Privacy Policy
I. General Information
If you have any questions or uncertainties regarding data protection, you can always contact us as the responsible party or our data protection officer.
1. Name and Address of the Responsible Party
The responsible party in the sense of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) is
Model Car World GmbH
Boettgerstraße 14
65439 Flörsheim
Germany
Phone: +49 (0) 6145 3501-0
Email: [email protected]
as well as its subsidiaries:
BB Services GmbH
Boettgerstraße 14
65439 Flörsheim
Germany
Phone: +49 (0) 6145 3501-100
Email: [email protected]
BREKINA Modellspielwaren GmbH
Zeppelinstr. 8
79331 Teningen
Germany
Phone: +49 (0)7663 93270
Email: [email protected]
Speidel Replicars GmbH
Am Häckselplatz 1
72131 Ofterdingen
Germany
Phone: +49 (0)7473 4099
Email: [email protected]
hereinafter referred to as the Group.
2. Contact Information of the Data Protection Officer
For questions about data protection, inquiries, and/or further information about the data processing of the group, please contact our data protection officer:
Jean-Claude Endert, LL.M., M.A.
TÜV SÜD Akademie GmbH
Business Field Data Protection Consulting Services
Westendstraße 160
80339 Munich
Germany
Email: [email protected], [email protected]
3. Supervisory Authority
If you believe that the processing of your personal data by the group is not lawful, you have the right to contact a supervisory authority in the member state of your residence, workplace, or the location of the alleged violation. According to Art. 55 GDPR, the competent supervisory authority is:
The Hessian Commissioner for Data Protection and Freedom of Information
Prof. Dr. Alexander Roßnagel
Postfach 31 63
65021 Wiesbaden
Germany
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
Phone: +49 (0)611 140-80
Email: [email protected]
Homepage: https://www.datenschutz.hessen.de
II. General Information on Data Processing
1. General Information on Data Processing and Scope of Application
The group processes your personal data only to display content and services for a functional website. The collection of your personal data occurs when you create an account with us. This privacy policy applies to all pages of our online offering.
2. Definitions
- Definitions according to Art. 4 GDPR:
- Personal data: all information that relates to an identified or identifiable natural person; a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Examples include contact data, communication data, billing data.
- Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Recipient: a natural or legal person, public authority, agency, or other body, to which personal data are disclosed, whether a third party or not.
- Third party: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
- “Need-to-Know Principle“:
- Every data-processing employee should only access and execute programs on those data sets that they really need for their task.
3. Legal Basis for Processing Your Data
The legal basis for processing your personal data is derived from Art. 6 para. 1 of the EU General Data Protection Regulation (GDPR).
- If the processing of your personal data requires your consent, this is based on Art. 6 para. 1 lit. a GDPR.
- If the processing of your personal data is necessary for the performance of a contract or pre-contractual measures, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
- Art. 6 para. 1 lit. c GDPR is the legal basis for processing your personal data to fulfill legal obligations on the part of the group.
- To protect vital interests, Art. 6 para. 1 lit. d GDPR is the legal basis,
- for public interests, Art. 6 para. 1 lit. e GDPR applies.
- If the processing of personal data is necessary to safeguard the legitimate interests of the group or third parties, and the interests, fundamental rights, and freedoms of the data subjects do not override these, Art. 6 para. 1 lit. f GDPR is the legal basis.
- The existence of legitimate interests may arise in the context of providing the service; starting with direct marketing measures, direct communication with website users, technical support available if necessary.
- Furthermore, these may also exist for internal processes such as administrative activities or ensuring the proper operation of the websites.
- Finally, they may arise in efforts within the group to achieve synergy effects by centrally providing various services.
- In the case of an application for employment, the legal basis is derived from Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG. If the data involves special categories of personal data (e.g., health data) that you voluntarily provide to us (e.g., information about a disability), the processing is based on Art. 9 para. 2 lit. b GDPR in conjunction with § 26 para. 3 BDSG.
4. Categories of Recipients
- Employees of the group following the "Need to Know" principle
- Service providers supporting the group in all areas (Assurance, Business Development, IT, Operations, HR, and Finance)
- Potentially social networks
5. Description of Data and Purpose of Processing
We process the following personal data:
- Access management data (login information)
e.g., email address, password [in encrypted form, so that no employee has access to your personal password]- Purpose:
- To use and implement the website
- Provision of customer support, regardless of the chosen contact form (email traffic, telephone contact, etc.).
