Data Protection Policy in Terms of Article 13 GDPR – LUXX United GmbH
We would like to inform you as precisely and clearly as possible about how the special data protection requirements are implemented at our company. In the following data protection policy, we have therefore described the type, scope and purpose of the collection, processing and use of personal data.
The controller for the data processing on these websites is:
LUXX United GmbH
Ronheider Berg 225
Peter Boltersdorf, Managing Director
Phone: +49 241 60 85 97 73
Data Protection Officer
We have appointed an external data protection officer for our company:
ER Secure GmbH
In der Knackenau 4
When our web pages are visited, our system automatically records data and information on the visitor’s end device.
The following data are collected for a limited period of time:
(1) Information on the browser type and version used
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address
(5) Date and time of visit
(6) Websites from which the user’s system reaches our website
The data are stored in the log files of our system. These data are only necessary for the analysis of any malfunctions and erased within seven days. The temporary storing of the IP address by our system is necessary to allow for the delivery of the website to the user’s end device. The user’s IP address must be stored for the length of the session. The storage in log files is to ensure the functionality of the website. Furthermore, the data are intended to optimize the website and protect our IT systems. The data are not analyzed for marketing purposes in this connection and conclusions are not drawn about the person visiting. Our websites are hosted, meaning, they are operated in data centers of our partners and administered by them. The data centers where our webservers run are located exclusively in the EU.
The legal basis for the processing of these data is Art. 6 (1) (f) GDPR. Our interest is in guaranteeing the integrity, confidentiality and availability of the data processed through these web pages.
At our website, you have the possibility of booking a place in one of our seminars. We provide you with a contact form for this. To process your request and reserve a space for you, we need your name and your email address. After processing your request, our employees will get in contact with you by email to complete the booking. Information that you provide in the comments field is absolutely voluntary and not required for the booking. Legal basis: Art. 6 (1) (b) GDPR. It is not possible to book a seminar through our website without providing your full name and your email address.
Registration for Master
At our website, we provide a special “master area” for our trained masters. Here, as a master, you can edit your master profile, buy tests or book participation in seminars or manage your company profile in accordance with your authorizations. Instructors can also enter seminars
If you have completed the master training with one of our trainers, this trainer will set up a profile with some basic data in our system. Then you will receive temporary access to the “Master Area.” For security reasons, we recommend that you change the initial password to your own secure password when logging in for the first time.
Data that we process in connection with the login area:
Profile data: So you can be found by potential customers via our website, you have the opportunity to set up a master profile. The publication of a master profile is completely voluntary. If you decide to publish a profile on our website, all the information you provide, with the exception of some basic data (name, location, contact details), is voluntary. You determine what information is published on our website. You have the opportunity at any time to take your master profile offline and to erase the information contained in it. Legal basis: Art. 6 (1) (a) GDPR. If you decide to publish your profile, you must give us the consent necessary for that. You can revoke this at any time by switching the profile offline via the master area.
Billing data: We process all data required for the purchase transaction (e.g. billing data) only for this purpose and retain it as long as we need it to fulfill our statutory retention and documentation obligations (usually 5-10 years). Legal basis: Art. 6 (1) (b) GDPR. A purchase transaction is not possible with us if you do not provide the purchase and billing data required.
Master newsletter: We inform our masters regularly about new developments at our company and various campaigns (e.g. offers made by the LUXX Academy). For the newsletter, we use the platform CleverReach (CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany). CleverReach makes it easy and secure for us to manage and send our newsletter and the associated data. You have the option to unsubscribe from the newsletter at any time by clicking on the unsubscribe link that is at the bottom of each newsletter. Your email address is then placed on a so-called black list at CleverReach so that you will not receive any other newsletters from us until you subscribe again. The legal basis: Sec. 7 (3) of the German Act against Unfair Competition [UWG] in conj. with Art. 6 (1) (f) GDPR. Our legitimate interest is to inform our masters regularly about special campaigns related to the LUXX profile or seminars and to keep increasing the quality of advice by our masters.
Master info: Our masters receive essential information for the partnership with LUXX via a distributor list. We also handle the administration of the distributor list and its sending through CleverReach (see preceding section). Since this list is used for internal communication and we only distribute information that is necessary for the execution of the contract, you cannot simply unsubscribe to it. Legal basis: Art. 6 (1) (b) GDPR.
