- General notes and mandatory information
- Data collection on our websites
- Data processing in our online store
Our data protection declaration is based on the terms used by the European legislator in the General Data Protection Regulation (DSGVO). In order to ensure good readability and comprehensibility, we would like to explain the terminology used in advance.
Following the example of Art. 4 DSGVO, we use the following definitions in our data protection declaration:
“Personal data” (Art. 4 No. 1 DSGVO) means any information relating to an identified or identifiable natural person (“data subject”). An individual is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or sound recordings may also contain personal data).
“Processing” (Art. 4 No. 2 GDPR) means any operation which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended purpose on which a data processing was originally based.
“Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Third party” (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data; this also includes other group-affiliated legal entities.
“Processor” (Art. 4 No. 8 GDPR) means a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
“Consent” (Art. 4 No. 11 GDPR) of the data subject means any freely given, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
“Profiling” (Art. 4 No. 4 GDPR) means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.
2. General notes and obligatory information
a) Data collection
Who is responsible for data collection on this website?
Data processing on our websites, www.biogrund.com and www.shop.biogrund.com , is carried out by the website operator. You can find detailed information about Biogrund as the website operator in the imprint or below under c).
How do we collect your data?
On the one hand, your data is collected by you providing it to us. This can be, for example, data that you enter in a contact form. Other data is collected automatically by our IT systems when you visit the website. This is mainly technical data (e.g. Internet browser, operating system or time of page view, IP address, browser language). This data is collected automatically as soon as you enter our websites.
What do we use your data for?
We use your data first of all to ensure error-free, secure and user-friendly provision of our websites and to enable you to contact us conveniently. In addition, we may use analysis tools to provide a web offer tailored to your interests. You will find detailed information on all processing procedures below.
What rights do you have regarding your data?
You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have the right, under certain conditions, to demand the correction, blocking or deletion of this data. For this purpose, as well as for further questions on the subject of data protection, you can contact us at any time at the address given in the imprint. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
The above information served you as a brief overview, we now come to the detailed information:
b) Rights of the data subjects
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right of objection in case of processing based on legitimate interest
Any person affected by the processing of personal data has the right granted by the European legislator to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) (legitimate interest) DSGVO.
Right of appeal to the competent supervisory authority
In the event of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is, for example, the Hessian Commissioner for Data Protection and Freedom of Information, P.O. Box 3163, 65021 Wiesbaden, where our company is located. A list of data protection officers and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as it is technically feasible.
Information, blocking, deletion
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction, blocking or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given in the imprint.
Objection to advertising e-mails
We hereby object to the use of contact data published within the framework of the imprint obligation to send advertising and information material that has not been expressly requested. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.
c) The responsible person or your contact person
If you have any questions regarding the collection, processing or use of your personal data, or if you wish to request information, correction, blocking or deletion of data, as well as revocation of consent given or objection to a particular use of data, please contact the responsible party or their data protection officer directly at
Neukirchner Str. 5
Telefon: +49 6126 95263-0
Fax: +49 6126 95263-33
The data protection officer of BIOGRUND GmbH is currently Dr. Christian Velten, email@example.com.
3. Data collection on our website
Which cookies do we use?
We use so-called cookies for our website. Cookies are small text files that are sent from the web server to your browser when you visit our website and are stored by the browser on your end device for later retrieval.
We use the following cookies on our websites:
You can determine yourself whether cookies can be set and retrieved by means of the settings in your browser. You can, for example, completely deactivate the storage of cookies in your browser, restrict it to certain websites or configure your browser so that it automatically notifies you as soon as a cookie is to be set and asks you to confirm this. You can block or delete individual cookies. However, for technical reasons, this may result in some functions of your website being impaired and no longer functioning fully.
b) Server log data
Our website collects a series of general data and information with each call by a data subject or an automated system. This general data and information is stored in the server log files. The following data may be collected
- browser types and versions used,
- the operating system used by the accessing system,
- the website from which an accessing system arrives at our website (so-called referrer),
- the subpages that are accessed via an accessing system on our website,
- the date and time of access to the website
- the Internet protocol address (IP address),
- the Internet service provider of the accessing system and
- other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, we do not draw any conclusions about the data subject. This information is much more needed to
- to deliver the contents of our website correctly,
- optimize the content of our website and the advertising for it,
- to ensure the long-term functionality of our information technology systems and the technology of our website, and
- to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.
This anonymously collected data and information is therefore evaluated by us on the one hand statistically and on the other hand with the aim of increasing data protection and data security in our company. Our aim is to ensure an optimal level of protection for the personal data we process.
