Broadway

PRIVACY POLICY

The following privacy policies apply to usage of our online services www.broadway-fashion.com (hereinafter referred to as “website”).

We take data protection very seriously. Collecting and processing your personal information complies with the currently valid data protection regulations, in particular with the General Data Protection Regulation (GDPR).

1 Responsibility

The entity responsible for collecting, processing and using your personal information according to article 4, no. 7, GDPR is:

Broadway Fashion GmbH, Modering 5, 22457 Hamburg, datenschutz@broadway-fashion.com

Should you, generally or in exceptions, disagree with us collecting, processing or using your personal information according to these regulations, please send your objections to the above mentioned address.

It is possible to save or print the following privacy policies whenever you wish to do so.

2 General purpose of processing

Your personal data is used to operate our website.

3 Which information we use and why

3.1 Hosting

The hosting company we use supplies many services, including infrastructure and platform services, computing capacity, storage and database services, and security and technical maintenance services. All of these services are used to operate our website.

By doing so, we, i.e. the hosting company, process all kinds of data from customers, potential customers and visitors including inventory data, contact data, content data, contract data, user data, meta and communication data within the framework of our legitimate interest in establishing efficient and secure access to our website following article 6, paragraph 1, section 1 f), GDPR, in conjunction with article 28, GDPR.

3.2 Access data

We gather information about you when you use this website. We automatically collect data about your behaviour as a user and how you interact with us and with registered data on your computer or on any of your mobile devices. We collect, process and exploit data, collecting information whenever our website is accessed (so-called server log files). This type of access data includes:

    Name and URL of the accessed files
    Date and time of access
    Amount of data transferred
    HTTP response code
    Browser type and browser version
    Operating system
    Referrer URL
    Websites that are accessed through our website by the user’s system
    Internet service providers of our users
    IP addresses and corresponding providers

This log data is applied without any reference to our users and establishes profiles for statistics to support sales, security and optimisation of our website. It also allows us to anonymously collect the number of visitors accessing our website (traffic) and evaluate the extent and manner our website and the services provided there are used. Further, it serves accounting and counts the clicks our cooperation partners have received. Based on this data, we can provide personalised and location-based services, analyse data traffic, debug and improve our services.

Herein lies our legitimate interest according to article 6, paragraph 1, section 1 f), GDPR.

We reserve the right to screen log data at a later time if there are concrete reasons to believe our website is being used unlawfully. IP addresses are saved in log files for a limited time period if required for safety reasons or for providing services or accounting services, e.g. if you decide to use one of our special offers. After aborting an order in process or after receiving payment, the IP address is deleted if it is no longer required for security reasons. We will also save IP addresses if we suspect an ongoing criminal offence connected to the use of our website. Furthermore, we will save the date of your most recent visit as part of your account (e.g. when you register, log in, click on a link etc.).

3.2.1 Information about the data processing

Your data processed when using our website will be deleted or blocked as soon as the purpose for its storage ceases to apply, provided the deletion of the same is not in breach of any statutory storage obligations or unless otherwise stipulated below.

Google reCAPTCHA

Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google).
Through certification according to the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.
This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.
The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar.
Google offers detailed information concerning the general handling of your user data at https://policies.google.com/privacy.

3.3 Cookies

We use so-called session cookies to optimise our website. A session cookie is a small text file that is sent by the corresponding server and temporarily stored on your hard drive when you visit a section on the Internet. This file contains a so-called session ID that helps to allocate the browser requests of joint sessions. This is how we identify your computer when you return to our website. These cookies are deleted when you close your browser. For example, cookies are used to keep a shopping cart feature active over various sections.

Occasionally, we apply persistent cookies (also small text files that are stored on your device) that remain on your device and allow us to recognise your browser when you access our website again. These cookies are stored on your hard drive and automatically deleted after a given time period. Their life span is between 1 month and 10 years. They help us to present our offer in a user-friendly, efficient and safer way, and display information specifically tailored to your interests and demands on your website.

We have a legitimate interest in using cookies according to article 6, paragraph 1, section 1 f), GDPR based on our wish to offer a website that is user-friendly, efficient and safer.

This is roughly the information that is saved in cookies:

    Log-in information
    Language settings
    Search terms used
    Information about the number of times our website has been accessed and how its different features have been used.

