Privacy Policy

Privacy Policy

In principle, our website can be used without providing any personal data. However, as soon as a person wishes to use certain services of our company via the website, it may become necessary for us to process personal data. Where there is no legal basis for such processing, we generally ask the person concerned for their consent in advance.

Whenever personal data such as name, address, email address or telephone number is processed, this is always done in accordance with the General Data Protection Regulation and with the country-specific requirements applicable to hurenkind.studio. With this policy, we want to explain which personal data we collect and use, for what purpose and to what extent. At the same time, we inform data subjects of the rights to which they are entitled.

To protect the data processed via this website as effectively as possible, we, as the controller, have implemented a range of technical and organisational measures. Because data transmitted over the internet can, in principle, still contain security gaps, complete protection cannot be guaranteed. Every person is therefore free to provide us with personal data by other means, for example by telephone.

Definitions

Our privacy policy uses the terms introduced by the European legislator in the General Data Protection Regulation (GDPR). It is intended to be clear and understandable for the public as well as for our customers and business partners. For this reason, we explain the most important terms used in advance.

In this policy we use, among others, the following terms:

a) personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). A person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

b) data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

c) processing

Processing means any operation — whether automated or not — performed on personal data. This includes, among other things, collecting, recording, organising and storing, as well as adapting, altering, retrieving and consulting, and further the use, disclosure by transmission or dissemination, the alignment, combination, restriction, and the erasure or destruction of data.

d) restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting its future processing.

e) profiling

Profiling means any form of automated processing of personal data in which such data is used to evaluate certain personal aspects relating to a natural person. The focus is often on analysing or predicting aspects such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) pseudonymisation

Pseudonymisation means processing after which personal data can no longer be attributed to a specific person without the use of additional information. This is provided that such additional information is kept separately and that technical and organisational measures ensure that the data cannot be attributed to an identified or identifiable person.

g) controller or controller responsible for the processing

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are already determined by Union law or the law of the Member States, the controller or the specific criteria for its nomination may be provided for by such laws.

h) processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) recipient

A recipient is any natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not a third party. However, public authorities that may receive data in the framework of a particular inquiry in accordance with Union law or the law of the Member States are not regarded as recipients.

j) third party

A third party is any natural or legal person, public authority, agency or other body, other than the data subject, controller, processor and the persons who, under the direct authority of the controller or processor, are authorised to process the data.

k) consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes. It takes the form of a statement or of a clear affirmative action by which the person signifies agreement to the processing of the personal data relating to them.

Name and address of the controller

The controller for the purposes of the General Data Protection Regulation and other data protection provisions of the EU Member States is:

hurenkind.studio
Oberauerstraße 15
81377 Munich
Germany
hi@hurenkind.studio

Cookies

Like many other websites, the hurenkind.studio website also uses cookies. These are small text files that are stored on the respective device via the browser.

Many of these cookies contain a so-called cookie ID — a unique identifier consisting of a character string. It allows websites and servers to be assigned to the specific browser in which the cookie was stored. This enables the browser of a data subject to be distinguished from other browsers with different cookies and to be recognised by the cookie ID.

By means of cookies, we can provide the users of our website with features and services that would not be possible without this technology. This allows content to be tailored more closely to the needs of users.

The practical benefit becomes apparent in everyday use: anyone visiting a website that uses cookies does not, for example, have to re-enter their access credentials on every visit, because these are recognised via the stored cookie. Another example is the shopping cart of an online shop, which remembers the items placed in it via a cookie.

Whether cookies are set can be controlled by each data subject: using the relevant browser settings, the setting of cookies can be permanently prevented, or already stored cookies can be deleted at any time. These options are available in all common browsers. If cookies are completely deactivated, however, it may no longer be possible to use all functions of our website to their full extent.

Where, in addition to technically necessary cookies, we use cookies that require consent — for example for statistics or analytics purposes — we obtain this consent via a cookie consent banner integrated into our website. Non-essential cookies are only set after explicit consent. The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (German Telecommunications Digital Services Data Protection Act). Consent once given can be withdrawn at any time with effect for the future by reopening and changing the settings in the cookie banner.

