We are pleased that you are visiting our website and thank you for your interest! The protection of your privacy when using our website is important to us, so please take note of the following information on how we handle your data.
As a company under private law, we are subject to the provisions of the General Data Protection Regulation (GDPR) and the supplementary regulations of the Federal Data Protection Act (BDSG-neu). To ensure that the regulations on data protection are observed both by us and by our external service providers, we have taken suitable technical and organisational measures.
This general data protection declaration applies to all online offers of the STEVIA GROUP. This includes websites, functions and contents as well as external online presences, such as our social media profiles. In addition to the following general information and mandatory information, we have compiled additional individual data protection information for individual online offers for you. There we inform you about offer-specific data processing procedures and in particular about the cooperation with external service providers who, under our strict control, provide services such as web tracking, coverage measurement or advertising services for us.
1. Person responsible
The person responsible pursuant to Art. 4 Para. 7 GDPR and other national data protection laws of the member states of the European Union as well as other data protection regulations is
Phone: ++49 0221-39780292
2. Data protection officer
For questions, suggestions or comments on the subject of data protection and the enforcement of your rights, please contact our data protection officer:
Responsible for content according to §55 Abs. 2 RStV
and authorized company owner: Michael Tietz
(hereinafter “STEVIA GROUP”)
In our data protection declaration, we use terms that are used and defined in the GDPR. So that you know what they mean, we would like to explain the most important terms.
3.1 Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. an IP address or cookies) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means. This basically includes any handling of personal data such as collection, storage, modification, use, transmission, dissemination, deletion or destruction, etc.
3.3 Person responsible
A controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The data controller shall ensure the permissibility of data processing by implementing technical and organisational measures which are subject to regular review.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not that person is a third party. However, authorities which may receive personal data in the course of a specific investigation, in accordance with Union or national law, shall not be considered as recipients.
3.7. Third parties
A third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Consent is an expression of self-determination under data protection law. It is the voluntary, informed and unambiguous expression of will in the specific case, in the form of a declaration or any other unambiguous affirmative act by which the data subject indicates his or her consent to the processing of personal data relating to him or her. Consent given may be withdrawn at any time.
4. General information on data processing
4.1 Scope of processing of personal data
As a matter of principle, we process your personal data only to the extent necessary to provide our online offers, contents and services. The collection and use of your personal data is regularly only carried out after your consent or if the processing of the data is permitted by legal regulations.
4.2 Legal basis for the processing of personal data
In data protection, the so-called prohibition subject to permission applies. According to this prohibition, the processing of personal data is generally illegal, unless the consent of the person concerned has been obtained or it is legitimised by a legally regulated reason for permission. We are obliged to inform you about the legal basis of data processing.
If we obtain your consent for the processing of personal data, Art. 6 para. 1 letter a GDPR serves as the legal basis.
In the case of processing operations which are necessary for the fulfilment of a contract concluded between you and us or for the implementation of pre-contractual measures, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
If the processing of personal data is necessary for the fulfilment of a legal obligation to which we are subject, such as statutory storage and retention obligations, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR is the legal basis.
If processing is necessary to safeguard our interests or the legitimate interests of a third party and if your interests, fundamental rights and freedoms do not outweigh the former, the processing of personal data is legitimised by Art. 6 para. 1 lit. f FADP.
4.3 Transfer of personal data to third parties and processors
As a matter of principle, we do not pass on personal data to third parties without your express consent. If, in the course of processing, we nevertheless disclose your data to third parties, transfer it to them or otherwise grant them access to the data, this will also be done exclusively on the basis of one of the legal bases mentioned. For example, we transmit data to payment service providers if this is necessary for the fulfilment of the contract. If we are obliged to do so by law or by court order, we must transmit your data to authorities entitled to receive information.
