geobra Brandstätter Stiftung & Co. KG Data Protection Statement
Thank you for visiting our website and taking an interest in our company. We take the protection of your personal data very seriously. We process your data in compliance with the applicable legal specifications regarding the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific implementation laws that apply for us. The purpose of this Data Protection Statement is to provide you with comprehensive information about the processing of your personal data by geobra Brandstätter Stiftung & Co. KG and the rights to which you are entitled.
Personal data is information that make it possible to identify a natural person. In particular this includes your name, date of birth, address, phone number and email address, as well as your IP address.
Anonymous data is data that does not enable a user to be identified in any way.
The controller and data protection officer
Address (company address for service):
geobra Brandstätter Stiftung & Co. KG
Brandstätterstraße 2 - 10
D - 90513 Zirndorf
Data protection officer contact:
Your rights as a data subject
Firstly we would like to inform you of your rights as a data subject. These rights are standardised in Articles 15-22 of the European Union General Data Protection Regulation (GDPR). This includes:
1. The right to access (Art. 15 GDPR)
2. The right to erasure (Art. 17 GDPR)
3. The right to rectification (Art. 16 GDPR)
4. The right to data portability (Art. 20 GDPR)
5. The right to restriction of processing (Art. 18 GDPR)
6. The right to object to processing (Art. 21 GDPR)
In order to assert these rights, please contact email@example.com, firstname.lastname@example.org, email@example.com. The same applies if you have questions on how data is processed in our company. You are also entitled to lodge complaints with a supervisory authority for data protection.
Rights to object
In the context of rights to object, please note the following:
If we process your personal data for the purpose of direct advertising, you have the right to object to this data processing at any time without stating reasons. The same also applies for any profiling insofar as it is associated with the direct advertising.
If you object to processing for the purposes of direct advertising, we will no longer process your personal data for these purposes. Making an objection is free of charge and can be done via submission in any form; if possible, please submit any objection to firstname.lastname@example.org, email@example.com, firstname.lastname@example.org.
In the event that we process your data for the purpose of legitimate interests, you may at any time object to this processing on grounds relating to your particular situation; this also applies for any profiling supported by these provisions.
We will then no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if processing services the establishment, exercise or defence of legal claims.
Purposes and legal bases of data processing
When processing your personal data, the provisions of GDPR and all other applicable data protection law are complied with. The legal basis for data processing arises in particular from Art. 6, GDPR.
We use your data for initiating business; fulfilling contractual and legal obligations; implementing the contractual relationship; offering products and services; and strengthening the customer relationship, which may also include analysis for the purpose of marketing and direct advertising.
Your consent also represents a permission instruction under data protection law. We hereby inform you of the purposes of data processing and your right to object. If consent also relates to processing special categories of personal data, we will make explicit reference to this in the consent, Art. 88 Para. 1 GDPR.
Special categories of personal data, as defined by Art. 9 Para 1 GDPR, may only be processed when necessary due to legal specifications and when there is no grounds to suspect that your legitimate interest in the exclusion of processing takes precedence, Art. 88, Para 1 GDPR.
Disclosure to third parties
We will only disclose your data to third parties in the framework of legal provisions or in the event of corresponding consent. Otherwise we will not disclose your data to third parties unless we are required to do so due to compulsory legal stipulations (disclosure to external bodies such as supervisory authorities or law enforcement authorities).
Data recipients / categories of recipients
Within our company, we ensure that only individuals who require your data to fulfil contractual and legal obligations receive access to that data.
In many cases, service providers support our departments in performing their tasks. The necessary data protection contracts have been concluded with all service providers.
In order to process shipping orders with UPS, the recipient’s name, address, phone number and email address are recorded. This data is passed on to UPS so it can process shipping for this order. After the data are transferred, the recipient receives a shipping confirmation email from UPS, with shipping tracking information. By accepting this data privacy statement, you hereby consent to this procedure.
Transfer to third countries/intention to transfer to third countries
Data is transferred to third countries (outside the European Union and/or the European Economic Area) only in as far as this is: necessary for carrying out the contractual relationship; required by law; or you have provided us with your consent for us to do so.
We transfer your personal data to a service provider or group companies outside the European Economic Area: Salesforce (US states and Asia-Pacific).
The Salesforce data privacy policies are available to view here: http://www.salesforce.com/company/privacy/
Period of data storage
We store your data for as long as is needed for the respective purpose of processing. Please note that many retention periods exist requiring that data continues to be stored. This particularly relates to retention obligations under commercial or fiscal law (such as the Commercial Code (Handelsgesetzbuch, HGB), General Fiscal Law (Abgabenordnung, AbgO), etc.). Unless there are further-reaching retention obligations, the data will be routinely erased once the relevant purpose has been fulfilled.