When a cookie is activated, it is assigned an identification number, however, the identification number is without any reference to your personal data. Your name, IP address or any other data that would allow identifying you, is not available on the cookie. Cookie technology simply supplies pseudonymised information about the section traffic of our shop or which products were viewed etc.

You can set your browser to alert you whenever cookies are being applied and either decide individually or generally exclude the use of cookies. Please consider that this may limit certain features on the website.

3.4 Data for fulfilling contracts

We process the personal details we need to fulfill contracts, e.g. names, addresses, emails, products ordered, accounting and payment details. These details are necessary to close a contract.

Deletion takes place after expiry of the warranty period and legal retention periods. Information connected to a user account (see below) is kept for managing the account while it exists.

The legal background for processing this kind of data can be found in article 6, paragraph 1, section 1 b), GDPR, as we need this information to be able to fulfill our promises.

3.5 User accounts

You can create a user account on our website. If you wish to do so, we will require the personal information you entered when you first logged in. When you log in again, we will only require your email or user name and the password you chose.

When you first register, we will ask for some master data (such as name and address), communication details (email) and payment details (bank account) as well as access information (user name and password).

To make sure that your registration is safe and to protect your account from unauthorised attempts to access it, you will receive an email with an activation link to approve your account. Once you have successfully registered your account, the information you entered is permanently saved.

You may require deletion of an account at any time without having to cover any other costs than transfer expenses according to our basic rates. A written message to the contact details given in item no. 1 (per email, fax or letter) is completely sufficient. We will then delete the personal data we stored, provided we no longer need them for processing orders or because of legal retention requirements.

The legal background for processing this information is found in your consent according to article 6, paragraph 1, section 1 a), GDPR.

3.6 Newsletter

If you would like to receive our newsletter, we require the same data as previously provided in the registration process. Registering for a newsletter is logged. After registering you will receive an email asking you to confirm your registration (“double opt-in”). This is necessary to avoid anyone logging into your account by using your email address.

You have the right to revoke your consent at any time and cancel the newsletter.

We store your data as long as you require us to send the newsletter. The data logged for registering and the delivery address are stored as long as there is an interest in establishing the original consent. Generally, this involves the time limitations for taking civil actions which usually expire after 3 years.  

The legal background for sending a newsletter is found in your consent according to article 6, paragraph 1, section 1 a), in conjunction with article 7, GDPR, in conjunction with paragraph 7, section 2, no. 3 UWG (act against unfair competition). The legal background for logging your registration information is our legitimate interest in proving that you consented to receiving the newsletter.

You may unregister at any time without having to cover any other costs than transfer expenses according to our basic rates. A written message to the contact details given in item no. 1 (per email, fax or letter) is completely sufficient. You will also find a link allowing you to cancel the newsletter at the bottom of every newsletter you receive.

3.7 Product recommendations

Apart from the newsletter, we will email product recommendations regularly. Based on previously made purchases of products or services from our product range, we will keep you updated about further products you could be interested in, always strictly adhering to legal provisions. You have the right to revoke your consent at any time without having to cover any other costs than transfer expenses according to our basic rates. A written message to the contact details given in item no. 1 (per email, fax or letter) is completely sufficient. You will also find a link allowing you to cancel product recommendations at the bottom of each email you receive.

The legal background is found in the legitimate authorization according to article 6, paragraph 1, section 1 f), in conjunction with article 7, paragraph 3, UWG (act against unfair competition).

3.8 E-mail contact

When you get in touch with us (by filling in a contact form or by email), we use the information you give us to process your inquiry and for possible further queries.

The legal background for processing your data to fulfill pre-contract agreements that result from your inquiry or if you already are a customer, is based on article 6, paragraph 1, section 1b), GDPR.

We need your explicit consent to process any further personal information (article 6, paragraph 1 section 1a) GDPR) or if we have a legitimate interest to process your data (article 6, paragraph 1 section 1f) GDPR). Answering your email is, for example, a legitimate interest.

4 Matomo

This website uses Matomo, which is an open-source, self-hosting software designed to collect anonymous information about how this website is used.

This kind of information is collected to identify possible issues such as pages that are not found, search engine issues or unpopular pages. As soon as the data is processed (number of visitors that see defective pages, just one page, etc.), Matomo creates a report and thus enables the website operator to react accordingly (layout adjustments, new content, etc.).

