Privacy

1. General Information
1.1 Processing of Personal Data
1.2 Controller
1.3 Rights of the Data Subject
1.4 Recipients (general information)
2. Collection and Processing of Personal Data when visiting our Website
2.1 Hosting
2.2 Cookies/Tools
2.2.1 Consentmanager CMP – Central cookie management platform
2.2.2 Google Analytics
2.2.3 Google Tag Manager
3. Further services offered (on- and offline)
3.1 Contacting/Communication/Collaboration
3.2 Campaigns (e.g. Sweepstakes, Product Tests)
3.3 Surveys
4. Objection or Withdrawal of your consent to the Processing of Personal Data

1. General Information

The purpose of this privacy policy is to provide you with information concerning the processing of personal data when using our website and related services. This privacy policy applies to all websites or services that refer to this privacy policy.

1.1. Processing of Personal Data

Personal data (in short, "data") within the meaning of Art. 4 of the EU General Data Protection Regulation (GDPR) means any information relating to an identified or identifiable natural person, e.g. name, address, email address, etc.

1.2. Controller

Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Unnastraße 48, D-20245 Hamburg, Tel: +49 (40) 4909-0, Fax: +49 (40) 4909-3434, hello[at]oscar-and-paul.com (see our imprint).

Contact details of the data protection officer: Dataprotection[at]Beiersdorf.com or under the postal address of the controller for the attention of the “data protection officer”.

Specific data processing activities might occur under the responsibility of other controllers. It is indicated in the respective description of those activities below, where this is the case.

1.3. Rights of the Data Subject

As a data subject affected by the data processing activity, you have the following rights with regard to your personal data in accordance with the legal provisions:

  • Right of access;
  • Right to rectification and to erasure;
  • Right to restriction of processing;
  • Right to data portability; and
  • Right to object.

Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data.

When we process a request concerning your above-mentioned rights, we may ask you for proof of your identity. For more information on how we process your data, see 3.1.

1.4. Recipients (general information)

In addition to the recipients listed in the recipients paragraph of each section below, we transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors in accordance with the purposes required. We also forward the data to the following recipients:

-Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Analytical service providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-IT support service providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Authorities: In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies acc. to: Art. 6 (1) c GDPR (legal obligation).

Further information can be found within the recipients paragraph of each section.

2. Collection and Processing of Personal Data when visiting our Website

We already collect personal data when you visit and use our website. This section provides more information about website-specific processes and tools, especially those from external partners. Further information about processes which can also occur in an offline context can be found in section 3.

2.1 Hosting

Purpose/Information:
When visiting and using our website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server, which are technically necessary for us to display our website to you and to guarantee stability and security.

Used Cookies/Tools: Type A. More information can be found in the “Cookies/Tools” section.

Recipients:
-Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Service Provider for IT-Support will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion:
The deletion of the log files takes place after 7 days.

Legal basis:
Art. 6 (1) f GDPR (legitimate interest)

2.2 Cookies/Tools

This website uses cookies or other technologies/tools like pixels, local storage, tags, IDs or external services (hereinafter referred to as “Cookies/Tools”) when you visit and use our website. Cookies are small text files that are stored by your browser on your device to save certain information or image files, such as pixels. The next time you visit our website on the same device, the information saved in the cookies will subsequently be accessed on your device and transmitted either to our website (“First Party Cookie”) or to another website to which the cookie belongs (“Third Party Cookie”).

Through the information saved and returned, the respective website can recognise that you have already accessed and visited it with the browser you use on that device. We use this information to be able to design and display the website in an optimum way in line with your preferences. In that respect, only the cookie itself is identified on your device. Beyond this extent, your personal data will only be saved upon your express consent or if it is strictly necessary to be able to use the service offered to and accessed by you accordingly.

This website uses the following types of cookies/tools, the scope and functionality of which are explained below:

  • Type A: Technical/Audience Measurement – to ensure that the demanded service can be provided including basic analysis. (No consent necessary acc. to ePrivacy Directive 2002/58 EC).
  • Type B: Functional and Performance – Additional tools to measure the performance/attractiveness of our website and to provide further additional (personalised) functionalities.
  • Type C: Marketing – Cross-website tools for marketing profiling based on user behaviour.

You can find more information in the description of the tools implemented on our websites in this privacy policy. If this website uses a consent management platform, you can find further information there.

Please note that the tools listed in the following subsection might not be constantly in use.

2.2.1 Consentmanager CMP – Central cookie management platform

Purpose/Information:
This website is using the consent management tool “Consentmanager” (www.consentmanager.net) to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalised advertising. With the help of “Consentmanager” you can grant or reject your consent for all or individual purposes or functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned functions and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from your end device, such as the IP address, are processed.

By processing the data, consentmanager helps us to fulfil our legal obligations (e.g. obligation to provide evidence). Our interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active.

