Data Protection Information
Degussa Sonne/Mond Goldhandel GmbH, Kettenhofweg 29, 60325 Frankfurt am Main, Germany, (hereinafter „Degussa“ or „we“) provides the Degussa website under the domain degussa-global-custodian.com to which this Data Protection Information applies.
In the following you will find information about the controller and the data protection officer of the controller (Section A), as well as your rights in relation to the processing of your personal data (Section B). You will also find below information about the processing of your personal data (Section C).
A. Information on the controller
I. Identity and contact details of the controller
Degussa Sonne/Mond Goldhandel GmbH
Kettenhofweg 29
60325 Frankfurt
Germany
Phone: 0800 / 1882288
E-Mail: info@degussa-goldhandel.de
II. Identity and contact details of the controller’s data protection officer
@-yet-GmbH
Schloss Eicherhof
42799 Leichlingen
Germany
Phone: 02175 / 16550
E-Mail: datenschutz@degussa-goldhandel.
Information on the rights of data subjects
As a data subject, you have the following rights with regard to the processing of your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (”right to be forgotten”) (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
You may contact us for the purpose of exercising these rights using the contact information in Section A.
Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section C of this Data Protection Information.
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
Below you find more detailed information on your rights with regard to the processing of your personal data:
I. Right of acccess
As a data subject, you have a right to obtain access and information under the conditions provided in Art. 15 GDPR.
This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Art. 15 (1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 (1) (a), (b) and (c) GDPR).
You can find the full extent of your right to access and information in Art. 15 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
II. Right to rectification
As a data subject, you have the right to rectification under the conditions provided in Art. 16 GDPR.
This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.
You can find the full extent of your right to rectification in Art. 16 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
III. Right to erasure (“right to be forgotten”)
As a data subject, you have a right to erasure (”right to be forgotten”) under the conditions provided in Art. 17 GDPR.
This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Art. 17 (1) GDPR applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Art. 17 (1) (a) GDPR).
If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Art. 17 (2) GDPR).
The right to erasure (”right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Art. 17 (3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Art. 17 (3) (b) and (e) GDPR).
You can find the full extent of your right to erasure (”right to be forgotten”) in Art. 17 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
IV. Right do restriction of processing
As a data subject, you have a right to restriction of processing under the conditions provided in Art. 18 GDPR.
This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Art. 18 (1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Art. 18 (1) (a) GDPR).
Restriction means that stored personal data are marked with the goal of restricting their future processing (Art. 4 (3) GDPR).
You can find the full extent of your right to restriction of processing in Art. 18 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
V. Right to data portability
As a data subject, you have a right to data portability under the conditions provided in Art. 20 GDPR.
This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out by automated means (Art. 20 (1) GDPR).
You can find information as to whether an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR in the information regarding the legal basis of processing in Section C of this Data Protection Information.
In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Art. 20 (2) GDPR).
You can find the full extent of your right to data portability in Art. 20 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
VI. Right to object
As a data subject, you have a right to object under the conditions provided in Art. 21 GDPR.
At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.
More detailed information on this is given below:
1. Right to object on grounds relating to the particular situation of the data subject
As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) (e) or (f), including profiling based on those provisions.
You can find information as to whether an instance of processing is based on Art. 6 (1) (e) or (f) GDPR in the information regarding the legal basis of processing in Section C of this Data Protection Information.
In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
2. Right to object to direct marketing
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section C of this Data Protection Information.
If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.
You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
VII. Right to withdraw consent
Where an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, as a data subject you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR,. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.
You can find information as to whether an instance of processing is based on Art. 6 (1) (a) or Art. 9 (2) (a) GDPR in the information regarding the legal basis of processing in Section C of this Data Protection Information.
VIII. Right to lodge a complaint with a supervisory authority
As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Art. 77 GDPR.
You can find the contact information of the supervisory authority responsible for us here: https://www.bfdi.bund.de/SharedDocs/Adressen/EN/LfD/Hessen.html.
C. Information on the processing of personal data
I. Informational use of our website
When the use of our website is purely informational, certain information is sent to the web server of our website from your device for technical reasons, for example your IP address. We process this information in order to provide our website content requested by you and to ensure the security of the IT infrastructure used to provide our website. To ensure the security of the IT infrastructure used to provide the website, this information is also temporarily stored in a so-called server log file.