In some cases, we use carefully selected external service providers to process your data. Should data be passed on to service providers within the framework of so-called order processing, this is done on the basis of Art. 28 GDPR. Our order processors are carefully selected, are bound by our instructions and are regularly checked by us. We only commission such contract processors who offer sufficient guarantees that suitable technical and organisational measures are taken in such a way that the processing is carried out in accordance with the requirements of GDPR and BDSG-neu and guarantees the protection of your rights.
4.4 Data transfer to third countries
The GDPR guarantees an equally high level of data protection within the European Union. When selecting our service providers and cooperation partners, we therefore rely on European partners whenever possible if your personal data are to be processed. Only in exceptional cases will we have data processed outside the European Union or the European Economic Area within the framework of the use of third-party services.
We will only allow your data to be processed in a third country if the special requirements of Art. 44 ff. GDPR are fulfilled. This means that the processing of your data may then only be carried out on the basis of special guarantees, such as the EU Commission’s officially recognised determination of a level of data protection corresponding to that of the EU or compliance with officially recognised special contractual obligations, the so-called “standard contractual clauses”. We require US service providers to use these standard clauses or to comply with the “privacy shield”, the data protection agreement negotiated between the European Union and the United States (privacyshield.gov).
4.5 Deletion of data and storage period
As soon as the purpose for the storage is no longer applicable, we will delete or block your personal data. Beyond this, however, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject. This applies, for example, to data that must be stored for commercial or tax law reasons, such as invoice data for subscriptions. Your data will be blocked or deleted when a storage period prescribed by these regulations expires, unless it is necessary to store the data for the purpose of concluding or fulfilling a contract.
4.6 Existence of automated decision making
We do not use automatic decision making or profiling.
5. Rights of the persons concerned
If personal data are processed by you, you are a data subject within the meaning of the GDPR. You have the following rights towards us as the person responsible:
5.1 Right to revoke a declaration of consent under data protection law
If the processing of personal data is based on a granted consent, you have the right to revoke this consent at any time. Revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
5.2 Right to information
You have the right to ask us to confirm whether we are processing personal data concerning you. If this is the case, you can request information about the following information:
- the purposes of the processing;
- the categories of personal data processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, and, in connection with the transfer to a third country or international organisation, you also have the right to be informed of the appropriate guarantees in accordance with Art. 46 FADP;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to rectify or erase personal data concerning you or to limit processing by us or to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data are not collected from you, all available information on the origin of the data;
- the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) FADP, and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
We will provide you with a copy of the personal data which are the subject of the processing within one month of receiving your request for information. For any further copies you request, we may charge a reasonable fee based on the administrative costs. If you submit the request electronically, we will provide you with the information in a standard electronic format, unless you indicate otherwise.
5.3 Right of rectification
You have the right to ask us to correct your personal data immediately if they are incorrect. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
5.4 Right of deletion (“right to be forgotten”)
You have the right to request that we delete any personal data relating to you immediately and we are obliged to delete personal data immediately if any of the following reasons apply:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed
- You withdraw the consent on which the processing was based and there is no other legal basis for the processing.
- You object to the processing and there are no legitimate overriding reasons for processing, or you object to the processing.
- The personal data have been processed unlawfully.
- The deletion of the personal data is necessary to comply with a legal obligation under Union law or the law of the Member States.
- The personal data was collected in relation to information society services offered in accordance with Art. 8 Paragraph 1 GDPR.
If we have made public the personal data concerning you and we are obliged to delete them, we shall take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data.
The right of cancellation (“right to be forgotten”) does not apply insofar as the processing is necessary:
- to exercise the right to freedom of expression and information;
- for the performance of a legal obligation which requires processing under the law of the Union or of the Member States to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
- for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 DPA, insofar as the right of erasure is likely to render impossible or seriously harm the attainment of the objectives of such processing, or
- to assert, exercise or defend legal claims.