- Legal basis: Art. 6 para. 1 lit. b GDPR
- Purpose:
- User data
such as your display name, email address- Purpose:
- To use and implement the website.
- Provision of customer support, regardless of the chosen contact form (email traffic, telephone contact, etc.).
- To comply with legal requirements, regulatory obligations, or responses to government inquiries, mainly financial inquiries.
- To protect the group and its rights, as well as the rights of related parties. Furthermore, data recording and sharing may be necessary to: (a) protect your and the public's safety and privacy; (b) protect our legal rights, security, or property; or (c) minimize our risk or that of related parties.
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, or from service providers and partners.
- For the purpose of conducting marketing communications of the group, based on voluntary consent or agreement to transmit registration or login data. Marketing communication includes communication via email and phone or even by mail.
- Legal basis: Art. 6 para. 1 lit. b, c, f GDPR
- Purpose:
- Settings data
such as whether you have registered your phone number for SMS communication- Purpose:
- Fulfillment of the terms and conditions for this platform.
- To comply with legal requirements, regulatory obligations, or responses to government inquiries, mainly financial inquiries.
- To protect the group and its rights, as well as the rights of related parties. Furthermore, data recording and sharing may be necessary to: (a) protect your and the public's safety and privacy; (b) protect our legal rights, security, or property; or (c) minimize our risk or that of related parties.
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- For the purpose of transferring assets if we sell and/or merge the company or assets in whole or in part.
- Legal basis: Art. 6 para. 1 lit. b, c, f GDPR
- Purpose:
- Device data
such as device ID, operating system- Purpose:
- Provision of customer support, regardless of the chosen contact form (email traffic, telephone contact, etc.).
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- Legal basis: Art. 6 para. 1 lit. b, f GDPR
- Purpose:
- Network data
such as IP address, referrer (website from which the user came to the current website or file)- Purpose:
- To use and implement the website
- To comply with legal requirements, regulatory obligations, or responses to government inquiries, mainly financial inquiries.
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- For the purpose of conducting marketing communications of the group, based on voluntary consent or agreement to transmit registration or login data. This can be done in general or personalized based on user behavior and activity data. Marketing communication includes communication via email, SMS, and phone or chat messages, possibly also through third-party messengers or by mail.
- Legal basis: Art. 6 para. 1 lit. b, c, f GDPR
- Purpose:
- Location data
such as country of origin, language- Purpose:
- To use and implement the website
- Provision of customer support, regardless of the chosen contact form (email traffic, telephone contact, etc.).
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- Legal basis: Art. 6 para. 1 lit. b, c, f GDPR
- Purpose:
- Personally identifiable data
such as address, date of birth- Purpose:
- To enable order processing
- To create a customer number
- To use and implement the website
- For the purpose of age verification, fraud, and money laundering prevention.
- Fulfillment of the terms and conditions for this platform.
- Provision of customer support, regardless of the chosen contact form (email traffic, telephone contact, etc.).
- To comply with legal requirements, regulatory obligations, or responses to government inquiries, mainly financial inquiries.
- To protect the group and its rights, as well as the rights of related parties. Furthermore, data recording and sharing may be necessary to: (a) protect your and the public's safety and privacy; (b) protect our legal rights, security, or property; or (c) minimize our risk or that of related parties.
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- For the purpose of conducting marketing communications of the group, based on voluntary consent or agreement to transmit registration or login data. Marketing communication includes communication via email, SMS, and phone or chat messages, possibly also through third-party messengers or by mail.
- To conduct the application process and establish an employment relationship.
- Legal basis: Art. 6 para. 1 lit. b, c, f GDPR; in the case of an application Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG
- Purpose:
- Partner information
such as advertising banners you clicked to reach us- Purpose:
- For your and our security, to improve the services and functionality of the website. This includes surveys, your voluntary feedback, the transmission of possible malfunctions, training of our employees or from service providers and partners.
- For the purpose of conducting marketing communications of the group, based on voluntary consent or agreement to transmit registration or login data. This can be done in general or personalized based on user behavior and activity data. Marketing communication includes communication via email and phone or even by mail.
