT number (mandatory for complaints) | Assignment of the enquiry | Art. 6 (1) lit f) GDPR | enables accelerated processing | 1 year |
| Use-by date / best-before date (mandatory in case of complaints) | Assignment of the enquiry | Art. 6 (1) lit f) GDPR | enables accelerated processing | 1 year |
| Product selection (in case of complaints) | Assignment of the enquiry | Art. 6 (1) lit f) GDPR | enables accelerated processing | 1 year |

4. Prize game

How we process your personal data when you participate in our prize draws can be found here:

a. Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Personal master data (mandatory field) | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Reducing misuse | No later than 6 months after the end of the prize draw |
| Contact details (e-mail mandatory field) | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Notification of successful participation and winner(s) | No later than 6 months after the end of the prize draw |
| Address data (mandatory field for giveaway campaigns, for the rest of the prize draws, winners need to be asked for their address data) | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Sending the prize drawn | No later than 6 months after the end of the prize draw |
| Promotion code and/or proof of purchase (mandatory) | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Successful participation in prize draw, verification of eligibility to take part | No later than 6 months after the end of the prize draw |
| Selection of prize drawn (mandatory field) | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Personalisation of prizes | No later than 6 months after the end of the prize draw |
| Free text field | Execution of a prize draw | Art. 6 (1) lit f) GDPR | Processing of the enquiries submitted | No later than 6 months after the end of the prize draw |


b. Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Cooperation partner for prizes | All under a) | Processing on behalf of a controller (Art. 28 GDPR) | |
| Agencies | All under a) | Processing on behalf of a controller (Art. 28 GDPR) | |


5. Facebook Fanpage / Instagram

Instagram presence

At https://www.instagram.com/messmer_tee/, we operate a presence on the platform “Instagram.com”, in turn operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”). The Instagram privacy policy is available here: https://help.instagram.com/519522125107875/

Access to and each interaction on our Instagram website leads to personal data being processed, and it makes no difference whether you have an account with Instagram or Facebook or not.

If you are logged in with your Facebook account while accessing our Instagram website, Facebook - as operator of Instagram and/or its affiliated companies - may combine the information about access to our Instagram website with your account information and may use this to create profiles. If you do not wish to be profiled in this way, please log out before accessing our Instagram website.

Facebook provides us with statistical data on the use of our Instagram website via the “Instagram Insights” function. This is data such as gender, age range, page views, interactions, paid activity information, reach accounts accessed, impressions and impressions per day. The following is important to know: From such data, we cannot conclude that individual visitors have accessed our Instagram website. Our use of the data generated by “Instagram Insights” is based on Article 6 (1) f) GDPR, with our legitimate interests being to make our Instagram presence more attractive and to provide it with content that is relevant to various interests.

As we and Facebook are jointly responsible for the processing of your data on our Instagram website, we have entered into an agreement with Facebook, the content of which you can view here: https://www.facebook.com/legal/terms/page_controller_addendum.

As a data subject, you are entitled to the rights set out in section III of this data protection policy. You can choose to assert these against us (see section 1.2 above), or directly against Facebook at https://help.instagram.com/contact/186020218683230. If you assert your rights against us, we will forward your enquiries in accordance with our agreement with Facebook.

Facebook Fanpage

At https://www.facebook.com/messmer.tee we operate a presence on the platform “Instagram.com”, in turn operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”). Facebook's privacy policy can be found at: https://www.facebook.com/about/privacy

Access to and each interaction on our Facebook Fanpage leads to personal data being processed, and it makes no difference whether you have an account with Facebook or not.

If you are logged in with your Facebook account while accessing our Instagram website, Facebook - as operator of Instagram and/or its affiliated companies - may combine the information about access to our Instagram website with your account information and may use this to create profiles. If you do not wish to be profiled in this way, please log out from your Facebook account before accessing our Facebook Fanpage.

Facebook provides us with statistical data on the use of our Facebook Fanpage via the “Facebook Insights” function. This is data such as gender, age range, page views, interactions, paid activity information, reach accounts accessed, impressions and impressions per day. The following is important to know: From such data, we cannot conclude that individual visitors have accessed our Facebook website. Our use of the data generated by “Facebook Insights” is based on Article 6 (1) f) GDPR, with our legitimate interests being to make our Facebook presence more attractive and to provide it with content that is relevant to various interests.

As we and Facebook are jointly responsible for the processing of your data on our Facebook presence, we have entered into an agreement with Facebook, the content of which you can view here: https://www.facebook.com/legal/terms/page_controller_addendum.

As a data subject, you are entitled to the rights set out in section III of this data protection policy. You can choose to assert these against us (see section 1.2 above), or directly against Facebook at https://help.instagram.com/contact/186020218683230. If you assert your rights against us, we will forward your enquiries in accordance with our agreement with Facebook.

