Privacy Policy

Privacy Policy

Steiff Retail GmbH offers extensive information to its contractual partners, customers and interested parties via the website https://www.steiff.com/. In doing so, we place particular value on handling your personal data and the data of your company in a trusted and secure manner.

The following Privacy Policy is the basis for our actions and a component of our business relationship with customers, prospects and third parties.

We adapt the Privacy Policy as needed based on legal and technical changes. The current version of the Privacy Policy published on the website is valid.

The Privacy Policy includes the following points:

1. Name and address of the controller (person responsible for processing)

The controller as defined by the General Data Protection Regulation, other privacy laws valid in the member states of the European Union and other provisions with a privacy/data protection character is:

Steiff Retail GmbH
Richard-Steiff-Str.4
D-89537 Giengen/Brenz
Tel.: +49 / (0)711 / 725 230 4241
Fax: +49 / (0)711 / 725 230 799
uk.service@steiff.com
Website: https://www.steiff.com/

2. Name and address of the data protection officer

The data protection officer of the processing controller is

Dirk Janthur
Datenschutzberatung Janthur GmbH
Hedelfinger Straße 12
73734 Esslingen
Tel.-Nr.: +49 711 71530104
dirk.janthur@janthur.net

3. Use of cookies

The websites of Steiff Retail GmbH use cookies. Cookies are data that are stored by the web browser on the user's computer system. When the user accesses a page, the cookies can be transmitted to this page and thus make it possible to assign this activity to the user. Cookies help make it easier for the user to view websites.

You can opt out of the setting of cookies by making corresponding changes to the settings in the web browser. Cookies that have been set may be deleted. Please note that if cookies are disabled, not all functions of our website may be able to be used in their entirety. The following cookies are used: 

3.1. Floodlight pixels

Floodlight records various types of information as part of the HTTP request for websites and apps that use Floodlight, including but not limited to the following: IP addresses (and geographical locations derived from IP addresses), cookie IDs, user agent, page referrer URL, time of the advertisement request, advertisement request URL (and DCM IDs contained in the URL), publisher click tracker URL, user-defined values defined by the publisher, user-defined values defined by the advertiser, additional configurations and disabling exceptions, device identification, identification of mobile apps.

3.2. Conversion tracking

For conversion tracking purposes, we can store and read cookies in Google domains and the DoubleClick domain. For app-based conversions, we store the click ID, IDFA (for iOS) and AdId (Android). For imported click conversions, we store the click IDs sent to us by the advertiser. If users interact with an advertisement in a browser (by clicking a text advertisement or showing a video advertisement), AdWords stores a cookie in a Google domain that contains information about the interaction. If someone converts on the advertiser's website, the conversion tracking tag he or she has installed reads this cookie and sends it back to AdWords with the conversion information.
If the advertiser uses the new global website tag from his or her AdWords account or has installed a Google Analytics tag on its target page or uses the conversion linker tag in GTM, in these solutions, a cookie is also stored on its domain about the last advertisement click. If no click information about the same devices is available, but the user is logged in with Google, we read the login information from cookies in Google domains and send it to Google along with the conversion information. If a search click has been made by the same logged-in user on another device or in another browser, we can allocate the conversion as a cross-device conversion.

Remarketing:
For remarketing lists for search advertisements (RLSA) and remarketing in the Display Network, advertisers can use the AdWords remarketing/conversion tag or the Google Analytics tag to link various users with one or more remarketing lists. AdWords collects data that pertain to the device/browser, the IP address and the activities on the site/app, including page and link URLs. The data are collected based on IDFA / ADID, DoubleClick ID, Google non-authenticated cookies and Google authenticated cookies, which are stored and used in different ways.

Display:
If AdWords functions via display, it uses IP addresses and cookie IDs and, depending on a user's specific settings, it can use location data or Google account information. Depending on the product used, other identifiers can be used (e.g. Customer Match).