Matomo processes the following data:

    Cookies
    Anonymised IP addresses by removing the last two bytes (198.51.0.0 instead of 198.51.100.54)
    Pseudo-anonymised location (based on the anonymised IP addresses)
    Date and time
    Title of the accessed page
    URL of the accessed page
    URL of the previous page (if possible)
    Screen resolution
    Local time
    Files that are accessed and downloaded
    External links
    Page loading speed
    Country, region, city (with low accuracy due to IP addresses)
    Main browser language
    User agent of the browser
    Interactions with forms (without disclosing their content)

Indirect data collection

Server logs

When using this website, the webhost call is logged. This log contains your IP address identifying you indirectly through your Internet provider. Logging this information is legally required and necessary for safety reasons. There is no possibility to opt out, however, this information is never used for any other purposes.

Basics of legitimate interest

Data processing is based on legitimate interest.

Processing data helps us to find out what works on our website, and what doesn’t. For example, it helps us to find out whether consumers appreciate the contents of our website or how to improve its structure. Our team benefits and can react accordingly. Thanks to data processing, our users also benefit from a website that is constantly being improved.

Without this kind of information, we wouldn’t be able to provide such services. Your data is exclusively employed to improve website usage.

Transferring data to third countries

The information on this website and Matomo are hosted in France. The corresponding data never leaves the EU.

Rights of the individuals affected

As Matomo collects information based on legitimate interests, you may exercise the following rights:

The right of disclosure and data transfer: you have the right to demand all your data at any time.

The right of deletion and correction: you have the right to request us to delete all your data at any time.

The right of appeal and limitation of processing: you have the right to object to data collection at any time by activating DoNotTrack on your browser.

The right to file a complaint with the data protection authorities:

If you think that the way we process your data with Matomo is unlawful, you have the right to file a complaint with the data protection authorities.

5 Storage time

So long as it is not specifically determined, we store personal data only for the time we need to fulfil previously established purposes.

In some cases, the law provides for storing personal data, e.g. for legal tax or commercial issues. This data is stored for legal reasons only and is not processed otherwise. After the legal storage period is concluded, it is deleted.

6 Your rights as an individual affected by data processing

According to the current law, you have several rights regarding your personal data. If you would like to assert your rights, please email or send a letter to the address named in item 1. Please do not forget to carefully identify yourself.

In the following, you will find an overview of your rights.

6.1 Right of confirmation and transparency

You have the right to transparency of data processing.

In particular:

You may ask us to inform you about whether any of your personal data is being processed at any time. Should this be the case, you have the right to demand free information on the personal data we have stored and a copy of such. Further you have a right to the following information:

    The purpose of processing;
    The categories of personal data that is being processed;
    The recipients or categories of recipients that have received or will receive your personal data, especially if the recipients are based in third countries or belong to international organisations;
    If possible, the timeframe assigned for storing personal data, or the criteria for determining such a time period should this not be possible.
    The existence of the right of correction or deletion of the personal data affecting you, or limitation of data processing by the person responsible, or the right to appeal against processing this information.
    The existence of the right to file a complaint with the authorities;
    In case you didn’t collate your personal data yourself, all available information about where this information was sourced;
    The existence of an automated decision including profiling, according to article 22, paragraph 1 and 4, GDPR, and – at least in these cases – significant information about the involved logic and scope and the targeted impact of this kind of data processing for yourself.

Should your personal data be transferred to third countries or international organisations, you have the right to be informed about appropriate warranties according to article 46, GDPR, regarding the transfer.

6.2 Right of correction

You have the right to demand correction or completion regarding your own personal data.

In particular:

You have the right to demand immediate correction of wrong personal data. Under consideration of processing purposes, you have the right to demand completion of insufficient personal data, possibly including an explanation if regarded necessary.

6.3 Right of deletion ("right to be forgotten")

In certain cases, we are obliged to delete your personal data.

In particular:

According to article 17, paragraph 1, GDPR, you have the right to demand that your personal data is immediately deleted, and we are obliged to immediately delete personal data if one of the following reasons is applicable:

    The personal data made available is no longer necessary for its previously designated purposes.
    You revoke your consent for processing, legally based on article 6, paragraph 1, section 1, GDPR or article 9, paragraph 2a, as there is no other legal background for processing.
    According to article 21, paragraph 1, GDPR, you file an appeal against processing and there are no urgent or justified reasons for processing, or you file an appeal against processing according to article 21, paragraph 2, GDPR.
    Your personal data has been unlawfully processed.
    The deletion of personal data is required to fulfil a legal obligation according to Union rights or the right of member states we are subject to.
    The personal data was collected in connection with the services offered by the information organisation according to article 8, paragraph 1, GDPR.