The provision of your personal data is required for the performance of the contract or a situation similar to a contract. You are not obliged to provide your personal data. If your personal data is not provided, you cannot use the described service.

Cookies/Tools: Type A. More information can be found in the “Cookies/Tools” section.

Recipients:
Main service provider is Consentmanager AB, Håltegelvägen 1b, 72348 Västerås Sweden.

Further recipients can be found in the general recipients section 1.4.

Deletion:
The data will be deleted after 13 months. The choice you have made (consent/setting) will be stored for one year and can be viewed here. You can always delete your choice by deleting the cookies within your browser.

Legal basis:
Art. 6 (1) b GDPR (situation similar to a contract)
Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)

2.2.2 Google Analytics

Purpose/Information:
This website uses Google Analytics, a web analysis service of Google Ireland Ltd. (“Google”). The configuration of Google Analytics has been modified by us to the measurement-only function, unless separate consent for further advertising features has been given.

Google Analytics uses a specific form of cookie, which is stored on your computer and enables an analysis of your use of our website. The cookies set by Google Analytics for measurement are first party cookies, which means that data subjects’ cookie values will be different for each customer (i.e. there is not a single Google Analytics cookie ID that is used on all sites using Google Analytics). The information about your use of this website generated by the cookie is generally transmitted to a Google server in the USA and stored there.

We would like to point out that Google Analytics has been expanded on this website to include the code “gat._anonymizeIp();” to ensure the anonymised recording of IP addresses (so-called IP masking). Due to the IP anonymization on this website, your IP address is shortened by Google within the territory of the EU and the Treaty States of the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

Google uses this information on our behalf to analyse your use of this website in order to compile reports on website activities and provide additional services related to website and internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

We use Google Analytics to analyse and regularly improve the usage of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user. In addition, we gain information about the functionality of our site (for example to detect navigation problems).

In the configuration of Google Analytics, we ensured that Google receives this data as a processor and is therefore not allowed to use this data for its own purposes. The "Google Analytics Advertising Features" configuration is independent from this and is described in the appropriate section below, provided it is also used on this website.

Cookies/Tools: Type B. More information can be found in the “Cookies/Tools” section.

Recipients:
Main service provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics Terms of Service: https://www.google.com/analytics/terms/gb.html, General overview on Google Analytics security and privacy principles: https://support.google.com/analytics/answer/6004245?hl=en, as well as Google’s privacy policy: https://policies.google.com/privacy?hl=en.

Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion/Withdrawal:
You can deactivate this tool via the Cookie Settings here.

Cookie lifetime: up to 12 months (this applies only to cookies which have been set by this website)

Maximum storage period of data: up to 26 months.

Legal basis:
Art. 6 (1) a GDPR (consent)

2.2.3 Google Tag Manager

Purpose/Information:
This website uses the Google Tag Manager. This service allows website tags to be managed through an interface. The Google Tag Manager only implements tags. This means that no cookies are used and no personal data are stored. The Google Tag Manager triggers other tags, which in turn collect data if necessary. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains valid for all tracking tags if they are implemented with the Google Tag Manager.

Cookies/Tools: Type A. More information can be found in the “Cookies/Tools” section.

Recipients:
Main service provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion:
The Google Tag Manager does not store any personal data.

Legal basis:
Art. 6 (1) f GDPR (legitimate interest)

3. Further services offered (on- and offline)

In addition to the online use of our website, we offer various other services, for which we process your personal data also in an offline context.

Contrary to 1.2, in some cases a Beiersdorf Company is Controller for the services offered below, which has already been named to you as part of the communication. If reference is therefore made to sections of this privacy policy, e.g. by link, and a Controller has already been named, e.g. in the footer/signature of an email or campaign card, this person is the Controller in accordance with Art. 4 No. 7 GDPR.

3.1 Contacting/Communication/Collaboration

Purpose/Information:
When communicating and/or collaborating with us, e.g. by email or via contact form on our website, data exchange platform, be it e.g. as a consumer, test person, business partner or customer, the data you provide (your email address, if applicable your name and your telephone number, or personal data submitted during the conversation) will be stored and processed by us in order to e.g. answer your questions, requests or for the purpose of business related correspondence.

With regard to the cooperation with our suppliers, we have implemented an internal evaluation process which, in our legitimate interest, is intended to improve the business relationship by developing an "action plan". As a rule, we only process information about the company, but conclusions can be drawn about you as the contact person, if the communication with suppliers is examined with regard to response times, reliability and transparency.

We may ask you when you contact us by telephone as a consumer whether the telephone call may be recorded for quality assurance and training measures. If you agree to the recording, we will process all information that you share with us during the call (communication content, possibly also sensitive (health) data, as well as your phone number and other personal data).