Categories of personal data processed | Personal data included in the categories | Sources of the data | Obligation of the data subject to provide the data | Storage duration |
Protocol data which accrue when visiting our website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons (“HTTP Data”). | These include IP address, type and version of your internet browser, operating system used, site accessed, last site accessed before visiting the site (referrer URL), date and time of visit. | User of our website | The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the data is not provided, we cannot provide the content of our website requested by you. | The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved. |
Purpose of processing the personal data | Categories of personal data processed | Automated decision-making | Legal basis and, where applicable, legitimate interests | Recipient |
Provision of content of our website requested by the user: For this purpose, data are temporarily processed on our web server. | HTTP Data | No automated decision-making takes place. | Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is the provision of the content of our website requested by the user. | Hosting Provider IT Provider |
Ensuring the security of the IT infrastructure used for the provision of our website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks): For this purpose, data are temporarily stored in log files on our web server and automatically evaluated. | HTTP Data | No automated decision-making takes place. | Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is ensuring the security of the IT infrastructure used for the provision of our website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks). | Hosting Provider IT Provider |
Recipient | Recipient’s role | Transfers to third countries and/or international organisations | Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations |
Hosting Provider: | Processor | There is no transfer to third countries and/or international organisations | – |
IT Provider: | Processor | There is no transfer to third countries and/or international organisations | – |
II. Use of third-party provider plug-ins (video plug-in)
So-called ”third-party provider plug-ins” are embedded in our website, with which you can use functions on our website offered by third-party providers. The plug-ins are embedded in our website by way of a ”2-click solution”. With this solution, the relevant plug-in is not activated directly when our website is accessed, but only once you click on the activation button provided for the relevant plug-in.
If you activate a third-party provider plug-in, you use a function offered by the provider of the respective plug-in under their own responsibility, which is only visually embedded in the presentation of our website. When activating the respective plug-in, the provider of the respective plug-in may receive personal data from you.
You receive more detailed information on this below:
1. Third-party provider plug-ins embedded in our website
The following third-party provider plug-ins are embedded in our website, with which you can use the functions on our website offered by third-party providers:
Plug-in | Third-party provider | Further information of the provider of the plug-in |
YouTube player | Google: For users based in the European Economic Area or Switzerland: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Otherwise: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA | More detailed information on the function can be found in the provider’s description: https://developers.google.com/youtube/iframe_api_reference Additional information on data processing by the provider can be found in the Data Protection Information of the provider: https://policies.google.com/privacy?hl=en&gl=en |
2. Processing of personal data by provider of the third-party provider plug-in
The third-party provider plug-ins are embedded in our website by means of a ”2-click solution”. With this solution, the relevant plug-in is not activated directly when our website is accessed, but only once you click on the activation button provided for the relevant plug-in. The activation button contains the designation of the relevant plug-in and, if applicable, a logo of the third-party provider.
It is ensured with the 2-click solution that your internet browser does not initially connect to the servers of the provider of the relevant plug-in when you access our website. When you access our website, the provider of the relevant plug-in therefore initially cannot collect any personal data regarding you via this plug-in. The relevant plug-in is only activated in case you click on the button provided for activating this plug-in. Once activated, a connection is established to the servers of the provider of the relevant plug-in. The provider of the relevant plug-in can also receive personal data from you when the relevant plug-in is activated. The activation of the relevant plug-in can be compared technically with clicking on a link to an external website, with the difference that the content requested in the process does not appear in a new window/tab of your internet browser, but are visually embedded in our website. The data exchange initiated by you by activating and using the relevant plug-in only takes place between your internet browser and the servers of the provider of the relevant plug-in. If you activate a third-party provider plug-in, you therefore use a function offered by the provider of the relevant plug-in under its responsibility, which is visually embedded in the layout of our website.
When the relevant plug-in is activated, the provider of this plug-in can (comparable to accessing an external website via a link) in particular receive your IP address and the address (URL) of the website, from where you carried out the activation. The provider of the activated plug-in can also receive information from any cookies of the relevant provider stored in your internet browser. The provider of the relevant plug-in can therefore, due to the activation of this plug-in initiated by you, already receive at least the information that our website has been accessed from the IP address allocated to you at the time of access. If you are registered as a user with the relevant third-party provider, the provider of the relevant plug-in can also typically allocate the data it received to your user account. We emphasise that we do not have any knowledge about the personal data the provider actually obtains. We also do not have any knowledge about specific purposes of the processing of data collected by the provider of the relevant plug-in or about any further details of the data processing of the relevant provider. In particular, we also do not know whether the relevant provider only processes the data collected to provide the function of the relevant plug-in (e.g. to share certain content or to make a comment) or, beyond this, for any other purposes (e.g. to create usage profiles or to personalise advertising).
3. Data transfer to third countries without an appropriate level of security
It is possible that by using a plug-in activated by you, personal data is transferred to third countries for which there is no so-called adequacy decision by the European Commission and no appropriate safeguards are provided for. To that extent there is the risk that there is no appropriate level of security for the transferred data. This means that your personal data which the third-party provider receives from you may not be subject to a level of security comparable to the General Data Protection Regulation. This in particular means there may not be compliance with the principles for the processing of personal data laid down in Art. 5 GDPR. It may also be the case that no enforceable rights or effective remedies are available to you with respect to the processing of personal data. We inform you when you activate the relevant plug-in about these risks which may exist for you regarding such data transfers without the existence of an adequacy decision or appropriate safeguards. If you click of the activation button provided for the relevant plug-in, you accept these possible risks in your own responsibility.
