Data Protection Lehmann Product World
We take data protection seriously
For Otto Lehmann GmbH ("Otto Lehmann"), the protection of your privacy during the processing of personal data is a significant concern. With the following privacy policy, we comprehensively inform you about the handling of your personal data and data protection at Otto Lehmann.
1. What does this privacy policy cover?
This privacy policy applies to the handling of your personal data when you visit the Otto Lehmann website at www.ottolehmann.com or our social media profiles on LinkedIn, Instagram, Facebook, or YouTube. This privacy policy also applies if you contact us via email, phone, or mail. Additionally, you can find information for applicants here.
2. Who is responsible and who can I contact?
The controller for the data processing described in this privacy policy is:
Otto Lehmann GmbH
Berliner Street 219
3073 Neutraubling
+49 (0)9401 786 0
Email: datenschutz@otto-lehmann-gmbh.de
Data Protection Officer
If you have questions about data protection, you can also contact our data protection officer:
Thomas Wanjura
Projekt 29 GmbH & Co. KG
Ostengasse 14, 93047 Regensburg
Phone: 0941 2986930
Fax: 0941 29869316
Email: anfragen@projekt29.de
Website: www.projekt29.de
Should our data protection officer not be able to answer your request to your satisfaction, you always retain the right to lodge a complaint with the supervisory authority responsible for your federal state.
3. How is your data processed?
Otto Lehmann collects and processes various personal data from you depending on the specific processing situation.
We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation ("GDPR") and the Federal Data Protection Act ("BDSG").
Below you will find a list of which personal data we process depending on the processing situation, what purposes these data processing operations serve, and on what legal basis we process the data.
3.a. Registration, Login, and User Account on the Product World
A user account is required to use the Product World. You can request one from Otto Lehmann by email (email address: …). You will receive the access data for the Product World by email from Otto Lehmann after registration. A user account allows you to order products. To provide a user account, we process your master data and access data. The Lehmann Product World is a closed B2B platform. Consumers do not have access.
Categories of personal data
In connection with the registration and management of your user account, we process the following personal data in particular:
- Master data: Name, business email address, company name, customer number, role, other voluntary information
- Access data: Email address, password hash
- Log data such as referrer URL, date and time of access and login, UUIDs, web browser, operating system, IP address, language preference, and information for proof of registration.
For transactional notifications (e.g., account invitations, password resets), we also process the email address you have provided.
Purposes and legal basis:
The data processing serves to provide you with a user account for the Product World and to offer you the associated functions. Additionally, the processing serves to enable your visit to our Product World and to display our site correctly. We also process email addresses for sending transactional notifications (e.g., order confirmations, account invitations, password resets).
Legal basis is Art. 6 para. 1 lit. b GDPR or, if your employer and not you is the contractual partner, Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in processing the data necessary for contract initiation and execution from individuals who are not our direct contractual partners but represent them to us and participate in contract execution.
Storage duration:
Account data is stored until your user account is deleted. After the respective periods expire, the data is routinely deleted. Log data is only temporarily stored in so-called log files for the duration of the session and deleted after visiting the Product World, unless a longer statutory retention period applies.
Recipients:
For the operation of the Lehmann Product World, we use the following processors for web hosting and server infrastructure: Hetzner Online GmbH, Gunzenhausen, Germany. Contracts in accordance with Art. 28 GDPR are in place with all processors.
3.b. Order process
Categories of personal data
When ordering products via the Lehmann Product World, we process the following personal data in particular:
- Contract data: Orders, delivery addresses, billing addresses, order history
- Contact data: Email address, phone number, address
- Master data: Name, company name, customer number, and internal order reference
- Voluntarily provided information regarding the order
- Information about the products you ordered, including the order status.
Purposes and legal basis:
The personal data collected within the Product World is used exclusively for fulfilling your order, i.e., processing the purchase agreement.