In addition, we may retain data if you have provided your authorisation for us to do so, or if legal disputes arise within the statutory limitation period and we use pieces of evidence that become subject to legal limitation periods, which may be up to thirty years; the regular limitation period is three years.
Secure transfer of your data
We implement appropriate technical and organisational measures for the best possible protection of the data we store against accidental or deliberate manipulation, loss, destruction, or access by unauthorised individuals. Security levels are reviewed on an ongoing basis in collaboration with security experts, and adapted to new security standards.
Data exchange from and to our web server is encrypted in every case. We offer HTTPS as a transfer protocol for our web presence, in each case subject to the use of current encryption protocols.
We also offer our users content encryption within the contact forms. We are the only party able to decrypt this data. There is also the option of using alternative channels of communication (e.g. post).
Obligation to provide data
Various personal data is required for the establishment, implementation, and termination of the contractual relationship, and the fulfilment of the associated contractual and legal obligations. The same applies for the use of our website and the various functions it offers.
We have summarised the details of this in the point above. In certain cases, data also needs to be collected or made available as a result of legal provisions. Please note that it is not possible to process your enquiry or execute an underlying contractual relationship without the provision of this data.
Categories, sources, and the origin of data
Which data we process is determined by the relative context: It depends, for example, on whether you place an order online or enter an enquiry into our contact form, or whether you are sending us an application or submitting a complaint.
Please note that we may also make information for particular processing situations separately available to an appropriate body, for example when application documents are uploaded or a contact enquiry is sent.
We collect and process the following data when you visit our website:
1. The name of your internet service provider
2. Information about the website from which you reach our site
3. The web browser and operating system you are using
4. The IP address allocated by your internet service provider
5. The files requested, data volume transferred, and downloads/file export
6. Information about the webpages that you access on our site, including the date and time
We collect and process the following data when you submit a contact enquiry:
1. Surname and first name
3. Email address
5. Information on your requests and interests
We process the following data in the course of the order:
2. Surname and first name
3. Company name
4. Date of birth
5. Delivery address
6. Invoice address
7. Email address
8. Phone number
9. Data that may legitimately be processed from other sources
We collect and process the following data for newsletters:
1. Surname and first name
2. Email address
5. Analytical data from the newsletter evaluation
We collect and process the following data for competitions:
1. Surname and first name
2. Postal address and/or address
3. Email address
4. Date of birth
Contact form/making contact by email (Art. 6 Para. 1 lit. a, b GDPR)
Our website contains a contact form that can be used to make contact electronically. If you write to us using the contact form, we process the personal data you provide in the contact form in order to make contact and respond to your questions and requests.
The principle of data economy and data reduction is taken into account here, in that you only need to provide the data that we need in order to make contact with you. This comprises your email address, title, first name, surname, subject, and the message field itself. In addition, your IP address is processed for reasons of technical necessity and legal safeguarding. All other data fields are voluntary, and you have the option of filling them out (for example for a better-tailored response to your questions).
If you contact us by email, we will process the personal data you provide in the email purely for the purpose of processing your enquiry.
Newsletters (Art. 6 Para. 1 lit. a GDPR)
You can subscribe to a free-of-charge newsletter on our website. Your name and the email address provided during newsletter registration will be used for sending the personalised newsletter.
The principle of data economy and data reduction is taken into account here, as only the email address (and where applicable a name for a personalised newsletter) is identified as a mandatory field. When you subscribe to the newsletter, your IP address will also be processed for reasons of technical necessity and legal safeguarding.
You may of course end your subscription at any time using the unsubscribe option provided in the newsletter, thereby revoking your consent. Furthermore, you may at any time also unsubscribe from the newsletter directly via our website.
Competition/consent to advertising (Art. 6 Para. 1 lit. a, b GDPR)
You can take part in our competition on our website. If you fill out the competition form, we will process the data provided there solely to run the competition.
The principle of data economy and data reduction is taken into account in that you only need to provide the data that is necessary for us to run the competition and for prize notification. This comprises, for example, your name, email address, title, postal address, and country.
Mandatory fields are marked with (*). Your IP address will also be processed for reasons of technical necessity and legal safeguarding. The remaining fields are optional and you are very welcome to complete them if you would like to. Unfortunately, we are not able to conduct the competition without the information requested in mandatory fields, so it will not be possible to take part.