5.5 Right to limit processing
You have the right to ask us to limit the processing of your personal data if one of the following conditions is met:
- You contest the accuracy of the personal data concerning you for a period of time which allows us to verify the accuracy of the personal data;
- the processing is unlawful and you request, instead of deletion, the restriction of the use of the personal data;
- we no longer need the personal data for the purposes of the processing, but you need the personal data to assert, exercise or defend legal claims; or
- You have lodged an objection to the processing as long as it is not yet clear whether our justified reasons outweigh your reasons.
If the processing has been restricted in accordance with the above-mentioned conditions, these personal data – apart from their storage – will only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If the restriction on processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.
5.6 Right to data transferability
You have the right to receive the personal data concerning you that you have provided us with in a structured, common and machine-readable format and you have the right to transfer this data to another person in charge without hindrance from us, provided that the processing is based on consent or on a contract and is carried out with the help of automated procedures.
In exercising the right to transfer data, you may request that the personal data be transferred directly from us to another controller, as far as this is technically feasible. Exercising the right to data transferability does not affect the right to deletion (“right to be forgotten”). This right does not apply to processing which is necessary for the performance of a task entrusted to us, which is in the public interest or is carried out in the exercise of official authority.
5.7 Right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out pursuant to Art. 6, paragraph 1, letters e or f of the DPA. This also applies to profiling based on these provisions. We will then no longer process the personal data unless we can prove compelling reasons for processing worthy of protection that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Where personal data are processed for the purpose of direct marketing, you have the right to object, at any time, to the processing of personal data concerning you for the purpose of such marketing, including profiling, where it is linked to such direct marketing. If you object to processing for the purposes of direct marketing, your personal data will no longer be processed for those purposes.
In the context of the use of information society services, you can exercise your right of objection, notwithstanding the ePrivacy Directive, by using automated procedures involving technical specifications.
5.8 Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effect on you or significantly affects you in a similar manner. This shall not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and us
- is authorised by law of the Union or of the Member States to which we are subject and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
- with your express consent.
We shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person responsible, to present your point of view and to challenge the decision.
5.9 Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you is in breach of the GDPR.
6. Use of our online services
You can use our online offer without disclosing your identity. In this section we explain when and in what context we process data when using our online offers, which offers of service providers and cooperation partners we have implemented, how they work and what happens with your data.
6.1 Data collection when visiting our websites
If you use our websites for information purposes only, i.e. you do not register, conclude a contract with us or otherwise disclose information to us, we only collect the personal data that your browser transmits to our servers. When you call up our websites, we collect the following data, which is technically necessary for us to be able to show you our websites and to guarantee stability and security.
- IP address of the user
- Date and time of the request
- Content of the request (concrete page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes
- Operating system of the user
- Language and version of the browser software.
This data is temporarily stored in the log files of our system for a maximum of seven days. Storage beyond this period is possible, but in this case the IP addresses will be partially deleted or alienated so that it is no longer possible to assign the calling client. A storage of the log files together with other personal data concerning you does not take place in this context. The legal basis for these processing operations is Art. 6 para. 1 lit. f GDPR.
Since the collection of data for the display of the websites and the storage of the data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no possibility of objection in this respect.
In addition to the aforementioned data, cookies are stored on your end device when you use our websites during or after your visit to our online offers. These are small text packages that can be sent from a website to the browser, which then saves them and sends them back again. Cookies can store different information that is read by the site that sets the cookie. They usually contain a characteristic character string (ID) that enables the browser to be uniquely identified when the website is called up again or a page is changed. Their primary purpose is to make our online services more user-friendly and effective overall. The user data collected in cookies is pseudonymised by technical precautions, which generally makes it impossible to assign the data to the calling user. Insofar as identifiability is possible, such as with a login cookie, whose session ID is necessarily linked to the user’s account, we point this out at the appropriate point.
We use different types of cookies:
- Transient cookies, also known as temporary or “session cookies”, are cookies that are deleted after you leave our website and close your browser. Such cookies are used, for example, to store language settings or the contents of a shopping cart.
