According to Art. 4 (1) of the European Economic Area’s General Data Protection Regulation (“GDPR”), ‘personal data’ means any information relating to an identified or identifiable natural person. Examples include name, home address, telephone number, email address, date of birth, account number, credit card number, username, or any other type of information that may be used to identify a person.
1. Visiting Our Website
You don’t have to provide any personal information in order to visit our website. However, each time you go to one of our pages, your browser “requests” the page from the server where it is hosted, automatically sending to the server the following information:
- your IP address,
- date and time of the server request,
- name and URL of the web page you’re visiting,
- status code indicating whether the request was successful,
- the number of bytes transferred,
- your operating system and browser type,
- if applicable, the address of the website (e.g. a search engine) from which you accessed our web page by clicking on a link (“referrer”).
Our hosting provider records these server requests in a log file for both technical and security reasons until automated deletion. We use it in order to identify technical problems, to display our site in a version that is optimized for your device, and to improve stability and functionality of the site. We reserve the right to examine log files in case there are concrete indications of illegal use. The legitimate interest for storage and processing of the log files arises from Art. 6 (1) lit. f GDPR.
You can prevent the transmission of your IP address by accessing our web pages via so-called proxy servers or a virtual private network (VPN). The VPN provider redirects your web traffic via its own servers so that, instead of your IP address, we receive only the VPN provider’s IP address. Please note, however, that your IP address may be visible to the VPN provider.
Depending on the browser you are using, you may also be able to turn off the transmission of the referrer. This requires either changes in the browser’s settings or the installation of additional software (browser extensions/add-ons).
2. Orders and Registration
When you order a product from our store, we must collect the following information for invoicing, delivery and payment processing: name, delivery address, email address and your payment details. The necessary data is forwarded to the service partners that we use to fulfil your order and payment, namely the logistics/transport company and the bank or payment processing provider. The legal basis for the collection and use of this data is Art. 6 (1) sentence 1 lit. b GDPR.
You don’t have to register with us in order to place orders or to just browse the online store. Registration is optional and only serves to improve our customers’ shopping experience. Registered customers need to provide their invoice and delivery information only once and can create lists with goods for future purchases. By registering, you give us your consent, based on Art. 6 (1) lit. a GDPR, to store your data in a customer database, and to use it for your future orders (including those not placed via the online store). Of course, you can update your information or cancel the registration at any time.
Customers without a registered account must re-enter the necessary billing, delivery and payment information with every new order.
When you place an order, we store the provided information in accordance with Art. 6 (1) lit. c GDPR for as long as we are legally obliged to by tax and commercial laws, and delete it after these obligations expire. In the meantime, the data is blocked from further use.
We use both session and tracking cookies. The purpose of the session cookie is to identify a user across multiple page visits within a session. This is necessary for the payment and shopping cart functionality in the online shop. Only with the help of the session cookie can shopping cart information be saved, so that customers can successively place items in the shopping cart, change its content (remove items or change quantities) and complete the purchase process with payment. The session cookie is stored in memory (not written to disk) and automatically deleted when you close the browser.
The tracking cookie collects information about how visitors use our site and respond to our products. With the help of the Google Analytics cookie we evaluate the anonymized data in order to measure and analyze interactions on the website (see no. 4 below).
Most browsers allow cookies in the standard settings. You can change this setting, however, and decide for yourself which cookies you want to allow or whether you prefer to block all cookies in general. You can also manually delete cookies from your browser or define when they shall be deleted automatically (e.g. after a certain period of time or each time you quit the browser).
You don’t have to accept cookies in order to visit our website. Please note, however, that if you block the essential session cookie, you won’t be able to place orders or to log in to your Lotus account.
4. Google Analytics
We use Google Analytics with activated IP anonymization on our websites. Google Analytics is a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") that helps us understand how visitors engage with our website.
Google Analytics collects first-party cookies, data related to the site visitor’s device/browser, IP address and on-site activities to measure and report statistics about user interactions on our site. It uses IP addresses to derive the geolocation of a visitor, and to protect the service and provide security to Analytics customers. Analytics retains the collected data for 14 months and automatically deletes it afterwards.
We have asked Google to anonymize the collected IP addresses. The last section of an IP address is the number that identifies a device on the network it is connected to. ‘IP anonymization’ means that Google sets the last section of your IP address (the last octet of IPv4 addresses or the last 80 bits of IPv6 addresses) to zeros, thus making it unidentifiable. This process takes place as soon as technically feasible at the earliest possible stage of collection, that is, before any storage or processing takes place, nearly instantaneously after the IP address is sent to the Google Analytics collection servers. All anonymization happens in memory, not on disk. Only after the anonymization process is the data stored on disk for processing. Your full IP address is never written to disk.
Google Analytics uses the collected, anonymized information on our behalf in order to construct reports that help us measure and analyze interactions and purchase activity on the site. For instance, we learn
❏ the number and percentage of new and returning users that visit our website (but not who they are),
❏ how they arrived on our pages,
❏ how long they stayed on our pages,
❏ which product pages are viewed how often, when, from which countries and with which device types,
❏ the average order value during a time period,
❏ sales performance (revenue, purchases and quantities) of a product, a product group or of all products,
❏ conversion rate, but also
❏ whether a web page produces error messages.
The analysis of these reports assists us in improving our product range, marketing and website. This constitutes our legitimate interest on which we base the use of Google Analytics according to Art. 6 para. 1 sentence 1 lit. f GDPR.