- Legal basis: Art. 6 para. 1 lit. f GDPR
- Purpose:
6. Duration of Data Storage and Data Deletion
The group generally deletes your personal data when the purpose of storage no longer applies. The aforementioned data are mandatory for the use and implementation of the website as well as the fulfillment of the terms and conditions. However, it is conceivable that further storage may result from European or national laws, regulations, or other provisions to which the group is subject. Such data are only deleted when the corresponding retention periods from the aforementioned legal sources expire. An exception exists only if the stored data are required for the fulfillment of a contract or the conclusion of a contract. For example, retention periods of up to ten years are legally required for certain data due to tax regulations.
7. Where are the Data Processed?
Your data is processed in data centers within the European Union for Model Car World.
For BB Services, the server is located in the USA (Silicon Valley, California) until the end of September 2024. After that, these data will also be migrated to a server within the European Union.
III. Information on Required Data Processing and Transmission
1. Group
All collected and personal data are also made available to the partner company within the group according to the "Need to Know" principle.
a) Description and Scope of Data Processing
All data processed during a website visit and mentioned at the relevant point in this privacy policy are available to both companies in the group for the purposes described below:
b) Legal Basis for Data Processing
Art. 6 para. 1 lit. f GDPR and thus our legitimate interest in being able to offer you our services comprehensively, continuously, and incorporating the latest trends, constitute the legal basis for data processing.
c) Purpose of Data Processing
The website itself and the products offered are provided through the cooperation within the group. For this purpose, it is necessary that all personal data and, for example, data collected from cookies are always available to all companies. Only this way can necessary work, such as programming adjustments on the website, be performed and coordinated to function smoothly for all customers. For example, the information about the number of customers logged in and active at certain times is relevant for the group to make adjustments to current server capacities if necessary. Additionally, information about the preferred browser type used by customers and interested parties to access our offers is essential for making programming adjustments for upcoming browser updates by the respective employees.
d) Duration of Storage
As soon as certain stored data need to be deleted at one company within the group, they are also irrevocably removed at the other company.
e) Revocation, Objection, and Removal Option
For personal data processed based on Art. 6 para. 1 lit. a GDPR and thus a customer's consent, a revocation is sufficient to prohibit further processing. For data processed based on Art. 6 para. 1 lit. b GDPR and thus a contract, the termination of the usage contract with the group company is required to end the data processing. To stop processing data processed based on Art. 6 para. 1 lit. f GDPR, a future objection from the customer is necessary.
2. Hosting Our Website
When visiting the website, certain information is automatically created and stored, also on the pages of the Group.
When you visit our website, our web server (the computer where this website is stored) automatically saves data such as:
- the address (URL) of the accessed website
- browser and browser version
- the operating system used
- the address (URL) of the previously visited page (referrer URL)
- the hostname and IP address of the device used to access it
- date and time
in files (web server log files).
We usually delete the data in web server log files at regular intervals - the exact time depends on the respective configuration rules. These can be time- or size-based.
We do not share this data, but we cannot exclude the possibility that this data may be viewed if there is illegal behavior.
3. Contact Form and Email Contact
a) Description and Scope of Data Processing
There are contact forms on the websites of the group. If a customer uses this contact option, the data entered in the input mask is transmitted and stored not only with the contacted company but also with the partner company. Initially, this includes contact data (email, first and last name, phone number) and the concern (subject and message). Additionally, the IP address is also collected. Alternatively, contact via email is offered. In this case, the personal data of the customer transmitted with the email is stored.
In both cases, there is no transfer of data to third parties. The group uses the data exclusively for communication with the customer.
b) Legal Basis for Data Processing
The data sent via the contact form or email are stored and used to process customer inquiries and the associated technical administration. The legal basis for processing this data is the legitimate interest of the group in responding to customer inquiries according to Art. 6 para. 1 lit. f GDPR.
If the customer's contact aims to conclude a contract, an additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.
c) Purpose of Data Processing
The purpose of both the contact form and the use of the email address is to offer visitors, interested parties, or customers a simple and convenient way to contact the group directly. Initially, questions should be answered, or pre-contractual measures initiated.
d) Duration of Storage
Once the dialogue with the customer is concluded, i.e., when it is clear for both parties that no further clarification is needed and thus the purpose of the collection is achieved, the data will be deleted. Deletion will only be waived if there are statutory retention periods.
e) Revocation, Objection, and Removal Option
The customer can revoke their consent to the processing of their data at any time. They can also use the contact form or email address for this purpose. The dialogue will then be terminated immediately.