Apps:
If you use a Google SDK or an SDK from third-party suppliers in your mobile app to send mobile IDs to Google, in most cases, you have to obtain the consent of your users in the European Economic Area to comply with Google's EC user consent guidelines. Our guidelines require consent for the use of mobile identifiers where legally prescribed and consent for the collection, forwarding and use of personal data (including Mobile Identifier) for the personalisation of advertisements or other services. For example, if you use an app attribution partner to send Google IDFAs or ADIDs for advertisements for repeated interaction or remarketing, you have to obtain the consent of the users to collect and forward these data with the app attribution partner and Google.

3.3. Duration of storage

We anonymise IP addresses in logs by removing a part of the address after 9 months. After 18 months, we further anonymise the log data by removing cookies or advertiser ID information, both in the logs and the ad serving databases. User profile information about advertising cookies and advertising IDs is also stored in databases that can be accessed for advertisements served in real time. The data stored in these databases are either stored or anonymised after 18 months.

4. Creation of log files

Each time the website is accessed, Steiff Retail GmbH uses an automated system to collect data and information. These are stored in the log files of the server.

The following data can be gathered during this process:

(1) Information about the browser type and the version used
(2) The user's operating system
(3) The user's Internet Service Provider
(4) The user's IP address
(5) Date and time of the access
(6) Websites from which the user's system reaches our website (referrer)
(7) Websites called up via our website by the user's system

The data are processed for the purpose of delivering the content of our website, guaranteeing the function of our information technology systems and optimizing our website. The data of the log files are always stored separately from other personal data of users.

5. Analytics tools

Steiff Retail GmbH uses Google Analytics, a web analytics service from Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how you use the site. The information generated by the cookie about your use of this website (including your IP address) is sent to a server in the United States operated by Google and stored there. Google will use this information to evaluate your use of the website, compile reports about the website activity for the website operators and render other services associated with website use and Internet use. Google may also transmit this information to third parties if required by law or if third parties process this data on Google's behalf. Google will never associate your IP address with other Google data. You may refuse the installation of cookies by selecting the appropriate settings on your browser, however please note that you may not be able to use the full functionality of this website if you do so. By using this website, you declare your consent to Google's processing of the data collected about you in the above-mentioned manner and for the above-mentioned purpose. Furthermore, you can prevent Google's collection of data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of these data by opting out at the following deactivation link from Google.

6. Links and content to third-party websites

The website contains links to third-party content. Steiff Retail GmbH assumes no liability for these pages and the respective handling of personal data. Liability notice:In its decision of May 12, 1998, the district court of Hamburg stated that providing a link may entail shared responsibility for the content of the linked site. According to the regional court of Hamburg, this can only be prevented if the operator expressly distances itself from this content. Steiff Retail GmbH has placed links to other Internet sites on its pages. The following applies for all these links: Steiff Retail GmbH expressly states that Steiff Retail GmbH has no influence whatsoever on the design and content of the linked pages. Therefore, Steiff Retail GmbH hereby distances itself from all content of all pages linked on the main website and does not make this content its own. This statement applies to all links displayed on the main website and for all content of the sites to which the banners, buttons and links visible at Steiff Retail GmbH direct visitors.

7. SSL encryption

For security reasons and to protect the transmission of confidential content, like the requests you send us as the page operator, this site uses SSL encryption. You can identify an encrypted connection by the fact that the browser's address bar switches from "http://" to "https://" and the lock icon near the address bar. If SSL encryption is enabled, the data you transmit to us cannot be intercepted by third parties.

8. Registration for our website

If the involved person makes use of the option to register on the website of the controller of the processing and specifies personal data, the data are transmitted to the controller of processing in the respective input mask. The data are stored exclusively for the purpose of internal use by the controller of the processing.

During registration, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services. The data are not forwarded to third parties. An exception is made if a legal obligation for such forwarding exists.