Collection of general data and information

Each time our website is accessed — whether by a person or an automated system — various general data and information is collected and stored in the server’s log files. The data collected may include (1) the browser type and version used, (2) the operating system of the accessing system, (3) the website from which the access is made (referrer), (4) the individual sub-pages accessed, (5) the date and time of access, (6) the IP address, (7) the internet service provider of the accessing system, and (8) other similar data used to avert danger in the event of attacks on our IT systems.

hurenkind.studio does not draw any conclusions about individual persons from this general data. Rather, we need it in order to (1) deliver the content of our website correctly, (2) optimise this content as well as the related advertising, (3) ensure the ongoing operation of our IT systems and the technology used, and (4) provide law enforcement authorities with the information necessary in the event of a cyberattack. This anonymously collected data is, on the one hand, evaluated statistically and, on the other hand, used to further improve data protection and data security in our company, so as to ensure a high level of protection for the personal data we process. The anonymous log file data is stored separately from all personal data provided by a data subject.

Hosting and provision of the website via Squarespace

Our website is created and operated using the website builder and content management system provided by Squarespace. The provider is Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, D08 WV48, Ireland; the parent company is Squarespace, Inc., 225 Varick Street, 12th Floor, New York, NY 10014, USA. Through this service, our website is created, hosted and delivered.

When a data subject accesses our website, Squarespace processes various personal data on our behalf. This includes, in particular, technical access data such as the IP address, information about the browser and device, the date and time of access, and other data necessary to deliver and secure the website. This processing is technically necessary in order to provide the website in a stable, secure and functional manner. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in a reliable and secure online presence. Where consent has been obtained, the processing is based exclusively on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as it concerns the storage of cookies or access to information on the end device; this consent can be withdrawn at any time.

When using Squarespace, personal data may be transferred to the USA to the parent company Squarespace, Inc. This company is certified under the EU-U.S. Data Privacy Framework (DPF). In addition, Squarespace bases transfers to third countries on the European Commission’s Standard Contractual Clauses pursuant to Art. 46 GDPR.

Squarespace Analytics

Our website uses Squarespace Analytics, the analytics feature integrated into the Squarespace system of the provider named above. It evaluates the behaviour of our visitors so that we can understand the performance of the website — for example, based on page views, the origin of visits (referrer) and user behaviour.

In order to recognise visitors across multiple page views, Squarespace Analytics uses techniques such as cookies or comparable technologies and forms pseudonymised usage profiles from them. The data collected includes, among other things, information about the browser, network and device, the IP address, and the date and time of the visit; in some cases this constitutes personal data. In the course of the evaluation, this data may also be transferred to the parent company Squarespace, Inc. in the USA.

Where consent has been obtained, the use of Squarespace Analytics is based exclusively on Art. 6(1)(a) GDPR and Section 25(1) TDDDG. We obtain this consent via our cookie consent banner; it can be withdrawn at any time with effect for the future. If no consent has been given, we base the processing — insofar as legally permitted — on our legitimate interest in the statistical evaluation of user behaviour for the further development of our online presence pursuant to Art. 6(1)(f) GDPR.

Online shop, order processing and payment processing

We operate an online shop via our website. If a data subject places an order there, the processing of personal data is necessary in order to fulfil the contract. This includes, in particular, master data such as name, billing and delivery address and email address, as well as other information required for the performance of the contract. The basis for this processing is the performance of the purchase contract, including pre-contractual measures; the legal basis is Art. 6(1)(b) GDPR.

The data arising during the order process is processed and stored via the shop function of Squarespace. For processing payments, we use external payment service providers to whom we pass on the data necessary for the respective payment method.

Data collected in connection with an order is retained for the purpose of performing the contract until the contract has been completed — and beyond that insofar and for as long as statutory retention obligations exist, in particular under commercial and tax law. Once these periods have expired, we delete the data, provided it is no longer required for the performance of the contract or for the establishment, exercise or defence of legal claims.