The legal basis is Art. 6 para. 1 lit. b GDPR or, if your employer is the contractual partner and not you personally, Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in processing the data necessary for contract initiation and execution from individuals who, while not being our contractual partner themselves, represent them to us and participate in the contract's execution. Furthermore, Art. 6 para. 1 lit. c GDPR is the legal basis (statutory retention obligations according to § 147 AO, § 257 HGB).
Storage duration:
We store your personal data only for as long as it is necessary for the respective processing purposes or as long as statutory retention obligations exist. Contract data is generally stored for the duration of statutory retention periods (usually 6 or 10 years). After the respective periods expire, the data is routinely deleted.
Recipients:
As part of operating the Lehmann Product World, we use the following processors for web hosting and server infrastructure: Hetzner Online GmbH, Gunzenhausen, Germany. Data processing agreements in accordance with Art. 28 GDPR are in place with all processors. We pass on data regarding your delivery address to logistics companies and shipping partners commissioned by us. To ensure the desired delivery of products, we transmit (if necessary) your email address and, if applicable, your phone number to the logistics company and/or shipping partners commissioned by us. These parties may then contact you prior to delivery.
3.c. Contact via email, phone, mail, or chat
When you contact us (e.g., via chat, email, phone, or social media), we process the information provided by the inquiring person to the extent necessary to respond to the inquiry and, if applicable, to carry out pre-contractual or contractual measures.
Categories of personal data:
When you contact us, we process the following personal data in particular:
- First name and last name,
- Email address,
- Time of inquiry,
- Possibly phone number (when contacting via phone)
- Information you provide when contacting us.
Purposes and Legal Basis:
The data processing serves exclusively to handle your request. The legal basis is Art. 6 (1) lit. b GDPR (contract/pre-contractual measures).
Storage Duration:
The data will be deleted after your request has been satisfactorily answered, unless a longer statutory retention period applies.
3.d. Cookies
General Information on Cookies:
We use cookies on our product world. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using by means of a characteristic string of characters, and through which certain information flows to the entity that sets the cookie. Cookies cannot execute programs or transmit viruses to your computer and therefore cannot cause any damage. They serve to make the overall internet offering more user-friendly and effective, and thus more pleasant for you.
Cookies can contain data that allows the recognition of the device used. Some cookies, however, only contain information about certain settings that are not personally identifiable. Cookies cannot directly identify a user. A cookie primarily serves to store information about a user during or after their visit to an online offering. Stored information may include, for example, language settings on a website, login status, a shopping cart, or the point at which a video was watched.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies, which are stored beyond the individual session. Furthermore, a distinction is made between first-party cookies (these are set by us) and third-party cookies (these are mainly used by advertisers, i.e., third parties) to process user information.
In terms of their function, cookies are further distinguished between:
- Strictly Necessary Cookies: These cookies are essential for our websites to function and allow you to navigate our websites and use their features. Without these cookies, certain services required for the full functionality of our websites cannot be provided.
- Functional Cookies: These cookies allow us to store certain selections you have made and adapt our site to provide you with enhanced features and content. For example, these cookies can be used to store your language or country selection.
Any use of cookies that is not strictly technically necessary constitutes data processing, which is only permitted with your explicit and active consent in accordance with Section 25 (1) TDDDG, Art. 6 (1) sentence 1 lit. a GDPR. Consent is always voluntary. Refusing consent or withdrawing it has no negative impact on you. Furthermore, we only share your personal data processed by cookies with third parties if you have given explicit consent to do so in accordance with Art. 6 (1) sentence 1 lit. a GDPR.
Granting consent is not required if the use of cookies is necessary for the product world's offering. The legal basis for this is then § 25 para. 2 no. 2 TDDDG. Such necessity exists, for example, with regard to ensuring certain functionalities, such as:
- Enabling and maintaining a login,
- Ensuring system security.
How long are cookies stored on my devices?
The storage duration largely depends on whether it is a "persistent" or "session-based" cookie. Session-based cookies are deleted after you leave the product world. Persistent cookies remain on your device until they are deleted or expire.