As soon as we have published personal data and therefore have the responsibility for its deletion according to article 17, paragraph 1, GDPR, we take the appropriate and possibly technical measures considering all available technologies and implementation costs. Then we inform the parties responsible for data processing as they are required to delete all links connected to the personal information affected, including copies or replications of such.

6.4 Right of limiting data processing

In several cases you have the right to demand limitation of processing your personal data.

In particular:

You have the right to demand limitation of data processing in the following cases:

    You have queried the accuracy of your personal data and provide us with the sufficient time to check.
    Processing your personal data is unlawful and you have rejected deletion of your personal data but demanded limiting the use of your personal data instead;
    We no longer need your personal data for processing, however, you still need the information for asserting, practising or defending legal claims or
    You file an appeal against processing your personal data according to article 21, paragraph 1, GDPR, and it is not yet clear whether the legitimate reasons of our company outweigh your reasons.

6.5 Right of data transfer

You have the right to receive and transfer machine-readable personal data or to require us to transfer it as such.

In particular:

You have the right to receive the personal data you provided in a structured, common and machine-readable format, and you have the right to transfer this data to another responsible entity through us without confronting any obstacles as long as

    Data processing is based on consent according to article 6, paragraph 1, section 1, GDPR or article 9, paragraph 2a, GDPR, or on a contract according to article 6, paragraph 1, GDPR and
    Data processing is based on automatic procedures.

By exercising your right of data transfer according to paragraph 1, you have the right to demand that we transfer your personal data directly to a further responsible entity as long as it is feasible.

6.6 Right of objection

You have the right to object to us legally processing your personal data if it is justified by your particular situation and if our interest in processing your data does not outweigh your situation.

In particular:

You have the right to object to your personal data being processed according to article 6, paragraph 1, section 1e or f, GDPR, at any time for reasons resulting from your particular situation. This right also extends to profiling based on these regulations. We will no longer process your personal information unless we can prove that there are compelling reasons worth being protected that outweigh your interests, rights and liberty, or processing serves asserting, practising or defending legal claims.

If we process your personal data to support direct marketing, you have the right to object to processing your personal data for such purposes. This is also true for profiling associated with direct marketing.

For reasons resulting from your particular situation, you have the right to object to your personal data being processed for scientific or historical research purposes, or for statistics according to article 89, paragraph 1, GDPR, unless processing is required to fulfil tasks essential to public interest.

6.7 Automated decisions including profiling

You have the right not to be subjected to a decision based exclusively on automated processing – including profiling – that may develop a legal impact or affect you considerably in a similar way.

Automated decisions based on collated personal data are generally not practised.

6.8 Right of objection to a declaration of consent

You have the right to object to your previously made declaration of consent concerning the processing of your personal information.

6.9 Right to file complaints with the authorities

You have the right to file complaints with the authorities, in particular in the member state where you live, where you work or where the alleged offence took place, if you believe that processing your personal data has been unlawful.

7 Data security

We take data security very seriously and do everything we can to keep your personal data safe and secure within the framework of the current data protection laws and the technical possibilities we have.

Your personal data is encrypted before transfer. This also applies to orders and login details. We use the coding system SSL (Secure Sockets Layer), however, we would like to point out that data transfer (e.g. emailing) on the Internet can be a security risk. Unfortunately, 100 percent data protection from unauthorised access is impossible.

In order to protect your data, we use technical and organisational security measures according to article 32, GDPR, and we are constantly updating technologies to state-of-the-art standards.

We do not guarantee that our services are available at all times. We cannot exclude technical faults, interruptions or downtimes. The services we use are carefully maintained and secured.

8 Transferring personal data to third parties, no data transfer to non-EU countries

Generally, we only use your personal data within our company.

Should we contract third parties within the framework of contract fulfilment (e.g. for logistics), they will only receive the information necessary for them to render their services.

In case we outsource certain parts of data processing (e.g. “order processing”), we contractually bind our servicers to adhere to current data protection laws and to guarantee protection of the rights of our customers.

Data transfer to individuals or organisations outside the EU and beyond the scope of item no. 4 in this agreement will not take place and is not intended.  

9 Data protection officer

Should you have further questions or queries regarding data protection, please contact our data protection officer: datenschutz@broadway-fashion.com

Issued on 25 May 2018