The data processing is therefore based on a legitimate interest pursuant to Art. 6 (1) lit. f DS-GVO. The anonymous data of the server log files are stored separately from any personal data provided by a data subject, e.g. information in a form. The duration of storage is determined by whether storage is still necessary for one of the aforementioned purposes. If this is not the case and there is no other legal basis for storage, the log files and the information contained therein are deleted after 3 days.
c) Contact option via the website
Based on statutory provisions, our website contains data that enable a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts us by e-mail, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted to us on a voluntary basis by a data subject will be stored for the purpose of processing or contacting the data subject. This personal data is not passed on to third parties. We delete the data accruing in this context after storage is no longer necessary, or processing is restricted if there are legal retention obligations.
The legal basis for the processing is Art. 6 (1) lit. b DSGVO if a contractual relationship exists between us and the data subject or is to be established at the request of the data subject, e.g. cooperation requests. In all other cases, the legal basis is Art. 6 (1) lit. f DSGVO. Our legitimate interest is to comply with the legal requirements to provide an electronic means of contact, which necessarily involves the following data processing.
We store the data collected by us via e-mail and the communication to answer your inquiry only as long as this is necessary for the purpose underlying the processing. The concrete storage period can vary greatly here. If no contractual relationship is established in response to your inquiry, your data will be deleted after one year at the latest, unless there is another legal basis for further processing.
If there is a contractual relationship between you and us or if this comes about as a result of your request, the data will be deleted at the latest 10 years after the end of the contractual relationship, provided that there is no other legal basis for storage.
If the data processing is based on a legitimate interest, the data will be deleted if you exercise your right to object pursuant to Art. 21 (1) DSGVO and there are no longer compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
For security reasons, we strongly recommend that you only transmit e-mails in encrypted form. There are considerable risks associated with the transmission of unencrypted messages. Therefore, please do not send us any sensitive data by unencrypted e-mail.
d) SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
e) Newsletter subscription
On our website, we offer users the possibility to subscribe to our enterprise’s newsletter. The personal data transmitted to the controller when the newsletter is ordered is specified in the input mask used for this purpose.
We inform the subscribers via this newsletter at regular intervals about new products, company events, trade fair participations, sales promotions, service times or other professional topics related to our products. In principle, the newsletter of our company can only be received by the data subject if.
- (1) the data subject has a valid e-mail address and
- (2) the data subject registers to receive the newsletter.
For legal reasons, a confirmation email is sent to the email address entered by a data subject for the first time for the newsletter dispatch using the double opt-in procedure. This confirmation e-mail serves to verify whether the owner of the e-mail address as the data subject has authorized the receipt of the newsletter.
When registering for the newsletter, we also store the IP address of the computer system used by the data subject at the time of registration, as assigned by the Internet service provider (ISP), as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject’s e-mail address at a later point in time and therefore serves as a legal safeguard for the controller.
The personal data collected in the context of a registration for the newsletter are used exclusively for sending our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if this is necessary for the operation of the newsletter service or a related registration, as could be the case in the event of changes to the newsletter offer or changes in the technical circumstances. For the dispatch of the newsletter, we use a service provider, the company The Rocket Science Group LLC d/b/a Mailchimp, with whom we have concluded an order processing agreement. The service provider is based in the USA and therefore a third country under data protection law. There is a transfer of personal data to the provider based in the USA. An adequate level of data protection in accordance with the General Data Protection Regulation is not ensured there. The basis for the transfer to a third country is your consent pursuant to Art. 49 (1) sentence 1 lit. a DSGVO.
Otherwise, no personal data collected as part of the newsletter service will be passed on to third parties. The subscription to our newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data that the data subject has given us for the newsletter dispatch can be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing at any time by sending an e-mail to firstname.lastname@example.org or to inform the controller of this in another way.
f) Newsletter tracking
Our newsletters receive so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in such emails that are sent in HTML format to enable log file recording and log file analysis.
This enables a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, we can see if and when an e-mail was opened by you and which links located in the e-mail were called by you. Such personal data collected via the tracking pixel contained in the newsletters is stored and evaluated by us in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to your interests. The data processed by the tracking pixel will be stored for a period of 365 days.
The legal basis for the data processing is Art. 6 para. 1 lit. a DSGVO in conjunction with the consent you have given.