Please note that it is not mandatory to accept the Google Analytics cookie in order to browse our site or to purchase products in our online store. If you prefer not to make your site activity available to Google Analytics, you can opt out by installing the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout?hl=en (not available for mobile browsers). The add-on does not prevent data from being sent to our site, but it prevents your site activity from being made available to Google Analytics (only). Alternatively, you can use ad blocker software and set it to block tracking by Google Analytics. Ad blocker software is also available for mobile browsers.
Google complies with the EU-US Privacy Shield Framework. The framework was designed by the European Commission and the US Department of Commerce. It protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield. The framework includes:
❏ strong data protection obligations on companies receiving personal data from the EU,
❏ safeguards on US government access to data,
❏ effective protection and redress for individuals, and
❏ an annual joint review by EU and US to monitor the correct application of the arrangement.
Google’s certificate can be viewed here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
For a comprehensive overview of Google Analytics’ data practices and commitment to protecting the confidentiality and security of data, as well as end user controls, go to:
❏ https://support.google.com/analytics/answer/6004245?hl=en and
5. Trusted Shops
The Trusted Shops Trustbadge and related services are offered by Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne, Germany (“Trusted Shops”).
Trusted Shops uses a content delivery network ("CDN") for some of its services. A CDN refers to a geographically distributed group of servers which work together to provide fast website performance. CDNs do not host content. The Trustbadge is delivered through web servers of a CDN provider who is commissioned by Trusted Shops for data processing and may be located in the US. Outside of the EU, Trusted Shops only commissions US-located service providers who are certified under the EU-US Privacy Shield so that an adequate level of data protection is ensured.
When your browser sends a request to the Trustbadge, the web server automatically saves a server log file which contains your IP address, the date and time of the request, the transferred data volume and the requesting provider (access data), and documents the request. The access data is stored for safety purposes in a security database. It is analyzed in order to identify security vulnerabilities. The log files are automatically deleted within 90 days.
Personal data is also transferred to Trusted Shops if, additionally, you use one of the Trusted Shops services displayed subsequent to your order on our site, or if you have already registered with Trusted Shops. (In these cases, the contractual agreement between you and Trusted Shops applies.) The necessary personal data is then either retrieved from your order details or from a prior registration with Trusted Shops. Trusted Shops will automatically check whether you are a registered customer via a neutral parameter: your email address hashed by a cryptographic one-way function. This means that, before your email address is sent to Trusted Shops, it will be converted to a hash value that cannot be decrypted by Trusted Shops. The parameter is automatically deleted after it is checked for a match.
The Trustbadge integration on our site is necessary for the fulfillment of our and of Trusted Shops' predominantly legitimate interests in the provision of both the buyer protection relating to the respective order and the transactional rating services in accordance with Art. 6 (1) sentence 1 lit. f GDPR.
Our newsletter informs you about news from our company, about our products, special offers, technical know-how, trade fairs, and workshops. We send the newsletter on an irregular basis, usually every one or two months.
You can subscribe to the newsletter on our website. Simply enter your email address in the signup form and click on the ‘subscribe’ button. Optionally, if you prefer a personalized newsletter, you can also enter your name. To verify your email address we use a double opt-in process. This means that we will send an email with a confirmation link to the submitted address. Your registration for the newsletter is complete if you click on the link to confirm the validity of the email address.
We use rapidmail for our newsletter service. Your newsletter data will, therefore, be transmitted to rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br. ("rapidmail"). On our behalf, rapidmail uses this data to send the newsletter and to provide us with statistical overviews (performance measurement) showing
❏ how many (but not which) recipients opened the newsletter, in which time periods, with which device types and from which countries (opening rate),
❏ which individual links contained in the newsletter have been clicked most often, in which periods, with which device types and from which countries (click rate),
❏ how many recipients unsubscribed after receiving the respective newsletter, with which device types.
We evaluate these statistics to optimize the newsletter. The opening and click rates, for instance, allow us to form a better understanding of which products and topics our subscribers are interested in most. Also, being informed about whether subscribers use mobile devices or desktop computers to read the newsletter enables us to make better decisions for optimizing its readability.
It is strictly prohibited for rapidmail to use your data for purposes other than those mentioned above and to pass them on or sell them to third parties.
By clicking on the link contained in the confirmation email, you give us your consent according to Art. 6 (1) lit. a GDPR, to store and use your email address (as well as your name, if applicable) for sending you the newsletter and conducting the associated performance measurement. You can revoke this consent at any time. To unsubscribe from the newsletter, use the unsubscribe link on our website or at the end of the newsletter, or simply contact us.
7. Your Rights
As the party concerned (the data subject), you have the following rights in accordance with the GDPR:
❏ right to information (Art. 15 GDPR),
❏ right to correction or completion of incorrect personal data (Art. 16 GDPR),
❏ right to erasure (Art. 17 GDPR),
❏ right to restriction of processing (Art. 18 GDPR),
❏ right to data portability (Art. 20 GDPR),
❏ right to object to the processing of personal data concerning you on the basis of Art. 6 para. 1 letters e or f GDPR, in particular within the framework of processing for the purposes of direct marketing (Art. 21 GDPR),
❏ right to revoke consents granted, with effect for the future (Art. 7 para. 3 GDPR).
For this, please contact us in text form and with a unique identification of your person at:
Lotus Transfer Press Solutions GmbH & Co. KG
Anklamer Str. 38
Finally, you have the right to file a complaint with the competent supervisory authority (Art. 77 GDPR).
Berlin, September 2019