Routine erasure and blocking of personal data

We process and store the personal data of a data subject only for as long as is necessary to achieve the respective purpose of storage — or insofar as this is provided for by the European legislator or by other competent legislators in laws or regulations to which we, as the controller, are subject.

If the purpose of storage no longer applies, or if a statutory storage period expires, the data concerned is routinely blocked or erased in accordance with the statutory provisions.

Rights of the data subject

a) Right to confirmation

Every data subject has the right granted by the European legislator to obtain from us confirmation as to whether personal data concerning them is being processed. Anyone wishing to exercise this right may contact one of our employees at any time.

b) Right of access

Every data subject has the statutory right to obtain, at any time and free of charge, information about the personal data stored concerning them, as well as a copy of this information. In addition, they are entitled to information about the following:

  • the purposes of the processing
  • the categories of personal data processed
  • the recipients or categories of recipients to whom the data has been or will be disclosed, in particular recipients in third countries or international organisations
  • where possible, the envisaged storage period or — if that is not possible — the criteria used to determine it
  • the existence of a right to rectification or erasure of the data concerning them, to restriction of processing, or a right to object to the processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • where the data was not collected from the data subject: all available information as to its source
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and — at least in those cases — meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing

The data subject also has the right to obtain information as to whether their data has been transferred to a third country or to an international organisation. Where this is the case, the data subject may also request information about the appropriate safeguards relating to that transfer.

Anyone wishing to exercise this right of access may contact one of our employees at any time.

c) Right to rectification

Every data subject has the statutory right to obtain the immediate rectification of inaccurate data concerning them. Taking into account the purposes of the processing, they also have the right to have incomplete data completed — including by means of a supplementary statement.

Anyone wishing to exercise this right to rectification may contact one of our employees at any time.

d) Right to erasure (right to be forgotten)

Every data subject has the statutory right to obtain from us the immediate erasure of data concerning them where one of the following grounds applies and the processing is not necessary:

  • The data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws the consent on which the processing is based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
  • The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects pursuant to Art. 21(2) GDPR.
  • The data has been processed unlawfully.
  • The erasure is necessary for compliance with a legal obligation under Union law or the law of the Member States to which we are subject.
  • The data was collected in relation to the offering of information society services referred to in Art. 8(1) GDPR.

If one of these grounds applies and a data subject wishes to arrange for the erasure of data stored at hurenkind.studio, they may contact one of our employees at any time. We will then ensure that the erasure request is complied with without delay.

Where data has been made public by hurenkind.studio and we are obliged to erase it pursuant to Art. 17(1) GDPR, we will — taking account of available technology and the cost of implementation — take reasonable measures, including of a technical nature. The aim is to inform other controllers processing the published data that the data subject has requested the erasure of all links to, and copies or replications of, that data, insofar as the processing is not necessary. We will take the necessary steps in each individual case.

e) Right to restriction of processing

Every data subject has the statutory right to obtain from us the restriction of processing where one of the following conditions is met:

  • The data subject contests the accuracy of the data — for a period enabling us to verify its accuracy.
  • The processing is unlawful, but the data subject opposes the erasure of the data and instead requests the restriction of its use.
  • We no longer need the data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defence of legal claims.
  • The data subject has objected to the processing pursuant to Art. 21(1) GDPR, and it is not yet clear whether our legitimate grounds override theirs.

If one of these conditions is met and a data subject wishes to request the restriction of data stored at hurenkind.studio, they may contact one of our employees at any time. We will then arrange for the restriction of the processing.

f) Right to data portability

Every data subject has the statutory right to receive the data concerning them, which they have provided to us, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and is carried out by automated means. This does not apply insofar as the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

In exercising this right pursuant to Art. 20(1) GDPR, the data subject also has the right to have the data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

To assert this right, the data subject may contact an employee of hurenkind.studio at any time.

g) Right to object

Every data subject has the statutory right, on grounds relating to their particular situation, to object at any time to the processing of data concerning them, insofar as this is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

In the event of an objection, hurenkind.studio will no longer process the data concerned — unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims.