- Persistent or permanent cookies, remain stored even after closing the browser. For example, the login status or entered search terms can be saved. We use such cookies, among other things, for range measurement or marketing purposes. Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. However, you can delete these cookies at any time in the security settings of your browser.
In addition to so-called “first-party cookies”, which are set by us as the party responsible for data processing, “third-party cookies” are also used, which are offered by other providers. We will inform you about the use of “third party cookies” as well as about the cooperation with external service providers who provide services for us such as web tracking or range measurement within the individual data protection information of the respective online offers.
Access to your content settings
STEVIA GROUP online offers you within the scope of a Consent Management (“Cookie Banner”) the possibility to decide about the setting of cookies in the area of our offer according to your specifications. You have the possibility to change the decision made there at any time and to grant or revoke your consent afterwards. To do so, you can call up the setting options here.
The legal basis for the processing of personal data using “first-party cookies” is Art. 6 para. 1 lit. f GDPR. The legal basis for the processing of personal data using “third party cookies” is Art. 6 para. 1 lit. a GDPR.
6.3 Registration function / customer account
You can optionally create user accounts for our online offers in order to use certain contents and services of our online offers.
Which personal data is transmitted to us and stored in the process is determined by the respective input mask and the information provided during registration. The data entered during registration is used for the purpose of using our offers. Information relevant to the offer or registration, such as changes to the scope of the offer or technical circumstances, will be sent to you by e-mail. You have the possibility to cancel your user account at any time. In this case, your data will be deleted, unless we are obliged to keep it for reasons of commercial or tax law.
The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR, if you have given your consent. If the registration serves the fulfilment of a contract to which you are party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR.
Within the framework of the use of our registration and login functions and the use of the user account, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests and serves to protect against misuse and other unauthorised use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so. The legal basis for this collection and storage is Art. 6 para. 1 lit. c GDPR. The IP addresses are anonymised or deleted after 7 days at the latest.
6.4 Contact forms and e-mail contact
On our online offers you will find contact forms and e-mail links (mailto), which can be used for electronic contact. In this way, we comply with the legal requirement, among other things, to enable rapid electronic contact with us. If you use this possibility, your data will be processed and automatically stored for the purpose of answering your enquiry in accordance with Art. 6 Para. 1 lit. c GDPR. We will delete the enquiries if they are no longer required and no legal archiving obligations apply.
6.5 User comments and contributions
As a registered user you have the possibility to leave comments on individual contents of our online offers and contributions in our forum. We will then use your IP address and the time of publication on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f. GDPR for seven days. This is done for security reasons, in case comments and contributions violate the rights of third parties or leave unlawful content (insults, slander, seditionary content, etc.). In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author. This data will not be passed on to third parties, unless such a transfer is required by law or serves our legal defence.
Please remember that comments and contributions are accessible to everyone. You should carefully check your contributions before publication to see if they contain information that is not intended for the public. You must expect that your contributions will be registered in search engines and will be accessible worldwide even without a targeted call of our offer.
In some areas of our online services we offer you the possibility to subscribe to one of our free e-mail newsletters. We send these newsletters only with your consent or based on a legal permission. When you subscribe to a newsletter, the data from the input mask (name and e-mail address) is transmitted to us and stored for as long as the subscription to the newsletter is active.
Your consent will be obtained for the processing of this data for the purpose of sending the newsletter and reference will be made to this data protection declaration. For the registration process, we use the so-called double opt-in procedure. After successful registration you will receive an e-mail in which you have to click on a link to confirm your registration. In this way we prevent unauthorised third parties from registering using your e-mail address. We log the registration process in order to be able to prove the process in accordance with legal requirements. The IP address of the calling terminal device, date and time of registration are stored. The data provided by you will be stored as long as the subscription to the newsletter is active. You can cancel the subscription at any time. For this purpose there is a corresponding unsubscribe link in every newsletter. This also enables you to revoke your consent. The legal basis for the processing of your data in case of given consent to receive newsletters is Art. 6 para. 1 lit. a GDPR.