General Information on Revocation and Objection
Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke granted consent or to object to the processing of your data by cookie technologies (collectively referred to as "Opt-Out"). You can initially declare your objection via your browser settings, for example, by deactivating the use of cookies (although this may also restrict the functionality of our online offering).
An objection to the use of cookies for online marketing purposes can also be declared through a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com. In addition, you can find further objection information within the details provided about the service providers and cookies used.
Cookies on the Product World
The Lehmann Product World exclusively uses technically necessary cookies and local storage mechanisms (§ 25 para. 2 no. 2 TDDDG). The following cookies are used on the Lehmann Product World:
| Cookie | Purpose | Duration |
| --- | --- | --- |
| Session Cookie | Authentication and Session Management | 120 minutes |
| XSRF-TOKEN | Protection against Cross-Site Request Forgery | Session |
In addition, the local browser storage (localStorage) is used to temporarily save form entries. This data remains exclusively in your browser and is deleted after the process is completed.
Since we only use technically necessary cookies, a cookie consent banner is not required.
3.e. Social Media Presences
Integration of Social Media on Our Product World
On our product world, we deliberately do not use plugins offered by social media services, but rather simple links to Facebook, Instagram, and LinkedIn. Therefore, merely visiting our product world does not transmit any user data to the servers of social media providers. Only when you click a social media button will a connection be established between your browser and the server of the respective social media service, and you will be redirected to the web presences of these services. We do not collect any personal data on our pages via these buttons and therefore do not transmit any data to social media providers.
Social Media Profiles
General Information and Joint Controllership with LinkedIn, Facebook, and Instagram
We maintain publicly accessible profiles on various social networks (LinkedIn, Instagram, Facebook, and YouTube) to report on current developments of our company and to connect with customers and other interested parties. We are currently present on the following social media platforms:
- LinkedIn: https://www.linkedin.com/company/ottolehmann
- Instagram: https://www.instagram.com/ottolehmanngmbh/
- Facebook: https://www.facebook.com/lehmanndach
Your visit to these profiles initiates a variety of data processing operations. Below, we provide an overview of which of your personal data is collected, used, and stored by us when you visit our profiles.
When you visit our profiles, your personal data is collected, used, and stored not only by us but also by the operators of the respective social network ("providers"). This happens even if you do not have a profile on the respective social network yourself. For details on the collection and storage of your personal data, as well as the type, scope, and purpose of its use by the provider, please refer to the privacy policies of the respective provider:
- You can view the privacy policy for LinkedIn, operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, at http://www.linkedin.com/legal/privacy-policy.
- You can view the privacy policy for Instagram, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Dublin, at https://de-de.facebook.com/help/instagram/155833707900388.
- You can view the privacy policy for Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, at https://de-de.facebook.com/privacy/policy/.
As operators of a social media presence, we can only view the information stored in your public profile, and only if you have such a profile and are logged into it while visiting our page. In addition, the providers of LinkedIn, Instagram, and Facebook provide us with anonymous usage statistics, which we use to improve the user experience when visiting our pages. We do not have access to the usage data collected by the providers to generate these statistics. Nevertheless, a joint responsibility according to Art. 26 GDPR exists between us and the providers, LinkedIn, Instagram, and Facebook, who generate such usage statistics, regarding the data processing operations that take place. As "joint controllers," we are jointly responsible for the processing and must ensure compliance with applicable data protection law.
In this context, we have concluded a joint controller agreement with the providers in accordance with Art. 26 para. 2 GDPR, and the providers have committed to us to assume primary responsibility under the GDPR for the processing of this data, to fulfill all obligations under the GDPR regarding this data, and to make the essence of this commitment available to the data subjects.