The registration of the data is required in order to provide content or services. Registered persons have the ability to have the stored data deleted or modified at any time. The involved person can receive information about the personal data stored about him or her at any time.

9. Newsletter

If the user subscribes to our company's newsletter, the data are transmitted to the controller of the processing in the respective input mask.

During registration for the newsletter, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the involved person. The data are not forwarded to third parties. The newsletter is sent via a service provider that acts on behalf of Steiff Retail GmbH. A contractual obligation in accordance with Article 28 of the General Data Protection Regulation ( GDPR) is agreed. An exception is made if a legal obligation for such forwarding exists.

The data are used exclusively to send the newsletter. The newsletter subscription can be cancelled at any time by the involved person. Likewise, the consent to storage of personal data can be revoked at any time. A corresponding link is provided for this purpose in each newsletter.

10. Purchasing in the online shop

Each user of the website has the ability to make purchases in the online store. You have the ability to make these purchases as a guest, with or without registering.

In every case, we collect the data necessary for the ordering process according to the entry form. Specifically, this includes the following information: Last name, first name, mailing address, e-mail address and date of birth of the person placing the order.

If you do not register, you receive a confirmation e-mail with all information and data we process about you for the purpose of the business transaction. This also includes our storing your data corresponding to legal mandates.

If you shop as a registered user, you can see which of your data we process in your account at any time.

11. Payment in the online shop

Payment transaction

To ensure that the payment transaction is as simple and—most importantly—as secure as possible, we have integrated Stripe as the payment provider.

Stripe carries out the payment transaction. The order is not completed until after a successful payment transaction.

12. Contacting options

There is a contact form on the Steiff Retail GmbH website that can be used to make contact electronically. As an alternative, we can be contacted using the provided e-mail address. If the involved person makes contact with the controller of the processing using one of these channels, the personal data transmitted by the involved person is stored automatically. Storage only serves the purposes of processing or of making contact with the involved person. The data are not forwarded to third parties.

This refers to voluntarily given personal data. Steiff Retail GmbH has taken all technical and organisational measures to make sure that these data are secure.

However, be very careful when entering information and do not transmit any sensitive data, such as your bank details, using the contact form.

13. Routine erasure and locking of personal data

The processing controller processes and stores personal data of the involved person only as long as it is necessary for fulfilling the purpose of the storage. Furthermore, storage can only take place insofar as it has been permitted by European or national legislation in legal regulations, laws or other provisions to which the controller of the processing is subject.

As soon as the purpose for storage no longer exists or the storage period prescribed by the mentioned regulations has expired, the personal data are routinely locked or erased.

14. Use of social plugins

Facebook plugin

Plugins from the social network Facebook—provider: Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA—have been integrated into our pages. Facebook plugins can be identified by the Facebook logo or the "Like" button on our page. You can find an overview of Facebook plugins here: https://developers.facebook.com/docs/plugins/. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Facebook server. This allows Facebook to receive the information that you have visited our page with your IP address. If you click the Facebook "Like" button while you are logged in to your Facebook account, you can link the content of our pages on your Facebook profile. Facebook can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Facebook. You can find further information on this in the Privacy Policy of Facebook at. If you do not want Facebook to attribute your visit to our pages to your Facebook user account, log out of your Facebook user account.

YouTube plugin

We have added a YouTube plugin—YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the YouTube server. This allows YouTube to receive the information that you have visited our page with your IP address. If you click the YouTube button while you are logged in to your YouTube account, you can link the content of our pages on your YouTube profile. YouTube can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by YouTube. You can find further information on this in the Privacy Policy of YouTube at. WIf you do not want YouTube to attribute your visit to our pages to your YouTube user account, log out of your YouTube user account.