If you purchase goods or services on our online offers and provide your e-mail address, we reserve the right to use this to send newsletters with direct advertising for our own similar goods or services. This serves to protect our legitimate interests in advertising to our users, which outweigh any other interests. You can object to this use of your data at any time by sending a message to the above-mentioned contact options or via the unsubscribe link in the advertising mail, without incurring any costs other than the transmission costs according to the basic rates. As far as the newsletter is sent due to the sale of goods or services, we refer to § 7 paragraph 3 UWG.
The data will not be passed on to third parties in connection with data processing for the dispatch of newsletters.
6.7 Social media buttons
We offer so-called social media buttons for sharing the content of our online offers via social networks. For this purpose, we use the “c’t Shariff” solution developed by us, which provides social media buttons that comply with data protection regulations.
The buttons offered directly by the operators of social networks unlawfully transmit personal data such as the IP address or entire cookies as soon as you load a website on which they are integrated and thus provide the social services with precise information about your surfing behaviour without being asked. You do not need to be logged in or a member of the respective network to do this. A Shariff button, on the other hand, only establishes direct contact between the social network and the visitor when the latter actively clicks on the Share button. In this way, Shariff prevents you from leaving a digital trail on every page you visit and improves data protection. By using Shariff, we can protect your personal data and still integrate Butttons for social sharing. You can find further information about c’t Shariff at https://www.STEVIA-GROUP.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html.
6.8 External links
Our online offer contains links to other websites. We have no influence on whether their operators comply with the data protection regulations.
7. Online offers on social media platforms
We offer online services on various social media platforms in order to provide information there and to be able to contact you.
We have no influence on the processing of personal data by the respective platform operator. As a rule, when you visit our social media offers, the platform operator stores cookies in your browser, in which your usage behaviour or interests are stored for market research and advertising purposes. The user profiles obtained in this way – usually across different devices – are used by the platform operators to display personalised advertising. Persons who are not registered as users on the respective social media platform may also be affected by the data processing. Under certain circumstances, your data may be processed outside the area of the European Union, which can make it difficult to enforce your rights. When selecting such social media platforms, however, we make sure that the operators are committed to comply with the EU data protection standards.
The processing of your personal data when you visit one of our social media offerings is based on our legitimate interest in a diverse external presentation of our company and the use of an effective information opportunity and communication with you. The legal basis for this is Art. 6 para. 1 lit. f GDPR. Under certain circumstances, you may also have given your consent to a platform operator for data processing, in which case the legal basis is Art. 6 para. 1 lit. a GDPR.
Detailed information on data processing in connection with the use of our social media offers, opt-out options and the assertion of information rights can be obtained from the data protection declaration of the respective platform operator.
Provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
The data processing is based on an agreement on the joint processing of personal data in accordance with Art. 26 GDPR.
7.2 Google+/ YouTube
Provider: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
Provider: Vimeo Inc, Legal Department, 555 West 18th Street New York, New York 10011, USA
Our offer is basically aimed at adults. Persons under 16 years of age may not transmit personal data to us without the consent of their parents or legal guardians.
9. Data security
All data that you personally transmit is encrypted using the common and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard that is also used, for example, in online banking. You can recognise a secure TLS connection by the attached s at http (i.e. https://..) in the address bar of your browser or by the lock symbol at the bottom of your browser.
We also use suitable technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
10. Topicality and amendment of this data protection information
This data protection information is currently valid and has the status August 2020.
Due to the further development of our website and offers above or due to changed legal or official requirements it may become necessary to change this data protection information. The current data protection information can be viewed at any time on the website at https://stevia-group.de/datenschutzerklaerung/
can be called up and printed out by you.
Cologne, August 3. 2020