III. Booking an appointment with us
When clicking on the button “book appointment” on our website, we offer you the possibility to book an appointment with us via email.
When you book an appointment with us by email, certain information is technically required, which we process in order to provide the email infrastructure and to ensure its security.
When you book an appointment with us via email, we also process personal data to process your request including communicating with you to make an appointment with you. Where applicable, we also process the information for evidence purposes for any assertion, exercise or defence of legal claims or in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations, or to provide personal data on the instructions of supervisory authorities, law enforcement agencies, courts or other public bodies in order to comply with legal obligations.
You receive more detailed information on this below:
Categories of personal data processed | Personal data included in the categories | Sources of the data | Obligation of the data subject to provide the data | Storage duration |
Data that is generated for technical reasons when booking an appointment with us via e-mail (“E-mail-Traffic Data”) | This includes email addresses, date and time of emails, IP addresses and information about the servers involved in the e-mail communication. | Data subjects | The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the data is not provided, you cannot book an appointment with us via email. | The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved. |
Data that you provide to us to process your appointment request via e-mail (“Request Data”). | Depending on your request, this may include for example: First name, last name, contact details (address, telephone number, e-mail address), date of birth, customer number, invoice number, time and date of requested appointment. | Data subject | The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data. If the data is not provided, you cannot book an appointment with us via email. | We store the data until we have made an appointment with you. We also store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which we finished processing your request and in the event of any legal disputes until such have been concluded. We also store these data if any statutory, in particular commercial and tax law document retention obligations exists. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)). |
Data that we generate independently in order to process your request and data from written (including electronic) responses from us to you via email in response to your appointment request (“Documentation and Answer Data”). | This includes the date and time of your request, the date of the deadline for responding to your request, the date of our response to your request, the date of completion of your request and the documentation we have produced about your request (for example, summaries of communications and the actions we have taken to deal with your request). Furthermore, depending on your particular request, this may include, for example, the following data: First name, last name, address, e-mail address, date and time of the reply, content of the reply, time and date of requested appointment, time and date of made appointment. | Generated by us | – | We store the data until we have made an appointment with you. We also store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which we finished processing your request and in the event of any legal disputes until such have been concluded. We also store these data if any statutory, in particular commercial and tax law document retention obligations exists. Depending on the document type, document retention requirements under commercial or tax law can be between six and ten years (sec. 147 German Tax Code (Abgabenordnung – AO), sec. § 257 German Commercial Code (Handelsgesetzbuch – HGB)). |
Purpose of processing the personal data | Categories of personal data processed | Automated decision-making | Legal basis and, where applicable, legitimate interests | Recipient |
Providing our email infrastructure and ensuring its security. | E-mail-Traffic Data Request Data Documentation and Answer Data | No automated decision-making takes place. | Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is to provide the e-mail infrastructure and to ensure its security.. | IT Provider |
Processing your request and making an appointment with you | E-mail-Traffic Data Request Data Documentation and Answer Data | No automated decision-making takes place. | Insofar as your appointment request concerns a contract with you or the performance of pre-contractual measures: Art. 6 (1) (b) GDPR (performance of a contract of which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract). Otherwise: Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is to process your request and to make an appointment with you. | IT Provider |
Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims | Request Data Documentation and Answer Data | No automated decision-making takes place. | Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests): Our legitimate interest is assertion, exercise or defence of legal claims. | – |
Proper accounting and document retention in order to comply with statutory, in particular commercial and tax law document retention obligations | Request Data Documentation and Answer Data | No automated decision-making takes place. | Art. 6 (1) (c) GDPR (Compliance with a legal obligation), in particular compliance with statutory requirements for proper accounting and statutory, in particular professional, commercial and tax law document retention obligations. | –
|
Where applicable, providing personal data on the instructions of supervisory authorities, law enforcement agencies, courts or other public bodies in order to comply with legal obligations. | Request Data Documentation and Answer Data | No automated decision-making takes place. | Art. 6 (1) (c) GDPR (Compliance with a legal obligation), | Supervisory authorities, law enforcement authorities, courts or other public authorities |
Recipient | Recipient’s role | Transfers to third countries and/or international organisations | Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations |
IT Provider: | Processor | There is no transfer to third countries and/or international organisations | – |
Supervisory authorities, law enforcement authorities, courts or other public authorities | Controller | There is no transfer to third countries and/or international organisations | – |
D. Effective date of and changes to this Data Protection Information
The effective date of this Data Protection Information is 22/09/2023.
It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.