You can access the agreements via the following links:
- Facebook: https://www.facebook.com/legal/terms/page_controller_addendum
- Instagram: https://www.facebook.com/legal/terms/page_controller_addendum
- LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
Data processing in connection with our LinkedIn page
User statistics
(a) Categories of personal data
We receive anonymous statistics from LinkedIn regarding the use and engagement with our LinkedIn page (so-called Page Insights). For this purpose, LinkedIn processes:
- Profile data (e.g., function, country, industry, company affiliation, company size, and employment status) as well as
- Information on how a visitor has interacted with our LinkedIn page (e.g., whether a member is a follower of our page).
(b) Purposes and legal basis of data processing
LinkedIn uses this data to create visitor statistics and reports on the reach of our page, ad performance, as well as demographic and geographic evaluations. We receive these statistics, reports, and evaluations from LinkedIn exclusively in anonymized form and do not have access to the underlying data.
The anonymous statistics enable us to continuously optimize our LinkedIn page and offer visitors an improved online experience tailored to their interests. For example, the statistics reveal which offers and applications on our page visitors have used and found particularly interesting. We can use this information to provide visitors with more relevant content and develop features that might be of greater interest to them. Demographic and geographic evaluations also allow for interest-based advertising without us directly knowing the visitor's identity.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in an optimized presentation of our company and our online offerings.
(c) Storage duration
As a rule, we do not store personal data ourselves regarding communications and interactions with users that take place via social media platforms. For information on how long data is stored by LinkedIn, please refer to LinkedIn's privacy policy.
(d) Joint controllership
We are jointly responsible with LinkedIn for the processing of personal data in connection with Page Insights.
Communication
(a) Categories of personal data
Furthermore, we use our LinkedIn page to communicate with LinkedIn users and to inform them about our services. In this context, we may receive additional information, for example, through user comments, private messages, or because you follow us or share our content.
(b) Purposes and legal basis of data processing
Processing is carried out exclusively for the purpose of communication and interaction with you. If you provide us with personal data via a message, we process this data solely to answer your inquiry and communicate with you.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in responding to your messages via your chosen channel, communicating, and interacting with you.
(c) Storage duration
As a rule, we do not store personal data ourselves regarding communications and interactions with users that take place via social media platforms. For information on how long data is stored by LinkedIn, please refer to LinkedIn's privacy policy.
Further processing by LinkedIn
Please note that LinkedIn, as well as certain third-party providers, use cookies and other similar storage technologies on LinkedIn's pages to collect device-specific data and information on user activities (e.g., device IDs) and, if applicable, to recognize users or their end devices across various services and devices. This is beyond our control. If you maintain a profile on LinkedIn and are logged in, data collection and analysis may also be personalized and cross-device. We also cannot influence this. If you wish to avoid this, you should log out of LinkedIn, deactivate the "stay logged in" function, and delete the cookies on your device.
Recipients and data transfers to third countries
We ourselves do not intend to transfer personal data of users that we receive via our LinkedIn page to third parties. LinkedIn describes in its privacy policy for what purposes and to what extent it transfers the collected information to third parties – potentially outside the European Union and the European Economic Area (e.g., to LinkedIn Inc. based in the USA). According to LinkedIn, compliance with data protection standards and your rights in data transfers to the USA and other third countries is ensured by appropriate guarantees (e.g., standard contractual clauses). LinkedIn Corporation is also certified under the EU-U.S. Data Privacy Framework.
Data processing in connection with our Instagram page
User statistics
(a) Categories of personal data
We receive anonymous statistics from Instagram regarding the use of our Instagram page (so-called Page Insights). These contain information about the reach and interactions of our posts, user actions on our page, demographic data (age, gender, location), details on page views and interactions, and the long-term performance of our individual posts. These statistics are generated by Instagram based on specific events logged by Instagram servers when people interact with pages and their associated content. These logs are created solely by Instagram. We have neither access to this data nor influence over it.
(b) Purposes and legal basis of data processing
We can use the anonymous statistics to continuously optimize our Instagram page and offer users an improved user experience tailored to their interests. It is not possible to draw conclusions about individual users or link them to users' profile data.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in an optimized presentation of our company and our online offerings.