This personal data will not be passed on to third parties. You are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure. After revocation, this personal data will be deleted by us. We automatically interpret an unsubscription from the receipt of the newsletter as a revocation.
g) Use of the WordPress plugin WP Statistics
We use the WordPress plugin “WP Statistics” (https://wp-statistics.com) of the provider “Verona Labs” 5460 West Main Street, Verona, NY 13478, USA, (https://veronalabs.com) in our website. The plugin is used by us to analyze user behavior on our website. The processing is based on a legitimate interest within the meaning of Art. 6 para. 1 lit. f. DS-GVO as the legal basis. Our legitimate interest is to be able to provide the user with content that is as tailored as possible and interesting to the user through the analysis of user behavior, and thus to be able to optimize our Internet offering.
Your IP address is completely replaced by a hash value to protect your online identity, so subsequent identification is no longer possible. Neither is a cookie used to track your Internet activities, nor is geolocation performed. All data is also stored and processed exclusively on our local web server within Germany.
h) Use of Google Fonts
This site uses so-called web fonts provided by Google for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place.
i) Social networks and external links
In addition to this website, we also maintain presences in various social media, which you can access via corresponding buttons on our website. Insofar as you visit such a presence, personal data may be transmitted to the provider of the social network. It is possible that, in addition to the storage of the data specifically entered by you in this social medium, further information will also be processed by the provider of the social network. Furthermore, the provider of the social network may process the most important data of the computer system from which you visit it – for example, your IP address, the processor type and browser version used, including plug-ins. If you are logged in with your personal user account of the respective network while visiting such a website, this network can assign the visit to this account.
The purpose and scope of the data collection by the respective medium as well as the further processing of your data there as well as your rights in this regard can be found in the respective provisions of the respective responsible party, e.g. under:
We would also like to point out that our website contains further links to external third-party websites, whereby we have no influence on the processing of data on these third-party websites.
j) Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
Google Analytics cookies are stored on the basis of Art. 6 (1) lit. a DSGVO, i.e. the consent given by you when calling up the website via our Consent banner. The declaration of consent also explicitly refers to the transfer of personal data to the provider based in the USA. An adequate level of data protection in accordance with the General Data Protection Regulation is not ensured there.
We have activated the IP anonymization function on this website. This means that your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
Click here to disable Google Analytics.
Objection to data collection
You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set that will prevent the collection of your data during future visits to this website: Google Analytics opt-out.
Order data processing
We have concluded an order data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic characteristics with Google Analytics
This website uses the “demographic characteristics” function of Google Analytics. This allows reports to be generated that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as shown in the item “Objection to data collection”.
k) Embedded videos and images from external websites
Some of our pages contain embedded content from YouTube. When merely calling up a page from our website with embedded videos from our YouTube channel, the IP address is transmitted to the provider. In the case of YouTube, the IP address is transmitted to Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“Google”). The data transfer only takes place if you have given your consent in the cookie banner.
The legal basis for the data processing is Art. 6 para. 1 lit. a DSGVO in conjunction with the consent you have given. Your consent also refers to the transfer of personal data to a third country (USA) in accordance with the notice in the cookie banner (Art. 49 para. 1 lit. a DSGVO). It is pointed out once again that, according to the current status, there are no suitable data protection guarantees and no adequate level of data protection there. In particular, there is a possibility of access to the personal data by US authorities.
4. Online store
In the following we inform you in addition about special processing of personal data, if you use our online store www.shop.biorgund.com.
a) Customer account
When opening a customer account, we collect your personal data to the extent indicated there. The data processing serves the purpose of improving your shopping experience and simplifying the order processing. The processing is carried out on the basis of Art. 6 para. 1 lit a DSGVO with your consent and, insofar as necessary for the implementation or establishment of a contractual relationship with you, on the basis of Art. 6 para. 1 lit b DSGVO. You can revoke your consent at any time by notifying us, without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation. Your customer account will then be deleted.
b) Collection, processing and use of personal data when ordering.
Legal or contractual requirements for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subjects to provide the personal data; possible consequences of failure to provide the data
We would like to point out that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Under certain circumstances, it may be necessary for the conclusion of a contract that you provide us with personal data, which must subsequently be processed by us, for example for the implementation of a contractual relationship. Failure to provide the personal data would mean that the contract with you could not be concluded. You can contact our data protection officer, who can inform you on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be in your individual case.
c) Use of PayPal
i. Payment via PayPal
If you decide to use the PayPal payment method, your personal data will be transmitted to PayPal. The prerequisite for the use of PayPal is the opening of a PayPal account. With the use or opening of a PayPal account, among other things, name, address, telephone number and e-mail address must be transmitted to PayPal. The legal basis for the transmission of the data is Article 6 (1) a DSGVO (consent) or Article 6 (1) b DSGVO (processing for the performance of a contract).
The operator of the payment service PayPal is:
PayPal (Europe) S.à r.l. et Cie, S.C.A..
22-24 Boulevard Royal