When processing data arising in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal verification or in accordance with the respective communication request.

The provision of your personal data is required for the performance of the contract or a situation similar to a contract. You are not obliged to provide your personal data. If your personal data is not provided, you cannot use the described service.

Controller:
If you purchase products in the eShop Beiersdorf NV, De Passage 126-136, 1101 AX Amsterdam, Netherlands, Beiersdorf NV is responsible for the data processing described in this clause. This also applies to any questions about your order that you might ask through the contact form provided in the eShop. For all other cases of contacting/communication/collaboration, the controller is the one named under clause 1.2 above.

Recipients and sources:
In order to combat terrorism, we are obliged by law to carry out a comparison with sanctions lists. Therefore, we also process your data to meet legal requirements for comparison with these lists. Furthermore, we process your data in the Beiersdorf Group for the prevention and investigation of criminal offences and other misconduct, the assessment and control of risks, for internal communication and for corresponding administrative purposes. If an affiliated company reports a need to work with you as a supplier, we will share our experiences from working with you with the affiliated company.

If you are a business partner, we will compare your data against published lists of misleading suppliers (e.g. warning lists of World Intellectual Property Organization and Bundesanzeiger Verlag GmbH) to make an informed decision about potential payments. We also regularly check your creditworthiness in certain cases (e.g. when concluding contracts). Our legitimate interest is the minimization of the financial risk. For this purpose, we cooperate with credit agencies from which we receive the necessary data. For this purpose we transmit your name and your contact data to the credit agencies.

If you are a business customer or partner, it may be necessary to transfer your personal data to prospective buyers as part of a company transaction. In the course of due diligence, usually anonymised data is processed. However, it may be necessary in specific individual cases to process personal data. Our legitimate interest lies in the execution of the company transaction.

Additionally we transfer the data to the following recipients:

  • Customer/Consumer service providers
  • Platform/hosting provider

Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. Additionally binding corporate rules were approved at a platform/hosting provider. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion/Objection:
We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

In case of consumer inquiries through our internal consumer management tool, the personal data will usually be deleted after one year, if no other legal retention periods apply. As an exception, the data will be kept longer if the data is necessary for the establishment, exercise or defence of legal claims.

Call recordings are stored for a maximum of 90 days.

You can object to these processes according to the requirements under 3.

Legal basis:
Art. 6 (1) a GDPR in conjunction with Art. 9 (2) a GDPR (consent: telephone recording)
Art. 6 (1) b GDPR (when processing in the context of a contract or a situation similar to a contract)
Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)
Art. 6 (1) f GDPR (when processing according to the legitimate interest described above)

3.2 Campaigns (e.g. Sweepstakes, Product Tests)

Purpose/Information:
When you participate in sweepstakes or similar campaigns, we use the personal information you provide to conduct the campaign. Further information on the purposes can be found in the respective terms and conditions of the campaign.

The provision of your personal data is required for the performance of the contract or a situation similar to a contract. You are not obliged to provide your personal data. If your personal data is not provided, you cannot use the described service.

Recipients:

  • Platform/hosting provider
  • Consumer service provider
  • Shipping service provider (e.g. for sending samples, prizes)
  • External agencies for support in campaigns

Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. Additionally binding corporate rules were approved at a platform/hosting provider. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion:
Your data will be deleted after the final processing of the campaign (see terms and conditions of participation), unless this conflicts with statutory retention obligations or statutes of limitations.

Legal basis:
Art. 6 (1) b GDPR (situation similar to a contract)

3.3 Surveys

Purpose/Information:
When you participate in surveys or similar campaigns, we process the personal information for the purpose described in the consent. The collected data covers questions around the intended purpose of the survey or similar campaign, as well as additional socio-demographic information about you. You may participate without identifying yourself, unless this has been part of the consent.

For some surveys it is necessary to ensure technically that no double participation or resumption of the survey is possible. This can be done, for example, through the use of individualised links or cookies.

Cookies used: Type A. More information can be found in the “Cookies/Tools” section.

Recipients:

  • Platform/hosting providers
  • Consumer management service provider
  • External agencies for survey support

Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. Additionally binding corporate rules were approved at a platform/hosting provider. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4.

Deletion:
Your data will be deleted after the final processing of the survey or similar campaign (see terms and conditions of participation), unless this conflicts with statutory retention obligations or statutes of limitations. Usually, data will be deleted after two years.

Cookie lifetime: up to 180 days (this applies only to cookies which have been set by this website)

Legal basis:
Art. 6 (1) a GDPR (consent)

4. Objection or Withdrawal of your consent to the Processing of Personal Data

If you have given your consent (Art. 6 (1) a GDPR) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on the weighing of interests (Art. 6 (1) f GDPR), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the description of the functions / services. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your objection under the above-mentioned contact details for the controller.