Master test: In the course of the master training, your trainer may also give you one of our tests and discuss the results with you so that you can convince yourself of the quality of our tests and the subsequent advisory meetings, and to learn the process for your future customers. This test is stored in the master area in your data and is available to you at any time. Besides you, only your trainer who gave you the test can access it. Legal basis: Art. 6 (1) (b) GDPR (The giving of a test and the subsequent grading are a component of the contract for the master training and are intended to ensure our quality expectations with respect to our masters). If you refuse to take a personal test, this can lead inter alia to you not being admitted as a master with us.
Purchase transaction: When a purchase is made on our website, you have two possibilities for payment.
Payment service provider: You can complete the purchase transaction via our service provider Adyen (Adyen N.V. German Branch, Friedrichstraße 63, Entry Mohrenstraße 17, 10117 Berlin). If you select this option, your billing and purchase data will be transmitted to Adyen during the purchase transaction and you will be redirected to the Adyen page where you have the option to choose various payment methods (e.g. credit card, iDeal, or Sofortüberweisung). Please regard the data protection policy of Adyen and the respective payment service provider.
Purchase by invoice: You also have the option of completing the purchase with us and making payment by invoice. Please speak with us about this option. If you make a purchase by invoice with us, our Accounting department will issue an invoice and you will receive a link to the master area where you can download the invoice. You must transfer the owed amount personally to our account.
We store all billing data in our internal systems for up to 10 years, to comply with our statutory documentation obligations.
Legal basis: Art. 6 (1) (b) GDPR. If you do not provide the required purchase and billing data in each case, you cannot complete the purchase via the selected method.
Blog: Every master can make blog contributions at our website. These posts are published on our website after a review and release by our employees. When a blog contribution is published, your name is stated as the author. Legal basis: Art. 6 (1) (a) GDPR. Publishing blog posts is absolutely voluntary. You can have us erase your blog contributions at any time. To do so, just send us an email at: email@example.com
Company administrator: If you are not only a master with us, but also have a company profile, you can designate a company administrator. This person has extended authorizations in your company area on our website. For example, this person can view the company log. This involves a list of all activities that the masters assigned to the company have carried out. This function is intended to ensure the confidentiality and integrity of the data managed by your company. Accordingly, the administrator can track at any time when what data was changed or erased by whom. The logs, however, should only be analyzed in exceptional cases (e.g. to troubleshoot). Legal basis: Art. 6 (1) (f) GDPR. Our legitimate interest in the production of log files is to ensure the confidentiality and integrity of the processed data.
2-factor authentication: You have the option to make your log-in even more secure by activating the 2-factor authentication. For some user roles in our system, the 2-factor authentication is technically required, since these roles have extended authorizations, and access via these accounts must be secured in particular.
If you take a personality test on our website via a link (e.g. through one of our masters), we will only use the personal data you provide to grade your test and to provide further advice through our masters. The process looks like this:
– During the advising by the master, you will receive a link to the personality test
– You will provide your personal data on the website in question and take the test
– The grading of the test takes place on our webservers, which are hosted by our partners, as described under “Webserver.”
– The results are transmitted to the master so that he or she can discuss the results with you and provide further advice.
– Furthermore, your test results are transmitted anonymously to us (LUXX United GmbH). We cannot draw any conclusions about your person on the basis of the information you provide. The statistical results of the tests are used by us for the research and development of our personality tests.
– After the transmission of the results, they will be stored by us for 1 year so the master can refer back to them or retrieve them. Then they will be erased.
The legal basis for the processing of your data and information in the taking of our personality test is Art. 6 (1) (b) GDPR. Taking the test or grading your results is not possible without the complete entry of your data.
If you take a test in consultation with your master, and special categories of personal data in accordance with Art. 9 GDPR (in this case, questions about your sex life) are processed, we need your consent to give the test. You can consent at the beginning of the test. The legal basis for the processing of special categories of data is then Art. 9 (2) (a) GDPR.
Google Web Fonts
To ensure that our websites are always displayed in the same way on the different systems of our visitors, we use Google Web Fonts. This means that when you access our pages, our webserver connects to a Google Web Fonts server and transmits information about you, such as your IP address, to Google LLC.
The legal basis for this processing is Art. 6 (1) (f) GDPR. Our legitimate interest is to provide an appealing and uniform presentation of our websites on different systems and browsers.
Data that we process in connection with business communication are stored on our email server and in our (customer) administration system. We store your data for the period of communication or the processing of your request, if there is no business relationship between you and us. Furthermore, we archive our entire business email correspondence for up to 5 years, to meet statutory documentation obligations and to defend ourselves in the event of legal claims.
