INTRODUCTION AND TERMS

1.      Introduction

We process personal data when operating our website www.gokishop.eu (hereinafter referred to as "website"). This data will be treated confidentially and processed in accordance with the applicable laws - in particular the General Data Protection Regulation(GDPR) and the Federal Data Protection Act (BDSG). With our data protection regulations we want to inform you which personal data we collect from you, for which purposes and on which legal basis we use it and, where applicable, with whom we share it. Furthermore, we will explain to you which rights you are entitled to in order to protect and enforce your data protection.

2.      Terms

Our data protection regulations contain technical terms that are new in the GDPR and the BDSG. For your better understanding we would like to explain these terms in simple words in advance:

2.1       Personal data

"Personal data" “Personal data” is all information relating to an identified or identifiable person (Art. 4 Par. 1 of the GDPR). Details of an identified person could be their name or e-mail address.However, data can also be described as personal if, despite the fact that a person’s identity cannot be deduced directly from the data, their identity can nonetheless be deduced by combining the data with other information. A person could, for example, be identified via their address or bank details, date of birth, username, IP address or location details. The key point is that any information that can be used in any way to identify a person can be described as personal data.

2.2       Processing

Under Art. 4 Par. 2 of the GDPR, “processing” describes any process applied to personal data. This especially includes the collection, capture, administration, classification, recording, amendment, printing, making available, use, disclosure, sharing, dissemination, provision, comparison, linking, restriction, erasure or destruction of personal data.

 data controller and data protection officer

3.      Data controller

Responsible for the data processing is:

Company:                                Gollnest & Kiesel GmbH & Co KG ("we")

Legal representative:                Gollnest & Kiesel Verwaltungsgesellschaft mbH these represented by

Gerhard Gollnest and Fritz-Rüdiger Kiesel (Managing Directors)

Address:                                  Main street 13 -16, 21514 Güster

Phone:                                     +49 (0)4158 / 88 22 - 0

Fax:                                         + 49 (0)4158 / 88 22 - 22

E-mail:                                     info@goki.eu

4.      Data protection officer

We have appointed an external data protection officer for our company. You can reach him at:

Name:                                      Reinher Karl

Address:                                 HABEWI GmbH & Co KG, Palmaille 96, 22767 Hamburg

Phone:                                     040/ 18189800

Fax:                                         040/ 181898099

E-mail:                                     datenschutz@habewi.de

Processing parameters

5.      Processing frame: website

Within the framework of the website with the URL www.gokishop.eu, we process the personal data of you listed in detail in sections 6-12 below. We only process data of yours that you actively provide on our website (e.g. by filling out forms) or that you automatically provide when using our services.

Your data will be processed exclusively by us and will not be sold, lent or passed on to third parties. If we use the help of external service providers to process your personal data, this is done within the framework of so-called order processing, in which we as the data cotroller are authorized to give instructions to our contractor. For the operation of our website we use external service providers for hosting, as well as for maintenance, care and further development. Should further external service providers be used for individual processing operations listed in sections 6-12, they will be named there.

We do, in general, not transfer any data to any third countries and this is not planned for the future either. Any exemptions from this principle will be explained in the types of processing activities listed below.

The PROCESSING Activities In detail

6.      Provision of the website and server log files

6.1       Description of the processing

Whenever you access the website, we automatically collect information that your browser sends to our server. This information is also stored in the so-called log files of our system. These are the following data:

·         your IP address

·         the browser software you use, as well as its version and language

·         the operating system you use

·         the website from which you have reached our website (so-called referrer)

·         the date and time of your visit to our website

The temporary storage of your IP address by the system is necessary in order to deliver our website to the end device of a user. For this purpose, the user's IP address must remain stored for the duration of the session. However, your IP address is not recorded in our log files.

6.2       Purpose

Your data are processed in order to enable the website to be accessed and to ensure its stability and security. Furthermore, the processing serves the statistical evaluation and improvement of our online service.

6.3       Legal basis

The processing is necessary in order to safeguard the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in item 6.2.

6.4       Storage duration

The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when your session ends.

7.      Registration and profile

7.1       Description of the processing

Individual functions and offers on our website are only available to you as a registered user. By registering, you conclude a free user contract with us. By registering, you will receive your own user account on our website. The registration takes place by filling out the registration form on http://www.gokishop.eu/html/de/createAccount.html and sending it to us electronically. To register, you must provide your title, first name, surname, distribution channel, street postcode, city, country and e-mail address. Further information on company and contact data is voluntary. By clicking the button "Send registration" you send us the form.