Instagram plugin

We have added an Instagram plugin—Instagram LLC, represented by Kevin Systrom and Mike Krieger, 1601 Willow Rd, Menlo Park, CA 94025, USA—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Instagram server. This allows Instagram to receive the information that you have visited our page with your IP address. If you click the Instagram button while you are logged in to your Instagram account, you can link the content of our pages on your Instagram profile. Instagram can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Instagram. You can find further information on this in the Privacy Policy of Instagram at. If you do not want Instagram to attribute your visit to our pages to your Instagram user account, log out of your Instagram user account.

Twitter plugin

We have added a Twitter plugin—Twitter International Company, One Cumberland Place Fenian Street, Dublin 2 D02 AX07 Ireland—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Twitter server. This allows Twitter to receive the information that you have visited our page with your IP address. If you click the Twitter button while you are logged in to your Twitter account, you can link the content of our pages on your Twitter profile. Twitter can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Twitter. You can find further information on this in the Privacy Policy of Twitter at. If you do not want Twitter to attribute your visit to our pages to your Twitter user account, log out of your Twitter user account.

Pinterest plugin

We have added a Pinterest plugin—Pinterest Europe Ltd., Palmerston House, 2nd Floor Fenian Street Dublin 2, Ireland—to our page. Whenever you visit our pages, the plugin creates a direct connection between your browser and the Pinterest server. This allows Pinterest to receive the information that you have visited our page with your IP address. If you click the Pinterest button while you are logged in to your Pinterest account, you can link the content of our pages on your Pinterest profile. Pinterest can thus attribute the visit to our pages to your user account. Be aware that as the provider of the pages, we have no knowledge of the content of the transmitted data and their use by Pinterest. You can find further information on this in the Privacy Policy of Pinterest at. If you do not want Pinterest to attribute your visit to our pages to your Pinterest user account, please log out of your Pinterest user account.

15. Rights of the data subject

WIf your personal data are processed, you are the data subject within the meaning of the GDPR. You are thus entitled to the following rights with respect to the controller: You may claim all these rights to the company according to the contact data in Item 1 or to our data protection officer according to the contact data in Item 2

15.1. Right of access

You may request confirmation from the controller about whether personal data concerning you are processed by us.

If such processing is taking place, you may request information on the following from the controller:
a. The purposes for which the personal data are processed
b. The categories of personal data that are processed
c. The recipients or the categories of recipients to whom the personal data concerning you have been disclosed or are still being disclosed
d. The planned period of storage of the personal data concerning you or, if actual information on this is not possible, the criteria for the definition of the storage period
e. The existence of a right for rectification or erasure of the personal data concerning you, a right of restriction of processing by the controller or a right to object to this processing
f. The existence of a right of appeal to a supervisory authority
g. All available information on the origin of the data, if the personal data have not been collected from the data subject
h. The existence of automated decision-making including, profiling in accordance with Article 22 Par.1 and 4 GDPR and—at least in these cases—meaningful information on the logic involved and on the scope and the intended effects of such processing for the data subject

You have the right to request information on whether the personal data concerning you are transmitted to a third country or to an international organisation. In this context, you may request to be informed about the suitable guarantees in accordance with Art. 46 GDPR in connection with transmission.

For data processing for the purposes of scientific or historical research or statistical research: This access right can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

15.2. Right of correction

You have the right to rectification and/or completion with respect to the controller insofar as the processed personal data concerning you are incorrect or incomplete. The controller must implement the correction immediately.

For data processing for the purposes of scientific or historical research or statistical research:

Your right to rectification can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

15.3. Right of restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you is restricted:

a. If you dispute the correctness of the personal data concerning you for a period of time long enough to allow the controller to check the correctness of the personal data
b. If processing is unlawful and you reject the deletion of the personal data, requesting a restriction of the use of the personal data instead
c. If the controller no longer needs the personal data for the purpose of the processing, but you require the data for asserting, enforcing or defending legal claims, or
d. If you have filed an objection to processing in accordance with Art. 21 Par.1 GDPR and it has not yet been established whether the justified grounds of the controller supersede your grounds for restriction

If the processing of personal data concerning you has been restricted, these data—apart from their storage—may be processed only with your consent or for asserting, enforcing or defending legal claims or for the protection of the rights of another natural or legal entity or for causes of an important public interest of the European Union or one of its member states.