Where hurenkind.studio processes data for the purposes of direct marketing, the data subject may object at any time to such processing; this also applies to any associated profiling. If the data subject objects to processing for marketing purposes, we will no longer use the data for these purposes.

In addition, the data subject has the right, on grounds relating to their particular situation, to object to processing carried out by hurenkind.studio for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89(1) GDPR — unless the processing is necessary for the performance of a task carried out in the public interest.

To exercise the right to object, the data subject may contact any employee of hurenkind.studio directly. Notwithstanding Directive 2002/58/EC, the data subject is also free, in the context of the use of information society services, to exercise their right to object by automated means using technical specifications.

h) Automated individual decision-making, including profiling

Every data subject has the statutory right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them. This does not apply if the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the controller, (2) is authorised by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.

If the decision (1) is necessary for entering into or performing a contract, or (2) is based on explicit consent, hurenkind.studio takes suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject. This includes at least the right to obtain human intervention on the part of the controller, to express one’s point of view, and to contest the decision.

If the data subject wishes to assert rights relating to automated decision-making, they may contact one of our employees at any time.

i) Right to withdraw consent under data protection law

Every data subject has the statutory right to withdraw consent to the processing of personal data at any time, once given.

Anyone wishing to make use of this right of withdrawal may contact one of our employees at any time.

Data protection for applications and in the application procedure

We collect and process the personal data of applicants for the purpose of handling the application procedure; this may also be done electronically. This is the case in particular where application documents are submitted to us by electronic means — for example by email or via a web form on our website. If an employment contract is concluded, we store the transmitted data in compliance with the statutory provisions for the purpose of managing the employment relationship. If no employment contract is concluded, we automatically delete the application documents two months after notification of the rejection decision — unless other legitimate interests on our part prevent such deletion. One such legitimate interest is, for example, the burden of proof in proceedings under the German General Equal Treatment Act (AGG).

Legal basis for the processing

For processing operations for which we obtain consent for a specific purpose, Art. 6(1)(a) GDPR serves as our legal basis. Where the processing is necessary for the performance of a contract to which the data subject is party — for example when goods are supplied or other services are provided — it is based on Art. 6(1)(b) GDPR. The same applies to processing carried out to perform pre-contractual measures, for example in the case of enquiries about our products or services. Where we are subject to a legal obligation that requires processing — for example to fulfil tax obligations — Art. 6(1)(c) GDPR is the basis. In rare cases, processing may become necessary to protect the vital interests of the data subject or of another natural person; this would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance details or other vital information then had to be passed on to a doctor, hospital or other third party — in which case Art. 6(1)(d) GDPR applies. Finally, processing may be based on Art. 6(1)(f) GDPR. This basis covers operations not captured by any of the grounds mentioned above, provided that the processing is necessary to safeguard a legitimate interest of our company or of a third party, and that the interests, fundamental rights and freedoms of the data subject do not override it. Such processing is permitted to us in particular because it was expressly mentioned by the European legislator; the legislator took the view that a legitimate interest may be assumed where the data subject is a customer of the controller (Recital 47, sentence 2 GDPR).

Legitimate interests pursued in the processing

Where processing is based on Art. 6(1)(f) GDPR, our legitimate interest lies in carrying out our business activities for the benefit of all our employees and shareholders.

Period for which the personal data will be stored

The criterion for the storage period of personal data is the respective applicable statutory retention period. Once this period has expired, we routinely delete the data concerned, provided it is no longer required for the performance or initiation of a contract.

Provision of personal data: requirements, necessity and consequences

We point out that the provision of personal data is in part required by law (for example by tax regulations) or may result from contractual arrangements (for example, information about the contractual partner). In some cases, the conclusion of a contract requires that a data subject provide us with personal data, which we must subsequently process. For example, the data subject is obliged to provide us with data if our company concludes a contract with them; if the data is not provided, the contract could not be concluded. Before providing the data, the data subject may contact one of our employees, who will explain in each individual case whether the provision of the data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the data, and what the consequences of not providing it would be.

Existence of automated decision-making

As a responsible company, we do not use automated decision-making or profiling.