The legal basis for the processing of data with our email program is:
Art. 6 (1) (b) GDPR, if the email correspondence is for the initiation, execution or termination of a contractual relationship
Art. 6 (1) (a) GDPR, for the sending of advertisements requested by you
We use Zoom to hold phone conferences, online meetings, video conferences and/or webinars (hereinafter: “online meetings”). Zoom is a service of Zoom Video Communications, Inc., which has its headquarters in the U.S.
When Zoom is used, different kinds of data are processed. The scope of the data also depends on what information on data you have provided before or during participation in an “online meeting.”
The following personal data may be the subject matter of processing:
Information on the User
First name, last name, phone no. (optional), email address, password (if “single sign-on” is not used), profile picture (optional), department (optional)
Subject matter, description (optional), participant IP address, device/hardware information
For Recordings (Optional)
MP4 file of all video, audio and presentation records, M4A file of all audio recordings, text file of the online meeting chat.
For Participation by Phone
Information on the incoming and outgoing call number, country name, start and end time. Other connection data such as the IP address of the device may be stored.
Text, Audio and Video Data
You have the option of using the chat, question or survey function in an “online meeting.” In this regard, the text entries made by you are processed in order to show and possibly log them in the “online meeting.” To allow for the display of video and to play back audio, the data from the microphone of your end device and from any video camera on the end device are processed accordingly during the time of the meeting. You can turn off the camera or silence the microphone at any time via Zoom applications.
In order to participate in an “online meeting” or to enter the “meeting room,” you must provide at least your name details.
If we want to record “online meetings,” we will communicate this to you transparently in advance and – if required – request your consent. The act of recording is also shown to you in the Zoom app.
If it is required for the purpose of documenting the results of an online meeting, we will record the chat contents. That is usually not the case, however.
In the event of webinars, it is also possible that we will process the questions asked by webinar participants for the purpose of recording and processing webinars.
If you are registered at Zoom as a user, then reports on “online meetings” (meeting metadata, data on phone dial-in, questions and answers in webinars, survey function in webinars) can be stored for up to one month at Zoom.
Personal data processed in connection with participation in “online meetings” are fundamentally not shared with third parties, if they are not intended for sharing. Please remember that the contents from “online meetings” as well as during personal discussion meetings are frequently intended to communicate information to customers, prospective customers or third parties and are therefore intended for sharing.
The provider of Zoom receives the necessary knowledge of the aforementioned data, if this is required as part of our contract data processing agreement with Zoom.
Zoom is a service that is provided by a company from the U.S. The processing of personal data also takes places in a third country. We have concluded a contract data processing agreement with the provider of Zoom so that the requirements under Art. 28 GDPR are met.
An adequate level of data protection is guaranteed, inter alia, by the conclusion of so-called EU standard contract clauses. As supplementary protection measures, we have also set up our Zoom configuration so that only data centers in the EU, EEA or secure third countries such as Canada or Japan are used for holding “online meetings.”
Legal Basis of Processing
If personal data are processed by employees of “LUXX United GmbH,” Sec. 26 of the German Federal Data Protection Act [BDSG] serves as the legal basis for the data processing. If personal data in connection with the use of Zoom are not required for the establishment, execution or termination of the employment relationship, but are nonetheless a fundamental part for the use of Zoom, Art. 6 (1) (f) GDPR is the legal basis for the data processing. Our legitimate interest in these cases is in the effective holding of “online meetings.”
Otherwise, the legal basis for the data processing in the event of “online meetings” held is Art. 6 (1) (b) GDPR, if the meetings are held as part of the contractual relationship.
If there is no contractual relationship, the legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is also here in the effective holding of “online meetings.”
We have a publicly available profile in social media. We have described the social networks used by us below.
Social networks such as Facebook, Twitter, etc. can usually analyze your user behavior more comprehensively if you visit their websites or website with integrated social media contents (e.g. Like buttons or advertising banners). When you visit our social media sites, this triggers numerous processing operations relevant for data protection.
When you are logged into your social media account and visit our social media site, the operator of the social media portal can assign this visit to your user account. Your personal data may also be recorded, however, if you are not logged in or do not have an account with the respective social media portal. These data are recorded in this case, e.g., via cookies that are stored on your end device or by recording your IP address.