If the restriction has taken effect in accordance with the above conditions,you will be notified by the controller before the restriction is lifted.

For data processing for the purposes of scientific or historical research or statistical research:

Your right of restriction of processing can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

15.4. Right of erasure

15.4.1. You may request that the controller erases the personal data concerning you immediately, and the controller is obliged to erase these data immediately if one of the following grounds for erasure applies:

a. The personal data concerning you are no longer needed for the purposes for which they have been collected or otherwise processed
b. You revoke your consent on which processing was based in accordance with Art. 6 Par.1 subparagraph a or Art. 9 Par.2 subparagraph a GDPR, and there is no other legal basis for processing
c. You file an objection to processing in accordance with Art. 21 Par.1 GDPR and there are no justified grounds of higher priority, or you file an objection to processing in accordance with Art.21 Par.2 GDPR
d. The personal data concerning you have been processed unlawfully
e. The erasure of the personal data concerning you is required for compliance with a legal obligation in accordance with European Union law or the law of the member states to which the controller is subject
f. The personal data concerning you have been collected with regard to solicited services of information society in accordance with Art. 8 Par.1 GDPR

15.4.2. If the controller has published the personal data concerning you and is obliged to erase the data in accordance with Art. 17 Par.1 GDPR, the controller shall initiate measures, including those of a technical nature, that are appropriate under consideration of the available technology and costs of implementation in order to notify all other data processing controllers who process these personal data of the fact that you as the involved person have requested the erasure of all links to these personal data or of copies or replications of these data.

15.4.3. The right of erasure does not exist insofar as processing is required for the following reasons: a. For executing the right to free speech and information
b. For complying with a legal obligation requiring the processing in accordance with the law of the European Union or the member states to which the controller is subject, or for exercising a duty that is in the public interest or occurs in execution of public authority that has been transferred to the controller
c. For causes of public interest in the area of public health in accordance with Art. 9 Par.2 subparagraph h and i as well as Art. 9 Par.3 GDPR
d. For archival purposes in the public interest, for the purposes of scientific or historical research or statistical purposes in accordance with Art. 89 Par. 1 GDPR, insofar as the right specified in Par.1 is expected to prevent or seriously impede the implementation of the goals of this processing e. For asserting, enforcing or defending legal claims

15.5. Right of information

If you have asserted your right of correction, erasure or restriction of processing to the controller, the controller is obliged to communicate this correction or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this is shown to be impossible or to involve a disproportionate effort.

With respect to the controller, you have the right to be notified of these recipients.

15.6. Right of data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer these data to another controller without obstruction by the controller to whom the personal data have been provided insofar as:

a. The processing is based on consent in accordance with Art. 6 Par.1 subparagraph a GDPR or Art. 9 Par.2 subparagraph a GDPR or a contract in accordance with Art. 6 Par.1 subparagraph b GDPR, andd
b. Processing is done using automated procedures

In exerting this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, if as this is technically possible. In doing so, the freedoms and rights of other persons shall not be impeded.

The right of data portability shall not apply to the personal data processing that is required for exercising a duty in the public interest or occurs in execution of public authority that has been transferred to the controller.

15.7. Right of objection

At any time, you have to right to file an objection to the processing of personal data concerning you that is carried out on the basis of Art. 6 Par.1 subparagraph e or f GDPR for grounds relating to your specific situation; this shall also apply to any profiling based on these clauses.

The controller will no longer process personal data concerning you, unless the existence of compelling grounds for the processing that are worthy of protection and supersede your interests, rights and freedoms can be proved, or the processing is for asserting, enforcing or defending legal claims.