(c) Storage duration
As a rule, we do not store personal data ourselves regarding communications and interactions with users that take place via social media platforms. For information on how long data is stored by Instagram, please refer to Instagram's privacy policy.
(d) Joint controllership
Regarding Page Insights, we are jointly responsible with Meta Platforms Ireland Limited for the processing of personal data in connection with Page Insights.
Communication
(a) Categories of personal data
If you are registered on Instagram, you can send us a message using the "Message" function. Such messages are not visible to other Instagram users.
(b) Purposes and legal basis of data processing
If you provide personal data via such a message, we process this data exclusively to answer your inquiry and communicate with you.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in responding to your messages via the channel you have chosen and communicating with you.
(c) Storage Duration
As a rule, we do not store personal data ourselves regarding communications and interactions with users that occur via social media platforms. For information on how long data is stored by Instagram, please refer to Instagram's privacy policy.
Further Processing:
Furthermore, when visiting an Instagram page, Instagram collects, among other things, users' IP addresses and other information transmitted to Instagram via cookies or similar technologies on users' devices. This information is used, among other things, to provide the operators of an Instagram page with the aforementioned statistical information about the use of their Instagram page.
Please also note: If you have an Instagram account and are logged in, Instagram is able to track that you have visited our fan page and how you have used it. This also applies to all other Instagram pages. Based on this data, content or advertising can be offered to you in a tailored manner. If you wish to avoid this, you should log out of Instagram, deactivate the "stay logged in" function, and delete the cookies on your device.
Please note that as a fan page operator, we have neither influence nor full knowledge of how Instagram uses data from visits to and use of Instagram pages for its own purposes, to what extent activities on Instagram pages are assigned to individual users, how long Instagram stores this data, and whether data from a visit to Instagram pages is passed on to third parties.
Recipients and Data Transfers to Third Countries
Instagram describes the purposes and extent to which it processes the collected data and shares it with third parties – potentially outside the European Union and the European Economic Area – in its "Data Policy". If personal data is transferred to and stored on Instagram's servers in the USA, the recipient is generally the American company Meta Inc. According to Instagram, compliance with data protection standards and your rights during data transfers to the USA and other third countries is ensured through appropriate guarantees (e.g., standard contractual clauses). Meta Platforms, Inc. is also certified under the EU-U.S. Data Privacy Framework.
Data Processing in Connection with Our Facebook Page
User Statistics (Insights)
(a) Categories of Personal Data
We receive anonymous statistics from Facebook regarding the use of our Facebook page (so-called Page Insights). These include information on the reach and interactions of our posts, user actions on our page, demographic data (age, gender, location), details on page views and interactions, and the long-term performance of our individual posts. These statistics are generated by Facebook based on specific events logged by Facebook servers when people interact with pages and their associated content. These logs are created solely by Facebook. We have neither access to this data nor influence over it.
(b) Purposes and Legal Basis of Data Processing
We can use the anonymous statistics to continuously optimize our Facebook page and offer users an improved user experience tailored to their interests. It is not possible to draw conclusions about individual users or link them to users' profile data.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in an optimized presentation of our company and our online offerings.
(c) Storage Duration
As a rule, we do not store personal data ourselves regarding communications and interactions with users that occur via social media platforms. For information on how long data is stored by Facebook, please refer to Facebook's privacy policy.
(d) Joint Responsibility
Regarding Page Insights, we are jointly responsible with Meta Platforms Ireland Limited for processing personal data related to Page Insights.
Communication
(a) Categories of Personal Data
If you are registered on Facebook, you can send us a message using the "Message" function. Such messages are not visible to other Facebook users.
(b) Purposes and Legal Basis of Data Processing
If you provide personal data via such a message, we process this data exclusively to answer your inquiry and communicate with you.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in responding to your messages via the channel you have chosen and communicating with you.
