Data protection for website visitors
Data protection declaration and information for data subjects in accordance with Articles 13 and 14 EU GDPR
Ludwig Schokolade GmbH & Co. KG takes the protection of your personal data extremely seriously. Our company collects and processes your personal data exclusively within the scope of data protection regulations. On this web page we provide you with information about how we collect and process your personal data in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (EU GDPR).
The party responsible for data processing is:
Ludwig Schokolade GmbH & Co. KG
51469 Bergisch Gladbach
T +49 2202 105-500
F +49 2202 105-501
Our data protection officer is:
PricewaterhouseCoopers Legal AG Rechtsanwaltsgesellschaft
Moskauer Straße 19
When you visit this website and use its various services, we process your personal data in the ways described in detail below.
We work with an external service provider to operate this website in order to fulfill our obligations to comply with data protection law. Our provider was chosen following a careful selection process.
Table of contents
- Google WebFonts
- Google Analytics
- Matomo (ehemals Piwik)
- Facebook Fanpage
- Kontaktaufnahme und Kundenreklamationen: Formular und E-Mail-Funktion
2. Server log files
During each website visit, your browser also transmits access data, called server log files, which we process to ensure system security and to produce usage statistics. In particular, these transmit the time of your visit request, the web page from which you visited us (referrer URL), the subpages visited, your IP address, the data volume and the browser you are using. These data are required to ensure system security, such as to identify and block hacker attacks. This is in our overriding, legitimate interest (Art. 6(1)(f) EU GDPR).
We use hCaptcha on our websites. The provider is Intuition Machines, Inc., 2211 Selig Drive, Los Angeles, CA 90026, USA (“Intuition Machines”).
hCaptcha checks whether the data entered on our websites (e.g. on a contact form) was input by a person or an automated program. hCaptcha analyzes the behavior of the website user for this purpose, using various features. This analysis starts automatically, as soon as the website visitor accesses the website. For the analysis, hCaptcha evaluates various types of information (e.g. IP address, duration of website user’s stay on the website or the mouse movements made by the user). The data recorded during the analysis is forwarded to Intuition Machines.
The hCaptcha analyses run completely in the background. Website users are not informed that an analysis is taking place.
The data is processed on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in protecting their website from abusive automated spying and spam.
4. Google WebFonts
This page uses Web Fonts provided by Google for the uniform display of fonts. Google Fonts are installed locally. No connection to Google servers takes place.
5. Google Analytics
a) Processing purposes, recipients
We use Google Analytics, a web analytics service of Google LLC, to create user statistics and profiles for the needs-based design of our website. As our processor, Google processes the data collected using Google Analytics to analyze your use of the website, to compile reports about the corresponding activities, and to provide other services related to the use of our website. We can improve our services using the statistics acquired in this process and make the services more appealing to you as a user. If you have granted your consent, Google Analytics saves cookies on your device. The information generated by these cookies about your use of this website are generally transmitted to a Google server in the USA and saved there.
In general, no personal data is processed in the use of Google Analytics. Google shortens your IP address beforehand within Member States of the European Union or in other states which are parties to the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there (for these cases, Google LLC is subject to the EU–US Privacy Shield, which can be accessed at https://www.privacyshield.gov/EU-US-Framework); we advise you that on our websites Google Analytics has been expanded with the AnonymizeIP plugin, to ensure the anonymized recording of your IP address, including in these exceptional cases, so that your data cannot be traced back to you. The IP address transmitted by your browser within the scope of Google Analytics is not collated with other Google data. There is no adequacy decision decided upon by the European Commission that guarantees an appropriate level of data protection in the USA. For the exceptional cases, in which personal data is transmitted to the USA, an appropriate level of data protection is ensured by Google being subjected to the EU–US Privacy Shield (list accessible at https://www.privacyshield.gov/list).
b) Legal basis, duration of storage, no obligation to provide data
The legal basis for the use of Google Analytics is Art. 6(1)(a) EU GDPR. Sessions are routinely ended after 30 minutes of inactivity and campaigns ended after 12 months; campaign data can be stored for a maximum duration of 2 years. You are not legally or contractually obliged to provide your data, nor is this necessary to conclude a contract.
c) Revocation options
You can find information on how to do this at the following links for each browser:
Internet Explorer™: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
Opera™ : http://help.opera.com/Windows/10.20/de/cookies.html
If necessary, you can also install a browser plugin that prevents tracking; for this purpose please visit http://tools.google.com/dlpage/gaoptout?hl=de and install the browser plugin available there (if available for your browser; please note that this will cause you to leave our website). Finally, you can withdraw your consent by making an applicable declaration to us (for this also refer to Section 11 below).
d) Information about the service provider
Order data processing
We have concluded a contract with Google and have implemented the strict requirements of the German Federal Data Protection Authorities in the use of Google Analytics.