As a registered user, you can shop on our website faster and more conveniently by entering your billing and shipping addresses, as well as your preferred method of payment, in your user profile. This means that you do not have to re-enter your personal data for subsequent (further) purchases.

7.2       Purpose

The processing is done in order to provide you with the functions of our website for registered users.

7.3       Legal basis

The processing is necessary for the conclusion and fulfilment of the contract of use (Art. 6 para. 1 lit. b GDPR). Without providing your personal data within the scope of registration, we cannot provide our contractually owed services.

7.4       Storage duration

The data will be automatically deleted by us upon termination of your contract of use. You can end the user contract yourself by informing us by e-mail to info@goki.eu or by post that you no longer wish to be a registered user of our website. We will then delete your user account immediately.

8.      Purchasing

8.1       Description of the processing

You can buy toys on our website as a registered user. Within the scope of your order we process personal data from you. The mandatory fields marked with an asterisk "*" in our online shop must be filled in by you. Otherwise it is not possible for us to conclude a purchase contract with you and send you the desired goods. All other details are voluntary. When shopping on our website, you can also choose one of the offered payment methods (credit card, purchase on account, direct debit and prepayment) to settle the purchase price. When completing your order, the data required for payment will be passed on to the respective payment service provider. If you shop on our website as a registered user, you can enter your billing and delivery addresses as well as your preferred payment method in your user profile for a faster and more convenient ordering process. In addition, there are numerous overviews and status requests for your purchases available to you.

8.2       Purpose

The processing is carried out for the conclusion and processing of sales contracts.

8.3       Legal basis

The processing is necessary for the conclusion and performance of sales contracts (Art. 6 para. 1 lit. b GDPR).

8.4       Storage duration

We are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, after two years we will restrict the processing of your data. This means that your data will then only be stored separately to comply with the statutory retention periods and will be deleted immediately after these periods have expired.

8.5       Recipient

To process your payment, personal data will be forwarded to one of the external payment service providers listed below and selected by you in the course of your purchase:

·         Credit card, direct debit: BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, Germany

9.      Contact form and contact by e-mail

9.1       Description of the processing

We have provided a contact form on our website for making contact. In this form you are asked to enter your e-mail address, your name and a message to us. When you click the "Submit" button, the data will be transferred to us using SSL encryption (see section security measures below). The contact form can only be transmitted if you accept our data protection regulations by clicking the corresponding checkbox. You can also contact us using the e-mail addresses provided on the website. In this case, the personal data transmitted with the e-mail will be processed by us.

9.2       Purpose

By providing a contact form on our website, we want to offer you a convenient way to contact us. The data transmitted with and in the contact form or your e-mail are used exclusively for the purpose of processing and answering your request.

9.3       Legal basis

The processing is necessary in order to safeguard the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in item 9.2. If the e-mail contact is aimed at the conclusion or fulfilment of a contract, the data processing is carried out for the purpose of fulfilling the contract (Art. 6 para. 1 lit. b GDPR).

9.4       Storage duration

The data will be deleted by us as soon as they are no longer necessary for the purpose of their collection. This is usually the case when the respective communication with you has ended. The communication is terminated when it is clear from the circumstances that your request has been finally clarified. If legal retention periods prevent erasure, the data will be deleted immediately after the legal retention period has expired.

10.   Cookies

10.1     Description of the processing

Our website uses cookies. Cookies are small text files that are stored on your end device when a website is visited. Cookies contain information that enables the recognition of an end device and, if applicable, certain functions of a website. In most cases we only use so-called "session cookies". These are automatically deleted when you end your internet session and close the browser. Other cookies remain stored on your end device for a longer period of time and enable partner companies to recognize your browser or computer (persistent cookies). Depending on the cookie, in the case of persistent cookies these are automatically deleted depending on the preset storage period.

10.2     Purpose

We use cookies to make our website more user-friendly and to offer the functions described in section 10.1. We work together with advertising partners, among others, who help us to make our website as interesting as possible for you. For this purpose, cookies from third parties, our partner companies, may also be stored on your hard drive on our website. If we allow third parties to use such cookies, we will inform you in the following sections about the information collected in this way.

10.3     Legal basis

Cookies, which are necessary for the electronic communication process or for the provision of certain functions you require (e.g. shopping basket function), are stored on the basis of Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimised provision of his services. Insofar as other cookies (e.g. cookies for analysing your surfing behaviour) are stored, these are treated separately in this data protection declaration.

10.4     Storage duration

Cookies are automatically deleted at the end of a session or when the specified storage period expires. Since cookies are stored on your terminal device, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies.