(c) Storage Period
As a rule, we do not store personal data ourselves regarding communications and interactions with users that occur via social media platforms. For information on how long data is stored by Facebook, please refer to Facebook's privacy policy.
Further Processing by Facebook:
Furthermore, when you visit the Facebook page, Facebook collects, among other things, users' IP addresses and other information transmitted to Facebook via cookies or similar technologies on users' devices. This information is used, among other things, to provide the operators of a Facebook page with the aforementioned statistical information about the use of their Facebook page. Facebook provides more detailed information on this at the following link: http://de-de.facebook.com/help/pages/insights.
Please also note: If you have a Facebook account and are logged in, Facebook can track that you have visited our fan page and how you have used it. This also applies to all other Facebook pages. Based on this data, content or advertising can be tailored to you. If you wish to avoid this, you should log out of Facebook, deactivate the "stay logged in" function, and delete the cookies on your device.
Please note that as operators of a fan page, we have neither influence nor complete knowledge of how Facebook uses data from visits to and use of Facebook pages for its own purposes, to what extent activities on Facebook pages are attributed to individual users, how long Facebook stores this data, and whether data from a visit to Facebook pages is passed on to third parties.
Recipients and Data Transfers to Third Countries
Facebook describes the purposes and extent to which it processes the collected data and shares it with third parties – potentially outside the European Union and the European Economic Area – in its "Data Policy". If personal data is transferred to and stored on Facebook servers in the USA, the recipient is generally the American company Facebook Inc. According to Facebook, compliance with data protection standards and your rights during data transfers to the USA and other third countries is ensured through appropriate guarantees (e.g., standard contractual clauses). Meta Platforms, Inc. is also certified under the EU-U.S. Data Privacy Framework.
Cookies
Further information on data processing related to cookies can be found in the providers' cookie policies:
4. From whom do we collect your personal data?
Personal data is collected exclusively directly from you, for example, when you visit our product world or our website.
5. With whom do we share your personal data?
Otto Lehmann only shares your personal data if this is permissible under European data protection law, e.g., because the data transfer is necessary for the fulfillment of a contract or because you have given us your consent to share the data. We work with some service providers, such as technical service providers (e.g., hosting services, maintenance of the product world).
Sharing Due to Legal Obligations or for the Protection of Legitimate Interests
Insofar as we are obliged by law, by court order, or by an enforceable official order, we must transmit your personal data to authorized bodies (e.g., supervisory or financial authorities). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR.
Processing by Processors and Other Recipients
It may happen that we use commissioned service providers ("processors") for individual offers. These act only on our instructions and are contractually obliged, in accordance with Art. 28 GDPR, to comply with data protection regulations. This does not apply if these service providers act as controllers themselves (e.g., legal and tax advisors). Processors are also contractually obliged, for example, to either delete or return personal data after the completion of the order.
The following categories of recipients, who are generally processors, may receive access to your personal data:
- IT and web service providers or companies commissioned for the maintenance of our platform and internal IT infrastructure (software, hardware).
- Shipping and Distribution Companies: For the delivery of our products, we work with shipping companies.
The legal basis for sharing data with entities that are not processors is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR. Furthermore, we only share your personal data with third parties if you have given your explicit consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
6. Is data transferred to third countries?
In the course of our business relationships, your personal data may be transferred or disclosed to third-party companies. These may also be located outside the European Union ("EU") or the European Economic Area ("EEA"), in so-called third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and for maintaining your business relationship with us.
The European Commission certifies that some third countries provide a level of data protection comparable to the EU standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).
However, in other third countries to which personal data may be transferred, there may not be a level of data protection comparable to that of the EU due to a lack of legal provisions. This may mean that your personal data is processed in a jurisdiction that offers a level of protection that, in certain cases, provides less protection for your personal data than the jurisdiction in which you are normally resident. Where this is the case, we ensure that data protection is adequately guaranteed and that appropriate safeguards are in place. This means, for example, that we conclude the standard contractual clauses of the European Commission for the protection of personal data.