The data recorded in this way can be used by the operator of the social media portals to create a user profile in which your preferences and interests are stored. This makes it possible for the operator to show you interest-related advertisements in and outside of the respective social media presence. If you have an account at the respective social network, the interest-related advertising can be displayed on all logged-in devices.
Please also remember that we cannot track all the processing steps on social media portals. Depending on the provider, therefore, additional processing steps may be taken by the operators of social media portals. You can find these details in the social media portals’ respective terms and conditions of use and privacy policies.
Our social media sites should ensure the most complete possible presence online. This is a legitimate interest in terms of Art. 6 (1) (f) GDPR. The analysis processes initiated by social networks may be based on deviating legal bases that are to be indicated by the operators of social networks (e.g. consent in terms of Art. 6 (1) (a) GDPR).
Controller and Assertion of Rights
If you visit our social media sites (e.g. Facebook), we and the operator of the social media platform are responsible for the data processing operations triggered by this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and appeals) fundamentally with respect to us and the operator of the respective social media portal (e.g. Facebook).
Please remember that we cannot entirely influence the data processing operations of social media portals despite our joint responsibility with the operators of social media portals. Our options are largely based on the corporate policy of the respective provider.
Period of Storage
The data directly recorded by us via the social media site are erased from our systems as soon as the reason for their storage ceases to apply, or you request erasure, revoke your consent to storage, or the purpose of data storage ceases to apply. Stored cookies remain on your end device until you erase them. Mandatory statutory requirements – especially retention periods – remain unaffected.
We have a profile at Facebook. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The collected data are also transferred to the U.S and other third countries, according to statements made by Facebook.
We have an agreement on joint processing (Controller Addendum) with Facebook. This agreement stipulates the data processing operations that Facebook is responsible for and the ones that we are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings autonomously in your user account. To do so, click on the following link and log in at: https://www.facebook.com/settings?tab=ads.
The data transfer to the U.S. is based on the standard contractual clauses of the EU Commission. You will find the details here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
We have a profile at Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA.
The data transfer to the U.S. is based on the standard contractual clauses of the EU Commission. You will find the details here:https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.
We have a profile at LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
If you would like to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
The data transfer to the U.S. is based on the standard contractual clauses of the EU Commission. You will find the details here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
Your Rights as Data Subject
Revocation of your Consent to Data Processing
Some data processing operations are only possible with your explicit consent. You can revoke consent already given at any time. To do so, please send us an informal communication by email: firstname.lastname@example.org. The legality of the data processing carried out until the revocation remains unaffected by the revocation. You can revoke consent for cookies or analysis functions on our websites via the data protection settings or through corresponding settings in your browser.
Right of Appeal to Responsible Supervisory Authority
In the event of breaches of data protection legislation, the data subject has a right to appeal to the responsible supervisory authority. The responsible supervisory authority for data protection issues is the state data protection commissioner of the federal state in which our company is based. A list of data protection officers and their contact details can be found at the following link: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
This site uses TLS encryption for security reasons and to protect the transfer of confidential content, such as orders or requests that you send to us as site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If the TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Encrypted Payment Transactions
If, after the conclusion of a cost-based contract, there is an obligation to transmit your payment data to us (e.g. account number in the case of direct debit authorization), these data are required for the processing of payments.
The payment transactions via the common means of payment (Visa/MasterCard, Ideal, Sofort, direct debit) are handled exclusively via an encrypted TLS connection. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
In the case of encrypted communication, the payment data you transmit to us cannot be read by third parties.
Information, Unavailability, Erasure, Restriction
Right to Information
You have the right to demand information about your data processed by us. In the event of an information request that is not made in writing, we may request evidence that you are the person who you attest to be.
Right to Rectification
Naturally, you can also contact us at any time if we have stored false or old data from you. We will then rectify these data.
Everywhere on our website where you have left personal data, you can amend and/or erase such data directly via the respective registration page.
Right to Erasure
If you no longer want us to store or process your data in the future, you can demand the erasure of your data if you are entitled to this by law. If we continue to need your data for legal reasons (e.g. statutory documentation obligations) or due to a legitimate interest (e.g. to defend against legal claims), your data will be restricted in the processing.
Right to Object
You have the right to object to the processing of your data by us where such is based on a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. In this case, we reserve the right to carefully examine and evaluate the particular personal situation described by you for this purpose.
Changes to Data Protection Policy
We revise this Data Protection Policy on various occasions if this is necessary, for example, when we make changes to our websites. You will find the latest version here.
Version: Aug. 27, 2021