If the personal data concerning you are processed in order to practice direct marketing, you have the right to file an objection to processing personal data concerning you for the purpose of such marketing at any time; this shall also apply to profiling insofar as it is connected to such direct marketing.

If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for these purposes.

In connection with the use of services of information society, you have the option of asserting your right of objection, irrespective of the 2202/58/EC directive, using automated means, which involve the use of technical specifications.

For data processing for the purposes of scientific or historical research or statistical research:

You also have the right to object to the processing of personal data concerning you that is carried out for the purposes of scientific or historical research or statistical purposes, for reasons based on your specific situation, in accordance with Art. 89 Par. 1 GDPR.

Your right to objection can be restricted insofar as it is expected to prevent or seriously impede the implementation of the purposes of research or statistics and the restriction is necessary for the fulfilment of the purposes of research or statistics.

15.8. Right of withdrawal of your declaration of consent under data protection legislation

You have the right to withdraw your declaration of consent under data protection legislation at any time. The withdrawal does not affect the legality of processing that was based on consent and completed before the withdrawal.

15.9. Automated decision on a case-by-case basis including profiling

You have the right of not being subjected to a decision based exclusively on automatic processing—including profiling—that takes legal effect with respect to you or has a substantial adverse effect on you. This does not apply in the following cases:

a. If the decision is necessary for the conclusion or fulfilment of a contract between you and the controller.
b. If the decision is permissible due to legal regulations of the Union or the member states to whom the controller is subject and these legal regulations include appropriate measures for protecting your rights and freedoms and your legitimate interests.
c. If the decision is made with your express consent.

However, these decisions shall not be based on special categories of personal data in accordance with Art. 9 Par.1 GDPR unless Art. 9 Par.2 subparagraph a or g applies and appropriate measures for the protection of the rights and freedoms and your legitimate interests have been provided.

Regarding the cases mentioned in a. and c., the controller shall implement appropriate measures in order to protect the rights and freedoms and your legitimate interests, which include at the least the rights of obtaining an intervention of a person on the part of the controller, of explaining your own stance and of disputing the decision.

15.10. Right of complaint to a supervisory authority

Irrespective of any other remedies of administrative law or judicial remedies, you are entitled to the right of complaint to a supervisory authority, particularly in the member state of your whereabouts, your place of employment or the place of the presumed infringement if you are of the opinion that the processing of the personal data concerning you violates the GDPR.

The supervisory authority to which the complaint has been submitted shall notify the plaintiff about the status and the results of the complaint including the option of a judicial remedy in accordance with Art. 78 GDPR.

16. Transfer of data to third parties

Data are generally not transferred. Any exceptions are regulated in the items above. In particular, there is no transfer for commercial purposes (address trading).

17. Legal basis of processing

Insofar as we obtain the consent of the involved person for processing personal data, Article 6 Section 1 subparagraph a of the EU General Data Protection Regulation (GDPR) is the legal basis.

When processing personal data that are required for fulfilment of a contract whose party is the involved person, Article 6 Section 1 subparagraph b GDPR is the legal basis. This shall also apply for processing procedures necessary for carrying out pre-contract measures.

Insofar as processing personal data is required for fulfilment of a legal obligation to which our company is subject, Article 6 Section 1 subparagraph c GDPR is the legal basis.

In case vital interests of the involved person or another natural person require processing personal data, Article 6 Section 1 subparagraph d GDPR is the legal basis.

If the processing is required for the protection of a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the involved person do not take precedence over the former interest, Article 6 Section 1 subparagraph f GDPR is the legal basis for processing. The legitimate interest of our company is the execution of our business activities.

18. Duration of storage of personal data

Personal data are stored for the duration of the respective statutory storage term. After expiry of the term, data are deleted routinely unless there is a requirement for concluding or fulfilling a contract.

If you have questions and suggestions, please send an e-mail message to bromley@steiff.com