6. Matomo (formerly Piwik)
This website uses the open source web analytics service called Matomo. Matomo uses technologies that enable the recognition of the user across the website in order to analyze user behavior (e.g. cookies or device fingerprinting). The information collected by Matomo in relation to use of this website is stored on our server. The IP address is anonymized before it is saved.
With Matomo’s help, we are able to collect and analyze data about how website visitors use our website. We can use this to find out, for example, which page impressions came from which region. In addition, we collect various log files (e.g. IP address, referrer, browser, and operating systems used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).
The use of these analytics tools is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize their web services as well as their marketing. In so far as the corresponding consent was requested (e.g. consent to the saving of cookies), the processing is performed exclusively on the basis of Art. 6(1)(a) GDPR; consent can be revoked at any time.
We implement IP anonymization for analytics with Matomo. This shortens your IP address before analysis so that it can no longer be uniquely assigned to you.
We host Matomo exclusively on our own servers so that all analytics data remain in our possession and are not forwarded on to other parties.
7. Facebook Fanpage
We use the Page Insights function to analyze the use of our fan page. If you visit our fan page, we process your data collected using the Page Insights function together with Meta Platforms Ireland Ltd. as the jointly responsible party. These data include information about your visit and/or your interactions on our fan page which relate to you and which can therefore include personal data.
8. Getting in touch and customer complaints: Form and email function
You have the option of contacting us directly via a contact form on our website. If you do so, you must enter your name, email address, title, and your address. You can also contact us with your query via our Facebook fan page (also refer to Section 7). In this case, your name, email address, and address are only required in the case of a complaint. We also offer you the option of contacting us directly via email. If you click on the Email button on our website, your email program will open and you can send us a message to the pre-entered email address. If you contact us by email or web form, we also record your IP address and the time that you transmitted your message to us. We have no influence on the data processing done by the email program of your provider; we only provide a link to the email program. You are not legally or contractually obliged to provide your aforementioned data, nor is this necessary to conclude a contract. However, without this data it is not possible to process your request. We only use the data transmitted by you via the contact form, Facebook fan page, or email to process your query. The legal basis for this processing is Art. 6(1)(b) EU GDPR. We process your IP address and the time of your request in order to be able to identity and protect ourselves from automated access and hacker attacks. The legal basis for this processing is Art. 6(1)(f) EU GDPR. In general, we delete these data one week after answering or otherwise completing your request; however, in individual cases we store this data longer to the extent we are legally entitled or obligated to do this in each instance (e.g. according to retention periods under commercial and tax law).
9. Data protection
In order to protect your data in the best way possible, we use technical and organizational security measures with SSL encryption (https standard), which are also adapted to the current state of technology in a risk-appropriate manner in each case.
10. Rights of data subjects
If personal data that relates to you as a natural person is used, you are entitled to various claims against us under data protection law. In accordance with § 34 BDSG (German Federal Data Protection Act), and Art. 15 EU GDPR, you have the right to information about your saved personal data and the origin of this data, the recipients or categories of recipients to whom the data was forwarded and the purpose of this storage.
You are also entitled in accordance with § 35 BDSG and Art. 16–18 EU GDPR to the deletion or restriction (of processing) of your personal data. Moreover, you can request the transmission of the data to another responsible party in accordance with Art. 20 EU GDPR.
Furthermore, you can revoke the further processing of any of your data processed on the basis of a legitimate interest (Art. 6(1)(f) EU GDPR). If we do not process your data for marketing purposes, you will be required to provide a reason for revocation arising from your individual circumstances. In the event of an objection, we will no longer process your personal data from the time of the receipt of the objection and during the subsequent examination, and the data will be deleted after the completion of the examination, if the objection was found to be justified (§ 36 BDSG and Art. 21 EU GDPR).
You can revoke consent to data processing transmitted to us at any time (Art. 6(1)(a) EU GDPR); we will then cease to process your personal data any further, unless there is a legal authorization to do so.
An objection or revocation does not affect the permissibility of data processing performed in the past.
We will fulfill your rights immediately and without charge. Please contact us or our data protection officer about this; you can find our contact information at the start of this data protection declaration.
Finally, you have the right in accordance with Art. 77 EU GDPR to make a complaint to the responsible data protection authority.