As part of the competition form, you also have the option of providing us with your consent to receive advertising. It is of course also possible to take part in the competition without giving your consent to receive advertising.
If you give your consent by marking the relevant checkbox, we will also process your personal data to send you information and offers relating to products/services (products and (exclusive) offers from the PLAYMOBIL brand operated by geobra Brandstätter Stiftung & Co. KG) by post.
You may withdraw your consent at any time without stating reasons, by calling +49 911 9666-0, emailing email@example.com, or writing by post to geobra Brandstätter Stiftung & Co.KG, Brandstätter Str. 2-10, D – 90513 Zirndorf.
The webshop (Art. 6 Para. 1 lit. b GDPR)
We process the data you provide in the context of the order form only for the purposes of implementing and/or transacting the contractual relationship, unless you agree to its further use.
The principle of data economy and data reduction is taken into account in that you only need to provide us with data that we require in order to implement the contract and/or to fulfil our contractual obligations (i.e. your name, address, email address, and the payment details required for the selected payment type) or which we are legally required to collect.
In addition, your IP address is processed for reasons of technical necessity and legal safeguarding. Without this data being provided, we must unfortunately refuse to enter into a contract as we will not then be able to implement it, or we may need to terminate an existing contract. You are of course also free to provide more data if you would like to.
Registration/customer account (Art. 6 Para. 1 lit. a, b GDPR)
On our website, we offer users the opportunity to register by providing their personal data. The advantage of this is that you are able to view your order history, and the data you provide is stored for the order form, meaning that you will not need to enter the information again the next time you place an order.
Registration is therefore either necessary in order to fulfil a contract (via our online shop) with you or to implement pre-contractual measures, or possible if guest access is also made available.
The principle of data economy and data reduction is taken into account here as only the data required for registration is marked with an asterisk (*). These are, for example, an email address and password including a password confirmation.
If you wish to place an order in our shop, we also need information about the invoice address (title, first name, surname, postal address, phone number) for delivery. If the delivery address differs from the invoice address, the above information must also be provided for the delivery address.
Registering on our website also causes the user’s IP address, the date, and the time of registration to be stored (technical background data). By pressing the “Register now” button, you provide your consent for the processing of your data.
Please note: The password you allocate will be stored within our organisation in encrypted format. Employees of our company are not able to read this password. They are therefore unable to provide you with information if you forget your password.
Should this happen, use the “Forgotten password” function, which sends you a new, automatically generated password by email. No employee is entitled to ask you for your password during a phone call or in writing. So please never disclose your password if you receive any requests of this type.
Completing the registration process causes your data to be stored within our organisation in order for you to use the protected customer area. As soon as you register on our website, with your email address as the username and with a password, this data will be made available for actions that you perform on our website (e.g. for placing orders in our online shop). Orders placed can be viewed in the order history. You can make changes to the invoice or delivery address here.
Registered individuals are free to independently change/rectify the invoice or delivery address in the order history. Our customer service team is also happy to change or rectify this information if you get in touch with them. You can of course also terminate or delete your registration and your customer account (under “My customer account”, “Delete customer account”).
Payment systems (Art. 6 Para. 1 lit. a, b GDPR) and credit checks (Art. 6 Para. 1 lit. f GDPR)
You can pay on account, with your credit card, by PayPal, by cash on delivery, or by direct debit (SEPA direct debit) in our online shop. The respective payment-relevant data is collected for this purpose, so that your order and payment can be processed. In addition, your IP address is processed for reasons of technical necessity and legal safeguarding.
The principle of data economy and data reduction is taken into account in that you only need to provide us with the data that we need for the processing of payment and therefore the processing of the contract, or which we are legally required to record.
Without this data, we must unfortunately refuse to enter into a contract as we will not then be able to implement it.
The payment system we use utilises SSL encryption for the protected transfer of your data.
Note on the payment of invoices:
If you select the invoice payment type in our online shop, we will perform a credit check. To do so, credit history information is transferred to Arvato to determine risks relating to credit standing and default.
Data protection note for Arvato:
We transfer your data (name, address, and if applicable date of birth) to infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany in order to perform a credit check, procure information to assess the risk of default on payment using mathematical and statistical procedures based on address data, and verify your address (check for deliverability).
The legal bases for these transfers are Art. 6 Para 1 lit. b and Art. 6 Para. 1 lit. f of the GDPR. Transfers on the basis of these provisions may only take place insofar as this is required for the purpose of the legitimate interests of our company or third parties, provided that the interests or the fundamental rights and freedoms of the data subjects requiring the protection of personal data are not overriding. Detailed information on ICD as defined by Art. 14 GDPR, i.e. information regarding the business purpose, purposes of data storage, data recipients, right to self-declaration, entitlement to erasure or rectification, etc. is available in the annex and at the following link: (https://finance.arvato.com/icdinfoblatt) (in German only).