In the following we have put together the links that will lead you to instructions on how to change the settings for the most common browsers. For further information please refer to the Support Menu of your browser:

Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies

Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

Chrome: http://support.google.com/chrome/bin/answer.py?hl=delrm=ennswer=95647

Safari: https://support.apple.com/kb/ph21411?locale=de_DE

Opera: http://help.opera.com/Windows/10.20/de/cookies.html

Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, individual functions of our website cannot be used or can only be used to a limited extent.

11.   Newsletter

11.1     Description of the processing

We send out a newsletter at irregular intervals. With the newsletter we inform you about our offers and services around toys. You will only receive our newsletter if you actively subscribe to our mailing list. You can subscribe to it by filling out and sending a newsletter registration form on our website or by placing an order in our online shop.

To subscribe to the newsletter, you only need to enter your e-mail address. All other details (such as your first name and surname) are voluntary and are used solely to personalise the e-mails.

We use the so-called double opt-in procedure for the execution and verification of newsletter registrations. A registration takes place in several steps. First you register for the newsletter on our website. You will then receive an e-mail from us to the e-mail address you have entered. With this e-mail we ask you to confirm that you have actually subscribed to the newsletter and wish to receive it. A confirmation is made by clicking on a confirmation link in the e-mail. Only after a successful confirmation will we add you to our newsletter distribution list and send you e-mails in the future. Within the scope of the double opt-in procedure, we save the date, time and your IP address both during registration and confirmation.

If you purchase goods or services on our website and enter your e-mail address, we may use this address to send you a newsletter for existing customers. In such a case, the newsletter will only be used to send direct advertising for our own similar goods or services.

11.2     Purpose

The processing is done in order to offer the newsletter function and to be able to send newsletter e-mails to subscribers and existing customers. The collection and storage of date, time and IP addresses during newsletter registration serves the documentation of granted consent and protection against the misuse of e-mail addresses.

11.3     Legal basis

In the case of our existing customer newsletter, processing is carried out on the basis of Art. 6 Para. 1 letter f GDPR in order to safeguard the predominant interests of the person responsible. Our legitimate interest lies in direct advertising to existing customers. This is permissible within the framework of § 7 para. 3 UWG, which we observe.

11.4     Storage period and revocation of consent

We process your personal data for the duration of your newsletter subscription. You can cancel your subscription to our newsletter at any time by revoking your consent. A simple declaration by e-mail to info@goki.eu or by post is sufficient. It is also possible to unsubscribe from the newsletter by clicking on the unsubscribe link in each newsletter e-mail. With the revocation of your consent, no more newsletters will be sent to you and your personal data will be removed from our active mailing list. To enforce your revocation, we will add your e-mail address to our so-called black list in a restricted manner. In this way we can ensure that you will not receive any newsletters from us in the future and that your e-mail address will not be misused by third parties.

11.5     Recipient and transfer to third countries

For the administration of our newsletter distribution list and for sending the e-mails we use the services of the newsletter provider Mailchimp. This takes place in the context of an order processing. Mailchimp is an offer of The Rocket Science Group, LLC, 512 Means Street, Suite 404 Atlanta, GA 30318, USA (in the following called "Mailchimp"). With your newsletter registration the data given during the registration process is transferred to Mailchimp and processed on Mailchimp servers in the USA. Mailchimp is subject to the EU-US Privacy Shield. Further information about the EU-US-Privacy-Shield can be found at https://www.privacyshield.gov/EU-US-Framework. For more information about Mailchimp's privacy policy, please refer to the service provider's privacy policy at http://mailchimp.com/legal/privacy/

12.   YouTube videos

12.1     Description of the processing

Our website uses services from "YouTube" a video platform operated by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA (hereinafter referred to as "YouTube"). YouTube is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use YouTube by embedding individual videos from the platform on our website as so-called iFrames so that they can be played directly on our website. The videos are embedded in the "extended data protection mode" offered on YouTube, i.e.  h. No personal data will be transferred from you to Google as long as you do not play the videos. Only when a video is played will data be transferred to Google, over which we have no influence. If you play an embedded video on a subpage of our website, Google is informed which subpage you have visited and which video you have viewed. If necessary, your IP address is also transmitted to Google. If you are logged in as YouTube or Google user, Google will assign this information to your user account. Google stores your data as user profiles and uses them for advertising purposes, for market research and/or for the design of Google websites according to your needs. You have a right of objection to the creation of these user profiles, and to exercise this right you must contact Google directly. You can find further information on data protection at Google at http://www.google.com/intl/de-DE/policies/privacy/.

12.2     Purpose

The processing is done to be able to show you videos on our website.

12.3     Legal basis

The processing is necessary in order to safeguard the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 16.2.

