We are pleased about your interest in our company. Data protection has a very high priority for the CWF GmbH and we take our position as controller within the meaning of the GDPR very seriously.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This includes in particular name, address(es), bank details, e-mail address, telephone or fax number or client IP address.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51.
2. Handling of personal data and data storage
We use personal data in particular for the processing of orders, the delivery of goods and the provision of services as well as the processing of payment. We also use personal data for the communication with the data subject, to update our data records and to maintain the data subject's customer account. We also use personal data to improve our platform, to prevent or detect misuse, in particular fraud, or to enable third parties to perform technical, logistical or other services on our behalf. The collection, storage and processing of personal data is particularly necessary because this is the only way we can provide the service requested by the data subject. The personal data is stored for the duration of the processing of the order and execution of the contract or to the extent required by legal regulations (e.g. tax regulations).
Personal data are used for the justification of the contract, the content design and implementation or settlement of the contract (Art. 6 para. 1 lit. b) GDPR). In addition, personal data will only be processed if we have received the consent of the data subject (Art. 6 para. 1 lit. a) GDPR). This consent will be recorded.
Furthermore, personal data will only be processed and collected by default to the extent necessary for the intended purpose. If the processing of the personal data of the data subject is based on a consent, he has the right to revoke this consent at any time. Art. 7 para. 3 GDPR is expressly referred to.
3. Use of the website
The use of the (publicly accessible) website is generally possible without providing personal data. If parts of the website (e.g. the order process) are dependent on the provision of personal data in order to ensure the function or to be able to fulfil the data subject will be requested to enter the personal data at the appropriate place and can decide on the entry.
Insofar as personal data is collected via forms on our pages (e.g. name, address or e-mail address), this is always done on a voluntary basis and with the express consent of the data subject, which will be recorded.
You can contact us by e-mail, fax or telephone. We store the data transmitted to us and provided by you for processing the request.
Every time a data subject accesses a page of our website and every time a file stored on the website is called up, access data about this process is stored in a log file. Each data record consists of:
(1) the page from which the file was requested,
(2) the name of the file,
(3) the date and time of the request,
(4) the amount of data transferred,
(5) the access status (file transferred, file not found, etc.)/HTTP status code,
(6) a description of the type of operating system and web browser used,
(7) the client IP address,
(8) the time zone difference to Greenwich Mean Time (GMT).
The data is stored each time a data subject accesses a page of our offer and each time our website is accessed and is deleted as soon as it is no longer required for the purpose of collection or processing.
The temporary storage of the personal data is carried out on the legal basis of Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the provision of our website. The data subject may object to the processing at any time.
4. Principle of data avoidance, legality of personal data processing
In addition, as far as we can possibly do, personal data will not be collected. In doing so, we adhere to the principle of data avoidance, which we take very seriously. We treat personal data confidentially and in accordance with legal data protection regulations.
The scope of the personal data communicated to us is appropriate to the purpose and limited to what is necessary for the purpose of the processing. The processing of personal data is carried out for the performance of the contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The same applies if the data subject voluntarily contacts us at their own request and initiative.
5. Persons under the age of 16
Persons under the age of 16 should not transmit any personal data to us or consent to such data without the consent of their legal representative(s).
6. Illegal acts by third parties
In the case of concrete indications of an illegal action or if we are requested to do so by legal authorities, we will hand over the data available to the competent legal authorities for prosecution.
7. Data transfer
The stored data will not be transferred to third parties. The following exceptions apply:
For the performance of the contract the data will be transferred to third parties, as far as this is necessary for the purpose of the execution of the contract. This applies in particular to the exchange of data between CWF GmbH and SPM GmbH (Crispenhofener Straße 1, 74679 Weissbach) and in the following cases:
For the performance of the contract the data will be transferred on to the shipping company commissioned with the delivery, as far as this is necessary for the delivery of the ordered goods. For the processing of payments, the payment data required for this – insofar as this is necessary with regard to the type of payment and the extent of the transfer – shall be passed on to the credit institution commissioned with the payment and, if applicable, to the commissioned and selected payment service provider. Your personal data will only be processed within the EU.
The personal data is also exchanged exclusively for the performance of the contract. The exchange of personal data serves for the performance of the contract between CWF GmbH and the data subject. This includes in particular the company contact data and the data of the contact person of the contract partner.
8. Data security
All personal data on our website is protected by technical and organisational measures against loss, destruction, external access, modification and distribution. We would like to point out that data transmission over the Internet (e.g. communication by e-mail or infiltration of the visitor's computer (e.g. the computer of the data subject) by third parties) may have security gaps. A complete protection of data against access by third parties is not possible for us.
We are not responsible for personal data collected and processed by third parties.
9. Communication of personal data
We collect personal data if the data subject voluntarily provides it in connection with his order, when contacting us (e.g. via contact form or e-mail) and when opening a customer account and the necessary registration.
We collect and store all information that the data subject enters on our website or transmits to us in any other way. In addition, personal data will only be processed and collected by default to the extent necessary for the intended purpose.
10. Necessity of data collection, cookies and use of Google (Universal) Analytics for web analysis
The data subject has the right to object at any time to the processing of his personal data in accordance with Art. 6 para. 1 lit. f) GDPR. Art. 21 GDPR is expressly referred to.