6. Newsletter

We describe here what happens to your personal data in connection with a subscription to our newsletter:

a. Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| E-mail address (mandatory) | Verification of login (double opt-in procedure), newsletter delivery | | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is erased after 1 month) |
| Personal master data (name) | personal address of the recipients | Art. 6 (1) lit a) GDPR | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is erased after 1 month) |
| Access data (IP address only), contact data (mail address only) | Interest-oriented design of the newsletter, evaluations of newsletter openings, unsubscribe rate, bounce rate | Art. 6 (1) lit a) GDPR | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is erased after 1 month); data is anonymised for evaluation purposes. |

Unsubscribing from the newsletter is possible at any time and can be done via a link provided to this end in the newsletter.

b. Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Service provider(s) for newsletter creation and dispatch | all data mentioned under a | Processing on behalf of a controller (Art. 28 GDPR) | |


7. Tea orders

The following information describes how your personal data is processed when you order tea via our shop.

7.1 Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Personal master data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Contact details | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Address data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Ordering data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Payment details | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |

7.2 Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Payment service provider(s) | All of the above mentioned under 2.5.1 | Contract (Art. 6 (1b) GDPR) | |


8. Customer account

The following information describes how your personal data is processed when you register for a customer account.

8.1 Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Account data | Secure access to the customer account | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Personal master data | Operating a customer account | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Contact details | Operating a customer account | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Address data | Billing and delivery address management | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Ordering data | Order history, order status | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Payment details | Management of payment options | Consent (Art. 6 lit 1a GDPR) | - | Until revocation or deregistration of the customer account |
| Login/logoff data | Traceability of the account registration/confirmation/deregistration | Safeguarding legitimate interests (Art. 6 (1) letter f GDPR) | Proof of successful account registration/confirmation/deregistration | Until revocation or deregistration of the customer account (deregistration data, unlimited to meet accountability requirements) |

III. Data subjects’ rights
1. Right of objection
If we process your personal data for the purpose of direct marketing, you have the right to object at any time with future effect to the processing of personal data concerning you for the purpose of such marketing, insofar as it is related to such direct marketing.

You also have the right to object, on grounds relating to your particular situation, at any time with effect for the future, to the processing of personal data concerning you which is carried out pursuant to Art. 6 (1) letter e) or f) GDPR.

You can exercise the right of objection free of charge.

You can reach us via the contact details mentioned under I.2.


etracker

The provider of this website uses services of etracker GmbH from Hamburg, Germany (www.etracker.com).
The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection legislation and standards. etracker has been independently audited in this respect, certified and awarded the data protection seal of quality ePrivacyseal.

The data processing is carried out on the basis of the legal provisions of Art. 6 para. 1 lit. f (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interest) is the optimisation of our online offer and our web presence. As the privacy of our visitors is important to us, data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymised or pseudonymised as soon as possible. No other use, combination with other data or disclosure to third parties will take place.

You can object to the aforementioned data processing at any time. Such objection has no adverse consequences.



You can find more information on data protection at etracker here.


2. Right to information
You have the right to know whether personal data concerning you is processed by us, which personal data this is, if any, as well as further information according to Art. 15 GDPR.

3. Right of rectification
You have the right to request that we rectify any inaccurate personal data relating to you without undue delay (Art. 16 GDPR). Taking account of the purpose of processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.

4. Right to erasure (“right to be forgotten”)
You have the right to request that we erase personal data relating to you without undue delay, provided one of the reasons set out in Art. 17 (1) GDPR applies and processing is necessary for one of the purposes stipulated in Art. 17 (3) GDPR.

5. Right to restriction of processing
You are entitled to request a restriction in the processing of your personal data if one of the conditions stipulated in Art. 18 (1) letters a) to d) GDPR is met.

6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. Moreover, you have the right to transmit such data to another Controller without hindrance by us or to arrange for direct transmission by us to take place, provided that this is technically feasible. This should always apply if the basis of the data processing is consent or a contract and the data is processed automatically. Accordingly, this does not apply to data available in paper form only.

7. Right to revocation of consent
Insofar as the processing is based on your consent, you have the right to withdraw such consent at any time. The lawfulness of data processed on the basis of your consent until the time of revocation shall not be affected.

8. Right of appeal
You have a right of appeal to a supervisory authority.

IV. Glossary
Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.

Browser: Computer program for displaying web pages (e.g., Chrome, Firefox, Safari).

Cookies: The term “cookie” has its origins in the English vocabulary and its original meaning can be translated into German as “Keks”. In the context of the World Wide Web, however, a cookie describes a small text file that is stored locally on users’ computers when they visit a website. This file stores data about the users’ behaviour. If the browser is accessed and the corresponding website is visited repeatedly, the cookie is used and, with the aid of the data stored, provides the web server with information about the users’ surfing behaviour.

Cookies in this context are not ‘real’ cookies, but information that a website stores locally on the visitor’s computer in a small text file. This can include settings already made by the user on a page, but also information that the website has collected completely independently from the user. These locally stored text files can later be read from the same web server from which they were created. Most browsers accept cookies automatically. You can manage cookies using the browser functions (mostly under “Options” or “Settings”). This may disable the storage of cookies, make it dependent on your consent in individual cases or otherwise restrict it. You can also delete cookies at any time.

Third countries: A country which is not bound by the legal requirements of the EU General Data Protection Regulation (country outside the EEA).

Personal data: All information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Services: Our offers to which this data protection policy applies (see scope of application).

Processing: Any operation or set of operations performed in connection with personal data, whether or not by automatic means, such as collection, recording, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Seevetal, 01.09.2021