12.4     Recipient and transfer to third countries

By integrating YouTube, personal data may be transmitted to YouTube LLC or Google. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at https://www.privacyshield.gov/EU-US-Framework.

Prize game

13.   Conducting the prize games

13.1     Description of the processing

We occasionally run prize games. In doing so, we process data from you that you actively provide (e.g. by publishing on social media platforms or by sending a direct message to us).

Participation in our prize games is voluntary. Participation in a prize game results in a prize game contract between you and us, which is free of charge for you. Within the framework of the fulfilment of the contract - namely to determine the winners and to send the prizes - we collect personal data from you. After the closing date for entries, we will determine the winners by lot from all entries.

13.2     CONSENT - WITHDRAWAL OF CONSENT

Every participant in one of the competitions we offer agrees by entering this competition in accordance with Art. 6 Par. 1 letter a GDPR that Goki or companies of the Goki Group (e.g. Spot Versandhaus GmbH) will send him advertising messages about Goki products by post or e-mail until the participant revokes this consent. You can withdraw your consent at any time, without giving reasons, with effect for the future. The withdrawal must be addressed to: Gollnest & Kiesel GmbH & Co KG, Data Protection, Hauptstraße 13-16, 21514 Güster; or by e-mail to: info@goki.eu, subject: data protection.

13.3     Purpose

The processing is carried out for the purpose of carrying out and processing a prize game and for sending advertising messages.

13.4     Legal basis

The processing is necessary for the conclusion and fulfilment of the prize game contract (Art. 6 para. 1 lit. b GDPR). The legal basis for your consent is Art. 6 para. 1 lit. a GDPR.

13.5     Storage duration

The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. The personal data of the participants (first name, surname, address, e-mail address) provided in the context of the competition, as well as further communication with the winners, will be deleted as soon as they object to the use for advertising purposes.

13.6     Recipient and transfer to third countries

Goki will not disclose your personal data to third parties unless you are a winner of the respective prize game. The winner's last name and first name or social media profile name may be published on the social media platforms we use. Your other interaction is stored by the provider of the social media platform, e.g. in the case of Facebook or Instagram by Facebook (Facebook Inc. (Facebook), 1601 S California Ave, Palo Mo, California 94304, USA). Please also note that your interactions with our social media profiles are public and can be viewed by other Internet users. The social media platforms we use also process your personal data in the USA. In each case, they have submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at https://www.privacyshield.gov/EU-US-Framework.

SECURITY MEASURES

14.   Security measures

In order to protect your personal data from unauthorised access, we have provided our website with an SSL or TLS certificate. SSL stands for "Secure-Sockets-Layer" and TLS for "Transport Layer Security" and encrypts the communication of data between a website and your device. You can identify the active SSL or TLS encryption by a small padlock logo, which is displayed on the far left in the address line of the browser.

your rights

15.   Rights of data subjects

With regard to the data processing by our company described above, you are entitled to the following data subject rights:

15.1     Information (Art. 15 GDPR)

You have the right to ask us to confirm whether we are processing personal data concerning you. If this is the case, you have the right, under the conditions set out in Art. 15 of the GDPR, to access this personal data and the other information listed in Art. 15 GDPR.

15.2     Rectification (Art. 16 GDPR)

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed, including by means of providing a supplementary statement.

15.3     Erasure (Art. 17 GDPR)

You have the right to obtain from us the erasure of your personal data without undue delay, and we shall have the obligation to erase your personal data without undue delay where one of the following grounds under Art. 17 of the GDPR applies (e.g. if your data is no longer required for the purpose for which we were using it).

15.4     Restriction of data processing (Art. 18 GDPR)

You have the right to ask us to restrict processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you dispute the accuracy of your personal data, the data processing will be restricted for the period of time that allows us to verify the accuracy of your data.

15.5     Data portability (Art. 20 GDPR)

You have the right, subject to the conditions set out in Art. 20 GDPR, to request the surrender of data concerning you in a structured, common and machine-readable format.

15.6     Withdrawal of consents (Art. 7 para. 3 GDPR)

You have the right to withdraw your previously provided consent for data processing. The withdrawal will take effect from the time you request it (i.e. it will have future effect but no retrospective affect).

15.7     Complaint (Art. 77 GDPR)

If you believe that the processing of your personal data is in breach of the GDPR, you can complain to a supervisory authority. You can submit your complaint to a supervisory authority in the EU member state where you are habitually resident or work, or where the alleged breach took place.

15.8     Prohibition of automated decisions/profiling (Art. 22 GDPR)

Decisions that have legal consequences for you or that could have a significant detrimental affect on you must not be based solely on the automated processing of personal data, including profiling. We do not apply any such processing or profiling to your personal data.

Status: April 2020