Note on credit card payment:
As is standard for credit card payments, the information regarding the credit card is reviewed and a credit check is performed.
Note on PayPal:
PayPal is a company which is part of PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449 Luxembourg. If the data subject selects PayPal as the payment option during the order process in our online shop, data relating to the data subject is automatically transferred to PayPal.
By selecting this payment option, the data subject consents to the transfer of personal data as required to process payment. The personal data transferred to PayPal is generally the data subject’s first name, surname, address, email address, IP address, phone number, mobile phone number, or other data that is necessary to process payment.
Such personal data that relates to the respective order is also necessary to process the purchase agreement. Details on data privacy at PayPal can be accessed at:
https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev (for the legal situation from 25 May 2018).
Note on the direct debit procedure:
As is standard with direct debits, your account details (IBAN and account holder) are recorded in order to debit the corresponding amount from your account.
Advertising purposes for existing customers (Art. 6 Para. 1 lit. f GDPR)
geobra Brandstätter Stiftung & Co.KG is interested in maintaining its customer relationship with you, and sending you information and offers relating to our products/services (catalogues and newsletters). We process your data for these reasons, in order to send you appropriate information and offers by email and post.
If you do not wish us to do so, you can object to the use of your personal data for the purposes of direct advertising at any time; this also applies for profiling in as far as it is associated with direct advertising. If you submit an objection, we will no longer process your data for this purpose.
The objection can be provided free-of-charge, in any form, and without stating reasons; you can submit your objection by calling +49 0911 9666-0, emailing firstname.lastname@example.org or by post to geobra Brandstätter Stiftung & Co. KG, Brandstätterstraße 2-10, D - 90513 Zirndorf.
Automated decision-making in individual cases
We do not use any purely automated processing procedures for making decisions.
Cookies (Art. 6 Para. 1 lit. f GDPR / Art. 6 Para. 1 lit a GDPR in the event of consent)
These cookies enables us to analyse how users use our websites. This means that we can design the content of the website to meet the needs of its visitors. Cookies also enable us to measure how effective a particular advertisement is, and for example to place it depending on thematic user interests.
Most of the cookies we use are session cookies which are automatically deleted after your visit. Permanent cookies are automatically deleted from your computer when their term of validity (generally six months) is reached, or if you delete them yourself before the term of validity expires.
Most web browsers accept cookies automatically. However, you can generally also change your browser settings if you would prefer not to send information. You can still continue to use our website without restrictions in this case (with the exception of configurators).
Please note: If you deactivate the saving of cookies, you may no longer be able to use all of our website’s functions to the full extent.
User profiles/web tracking procedures
Data protection note for econda:
Solutions and technologies from econda GmbH are used to record and save anonymised data and to create usage profiles based on this data using pseudonyms, in order to support needs-appropriate design and optimisation of this website. Cookies that enable a web browser to be recognised on repeat visits may be used for this purpose. However, usage profiles are not brought together with data relating to the holder of the pseudonym without explicit approval from the visitor. In particular, IP addresses are made unrecognisable immediately after receipt, meaning it is not possible to allocate usage profiles to IP addresses. Pseudonymised data is used on the basis of the regulations of Article 15, Para. 3 of the German Teleservices Act (Telemediengesetz, TMG). Visitors to this website may at any time object to the recording and storage of data with immediate effect here. The objection applies only for the device and web browser on which it was set; if required, please repeat the process on all of your devices. If you delete the opt-out cookie, your enquiries will once again be transferred to econda.
Online offers for children
Individuals under the age of 16 may not transfer personal data to us or issue a declaration of consent without the approval of their parent or legal guardian. We would like to invite parents and legal guardians to actively participate in their children’s online activities and interests.
Links to other providers
Our website also – clearly and identifiably – includes links to websites operated by other companies. Where links to other providers’ websites are provided, we have no influence over their content. For this reason, no guarantee can be provided and no liability can be accepted for this content. The respective provider or operator of the relevant pages is responsible for the content of these pages.
At the time that the link was placed, the linked pages were checked for possible legal violations and identifiable infringements of the law. No legal content was identifiable at the time that the link was placed. However, constant monitoring of the content of the linked pages is unreasonable without specific indication of an infringement of the law. In the event of infringements of the law becoming known, links of this type will be removed without delay.