Please contact us (see contact details under Section 2) if you would like more information on this.
7. How long do we store your personal data?
Unless an explicit storage period is specified under Section 3, we generally store your personal data only for as long as we need the data for the purposes for which we collected it and for the fulfillment of legal requirements and obligations. Your data is generally stored only on our servers in Germany, subject to any transfer that may occur in accordance with the provisions in Section 3.
However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings, or if storage is required by legal provisions to which we, as the controller, are subject (e.g., Section 257 HGB or Section 147 AO). When the retention period prescribed by legal provisions expires, the personal data will be blocked or erased, unless further storage by us is necessary and there is a legal basis for it.
8. Security
We implement technical and organizational measures to protect your data against loss, destruction, manipulation, and unauthorized access. Employees and service providers are obliged to comply with data protection laws. Wherever we collect and process personal data, the transmission is encrypted (e.g., TLS/HTTPS). Our security measures are continuously improved, and the data protection notices are regularly updated.
9. Your Data Protection Rights (Data Subject Rights)
Subject to legal requirements, you have the following rights: access, rectification, erasure, restriction of processing, data portability, and objection.
Right of access
You can request information on whether and to what extent we process data concerning you.
Right to rectification
You can request the rectification of inaccurate data and the completion of incomplete data.
Right to erasure
You can request the erasure of your data, provided that no legal retention obligations prevent it and no other legal basis requires the processing.
Right to restriction of processing
You can request the restriction of processing if
- you dispute its accuracy (for the duration of the review),
- the processing is unlawful and you request the restriction of processing instead of erasure,
- we no longer need the data, but you require it for the establishment, exercise or defence of legal claims, or
- you have lodged an objection and it has not yet been determined whether our legitimate grounds override yours.
Right to Information about Recipients
Pursuant to Art. 19 GDPR, you have the right to request information about the recipients of data to whom a rectification, erasure of your personal data or restriction of processing has been communicated.
Right to Data Portability
You have the right to receive data you have provided to us in a structured, commonly used, machine-readable format and – where technically feasible – to request its transmission to another controller, provided that the processing is based on consent or a contract and is carried out by automated means.
Right of Withdrawal
Should we process personal data based on your consent, you are also entitled to withdraw your consent at any time pursuant to Art. 7 Para. 3 GDPR. Your withdrawal means that, going forward, we will no longer continue the data processing that was based on this consent. The lawfulness of the processing carried out based on your consent until the withdrawal remains unaffected by your withdrawal.
Right to Complain
If you believe that our processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. In Bavaria, this is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Tel. +49 (0) 981 180093-0, Fax: +49 (0) 981 180093-800.
RIGHT TO OBJECT: UNDER THE CONDITIONS OF ART. 21 GDPR, YOU ALSO HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA, INSOFAR AS THE PROCESSING IS BASED ON A LEGITIMATE INTEREST PURSUANT TO ART. 6 PARA. 1 S. 1 LIT. F GDPR OR ON ART. 6 PARA. 1 S. 1 LIT. E GDPR (THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS). WE WILL CEASE THE PROCESSING OF YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
SUBMISSION OF OBJECTION: THE OBJECTION CAN BE DECLARED INFORMALLY BY POST OR E-MAIL AND MUST BE ADDRESSED TO THE CONTACT DETAILS IN SECTION 2.
10. Is there an obligation to provide personal data?
We do not make the conclusion of contracts conditional on you providing us with personal data beforehand. As a user, you are generally under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent or not at all if you do not provide the necessary data. This applies in particular to the processing and execution of orders via the product world.
11. Is automated decision-making (including profiling) used?
We do not intend to use personal data collected from you for automated decision-making (including profiling).
12. Changes to this Privacy Policy
We reserve the right to amend this privacy policy to adapt it to changes in legal requirements or technical developments. The current version is available on the product world. In the event of fundamental changes, we will inform you separately here.