4. Service Providers
Description and Scope of Data Processing
The group collaborates with a number of external service providers who perform services or process data on their behalf (order processing). They carry out processing activities in all specialist departments (Assurance, Business Development, IT, Operations, HR, and Finance). These service providers or processors are listed in a regularly updated list that can be viewed upon justified request.
- Legal Basis for Data Processing
Art. 6 para. 1 lit. b GDPR and thus the fulfillment of the contracts between the customers, the group, and the listed service providers or processors constitute the legal basis for data processing. - Purpose of Data Processing
Only by transmitting personal data is it possible to provide individual services to customers. - Duration of Storage
The listed service providers, as well as the group, delete your personal data after the successful provision of the agreed service unless legal obligations require a longer retention period.
5. Google Fonts
a) Description and Scope of Data Processing
Google Fonts is integrated into some websites of the group. When loading these, a connection to Google's servers can be established, causing the browser of the user visiting the site to transmit various data to Google. This includes browser and device data, but also the IP address of the user, which constitutes personal data. Therefore, the integration of Google Fonts can result in the transmission of personal data to Google's servers in the USA.
b) Legal Basis for Data Processing
Art. 6 para. 1 lit. f GDPR and thus our legitimate interest in search engine optimization, improved loading times, reduced administrative effort, and a uniform presentation across devices.
c) Purpose of Data Processing
The processing serves the simple and uniform integration of a large number of fonts on the website. Additionally, we strive to achieve an appealing presentation for you.
III. Information on Protecting Your Data and Your Rights
1. Your Rights as a Data Subject
- Right to Access (Art. 15 GDPR)
You have the right to be informed about whether and which personal data we process about you. According to the GDPR, we will provide you with a summary of the personal data on request. We have a 30-day period according to the GDPR to respond to your access request. - Right to Rectification (Art. 16 GDPR)
If you inform us that the data we process about you is incorrect or incomplete, we will correct it immediately upon positive verification. - Right to Erasure (Art. 17 GDPR)
We will delete personal data upon request immediately, provided none of the reasons stated in Art. 17 GDPR oppose it. Deletion can always only be done for the future. - Right to Restriction of Processing (Art. 18 GDPR)
If you wish, we will restrict the processing of your data, provided one of the conditions mentioned in this provision is met. - Right to Notification (Art. 19 GDPR)
We will notify recipients (e.g., order data processors) of requests received for correction, restriction, or deletion of your personal data if we have received such a request. - Right to Data Portability (Art. 20 GDPR)
Upon request, we will provide your data in a commonly used, machine-readable format and transfer your personal data to another controller upon request. - Right to Object (Art. 21 GDPR)
You can object to the processing of your personal data if it is based on certain legal grounds (e.g., Art. 6 para. 1 lit. e or f GDPR), provided a justification within the meaning of this provision exists. - Right to Withdraw Consent (Art. 7 GDPR)
You have the right to withdraw your consent(s) given according to Art. 6 para. 1 lit. a GDPR at any time with effect for the future. - Right Regarding Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling. - Right to Complain to Supervisory Authorities (Art. 77 GDPR)
If you believe that the processing of your data violates the provisions of the GDPR or your data protection rights have otherwise been infringed, you can contact your competent data protection authority (see point I 3 above) or another supervisory authority at any time. - An overview of supervisory authorities in the Federal Republic of Germany can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
2. International Data Transfer
In principle, recipients of personal data must be located within the European Union (EU) or the European Economic Area (EEA). The non-EU and non-EEA member United Kingdom is treated as an EU member state due to an adequacy decision until at least June 2025. Data transfer to third countries is otherwise only permitted if there is an adequacy decision by the EU Commission, standard contractual clauses approved by the EU Commission are used, or approved conduct or corporate rules apply.
As described above (point II 7), data is transferred both within the EU and to the USA.
From the end of September 2024, data transfers will take place exclusively within the EU.
IV. Information on Cookies and Social Media Plugins
Detailed information on the cookies and plugins used on the websites of the Group, their use and storage, and/or how you can object to them can be found in our Cookie Policy.
V. Amendment of this Privacy Policy
This privacy policy may be amended due to new legal requirements. Therefore, the group recommends that users regularly review this privacy policy for changes and/or additions.