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on the users’ computers, to help the website analyze how users use the site. The information generated by the cookie about the use of the website by users will be transmitted to and stored by Google on servers in the United States. The IP-anonymisation is activated on this website and the users’ IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. The IP-address that your browser conveys within the scope of Google Analytics will not be associated with any other data held by Google.
The users can also prevent the collection of data generated by the cookie and data related to their use of the website (including their IP address) as well as the use of such data by Google by downloading and installing the browser plug-in that is available under:
An opt-out cookie is stored on your mobile device. In case the users delete the cookies in this browser, they have to click the link again in order to deactivate Google Analytics.
11. The use of Google Maps
We use the “Google Maps” component on our website in combination with the so-called “Share function”. “Google Maps” is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google.” Each time this component is called up, Google sets a cookie in order to process the user configuration and data when the page with the integrated “Google Maps” component is displayed. As a general rule, this cookie is not deleted by closing the browser, but rather expires after a certain time, as long as it is not previously manually deleted by you.
If you do not agree with this processing of your data, you may choose to deactivate the “Google Maps” service and thereby prevent the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case you will not be able to use “Google Maps” or at least only to a limited extent.
as well as the additional Terms and Conditions for "Google Maps"
12. Use of reCAPTCHA
In order to protect input forms on our site, we use the “reCAPTCHA” service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter "Google." By means of this service it can be distinguished whether the corresponding input is of human origin or is created improperly by automated machine processing.
To our knowledge, the referrer URL, the IP address, the behaviour of the website visitors, information about the operating system, browser and length of stay, cookies, display instructions and scripts, user input behaviour and mouse movements in the “reCAPTCHA” checkbox are conveyed to “Google.”
The IP address provided as part of “reCAPTCHA” is not merged with other data from Google unless you are logged into your Google Account at the time the "reCAPTCHA" plug-in is used. If you want to prevent this transmission and storage of data by “Google” about you and your behaviour on our website, you must log out of “Google” before you visit our site or before using the reCAPTCHA plug-in.
13. Use of YouTube components with enhanced data protection mode
On our website we use components (videos) of YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a company belonging to Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA.
To this end, we use the “ - enhanced data protection mode - ” option provided by YouTube.
When you display a page that has an embedded video, a connection will be made to the YouTube server and the content will appear on the website via a communication to your browser.
According to the information provided by YouTube, in “ - enhanced data protection mode -”, data is only transferred to the YouTube server, in particular which of our websites you have visited, if you watch the video. If you are logged onto YouTube at the same time, this information will be matched to your YouTube member account. You can prevent this from happening by logging out of your member account before visiting our website.
Further information about data protection by YouTube is provided by Google under the following link:
The principles concerning the collection and processing of personal data also apply in particular to registration for our newsletter.
If the data subject registers for our newsletter, the data stored there by the data subject during registration within the input mask will be transmitted to us. These are your e-mail address, last name, first name, IP address, time and date of registration.
Reference is expressly made to Art. 6 para. 1 lit. a) and Art. 7 para. 4 GDPR, in particular lit. a)-c).
The data will be deleted as soon as they are no longer necessary to achieve the purpose and the data subject has unsubscribed from the newsletter. According to this, the data is stored for ten years from the last dispatch of information by e-mail for the purpose of proof in the event of queries regarding existing consents, taking into account the statute of limitations.
The use of the data to receive the information by e-mail can be revoked at any time with effect for the future by unsubscribing from the newsletter.
15. Right to lodge a complaint with a supervisory authority, Art. 77 GDPR
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
16. Right to information, Art. 15 GDPR
The data subject has the right to the following information:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 relating to the transfer.
We provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, we may charge a reasonable fee based on administrative costs.
17. Right to rectification, Art. 16 GDPR
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
18. Right to erasure (‘right to be forgotten’), Art. 17 GDPR
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- the data subject withdraws consent on which the processing is based according to Art. 6 para. 1 lit. a), or Art. 9 para. 2 lit. a), and where there is no other legal ground for the processing
- the data subject objects to the processing pursuant to Art. 21 para. 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2
- the personal data have been unlawfully processed
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
- the personal data have been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.
After complete justification of the contract, the personal data will be blocked for further use and deleted after expiry of the storage periods under tax and commercial law, unless the data subject has expressly consented to further use of his data or we reserve the right to use data beyond this which is permitted by law. Please note that these are legally standardized retention periods. Because of the storage and processing of the data for the execution of the contract, an objection or premature deletion is not possible.
19. Right to restriction of processing, Art. 18 GDPR
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
- the data subject has objected to processing pursuant to Art. 21 para. 1 pending the verification whether the legitimate grounds of the controller override those of the data subject.
20. Notification obligation regarding rectification or erasure of personal data or restriction of processing, Art. 19 GDPR
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 para. 1 and Art. 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
21. Right to data portability, Art. 20 GDPR
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) or on a contract pursuant to Art. 6 para. 1 lit. b) and
- the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Art. 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
22. Right to object, Art. 21 GDPR
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para. 1 lit. e) or f) GDPR, including profiling based on those provisions.
We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
23. Automated individual decision-making, including profiling, Art. 22 GDPR
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is based on the data subject's explicit consent.
Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
24. Right to an effective judicial remedy against a controller or processor, Art. 79 GDPR
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
25. Contact and controller
CWF GmbH, represented by the CEO Carsten Franz, Sandra Wolpert, Jürgen Wolpert
Status as of: 25.05.2018