Data privacy policy
I Name and address of the controller
The controller in the sense of the General Data Protection Regulation and other national data protection laws of the member states and other data protection regulations is:
Weingut Ernst Steffens
Hauptstraße 47
56856 Zell-Merl/Mosel
Telephone: +49 (0) 6542 2402
E-Mail: info@weingut-steffens.de
II Name and address of the data protection officer
We don´t need data protection officer.
III General information about data processing
1. Scope of processing personal data
We generally only process personal data if this is necessary to provide a functioning website as well as our contents and services. Personal data will only be processed with the user’s consent or in cases where prior consent cannot be obtained for practical reasons and where data processing is permitted by law.
2. Legal basis for processing personal data
If we obtain the consent of the data subject for processing personal data, Art. 6 Abs. 1 lit. a EU General Data Protection Regulations (GDPR) serves as the legal basis.
When processing personal data required for the performance of a contract to which the data subject is a party, Art. 6 Abs. 1 lit. b serves as the legal basis. This also applies to processing required for executing precontractual measures.
If processing personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 Abs. 1 lit. c GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 Abs. 1 lit. f GDPR serves as the legal basis for processing.
3. Data deletion and storage duration
The personal data of the data subject is deleted or blocked as soon as the purpose for storage ceases to exist. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
IV Provision of the website and creation of log files
1. Description and scope of data processing
On every visit to our website, our system automatically collects data and information from the computer system of the computer being used.
The following data is collected:
1.1. browser type and version
1.2. the operating system used
1.3. the IP address
1.4. data and time of access
1.5. websites from which the user’s system reaches our website
The data is also stored in the log files of our system. The IP addresses of the user or other data that enables the assignment of the data to a user are not affected by this. Storage of this data together with other data of the user does not take place.
2. Legal basis for data processing
The legal basis for the temporary storage of the data and log files is Art. 6 Abs. 1 lit. f GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. The user’s IP address must be stored for the duration of the session for this purpose.
Data is stored in log files to ensure the functionality of the website. The data also helps us to optimise the website and to ensure the security of our information technology systems. An analysis of the data for marketing purposes does not take place in this context.
Our legitimate interest in data processing in accordance with Art. 6 Abs. 1 lit. f GDPR so lies in these purposes.
4. Storage duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of data collection for the provision of the website, this is the case when the respective session has ended.
In the case of data being stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the user’s IP address is deleted or distorted so that the assignment of the client is no longer possible.
5. Objection or removal option
The collection of the data for website provision and data storage in log files is necessary for operating the website. As a result, there is no objection option for the user.
V Use of cookies
1. Description and scope of data processing
Our website uses “cookies”. Cookies are text files that are stored in the Internet browser or by the Internet browser of the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that enables the unique identification of the browser when the website is visited again. We use cookies to make our website more user-friendly. Some elements of our website require that the browser can be identified even after a page change. This includes, for example, access data for closed areas of our website that require a login. We also use cookies on our site which enable an analysis of the user’s surfing behaviour. When you visit our website, the user is informed of the corresponding use and his consent to the processing of the personal data used in this context is obtained. In this context, there is also a reference to this data protection declaration
2. Legal basis for data processing
The legal basis for processing personal data using cookies is Art. 6 Abs. 1 lit. c GDPR, Art. 6 Abs. 1 lit. a GDPR and Art. 6 Abs. 1 lit. f GDPR.
3. Purpose of data processing
The purpose of using of technically necessary cookies is to simplify the use of websites for users. Not all functions can be offered without using cookies. The data collected by cookies that are not technically necessary are not used to create user profiles. These types of cookies are also used for the purpose of improving the quality of our website and content. As a result, we learn how the website is used and can constantly optimize our offer. Our legitimate interest in processing personal data in accordance with Art. 6 Abs. 1 lit. f GDPR also lies in these purposes.
4. Storage duration, objection or removal option
Cookies are stored on the user’s computer and transmitted to our site. Therefore, users also have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing the settings in their Internet browser. Cookies that are already stored can be deleted at any time. This can be done automatically. If cookies are deactivated for our website, it is possible that not all functions can be used to their full extent. The transmission of Flash cookies cannot be prevented via the browser settings but by changing the settings of the Flash Player.
VI Newsletter
1. Description and scope of data processing
On our website there is the option of subscribing to a free newsletter. When registering, at least the following information is transmitted to us from the input screen data:
1.1. name
1.2. email address
The following data will also be stored at the time of sending the message:
1.3. user’s IP address
1.4. date and time of registration
During the registration process, the user’s consent is obtained for processing and reference is made to this data privacy policy, which also contains the specific consent text below.
No data is passed on to third parties in connection with data processing for sending of newsletters. The data is only used for sending the newsletter.
2. Legal basis for data processing
The legal basis for processing personal data after registering for the newsletter is Art. 6 Abs. 1 lit. a GDPR.
3. Purpose of data processing
Collecting the user’s data is for delivering the newsletter. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Storage duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. The user’s email address will therefore be stored as long as the newsletter subscription is active.
5. Objection or removal option
The newsletter subscription can be cancelled by the user concerned at any time. There is a corresponding link in each newsletter for this purpose.
This also makes it possible to revoke the consent to the storage of personal data collected during the registration process.
VII Contact form and email contact
1. Description and scope of data processing
There are contact forms on our website that can be used for electronic contact. If a user uses this option, the data entered in the input screen will be transmitted to us and stored. This data includes at least:
1.1. Salutation
1.2. First name
1.3. name
1.4. email address
1.5. address
1.6. City
1.7. Telephone
The following data will also be stored at the time of sending the message:
1.8. user’s IP address
1.9. date and time of registration
During contact, the user’s consent is obtained for processing and reference is made to this data privacy policy, which also contains the specific consent text below.
Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted by email will be stored.
Data is not passed on to third parties in connection with this. The data is only used for processing the conversation.
2. Legal basis for data processing
The legal basis for processing data is Art. 6 Abs. 1 lit. a GDPR if the user has given consent.
The legal basis for processing data transferred as part of sending an email is Art. 6 Abs. 1 lit. f GDPR. If the aim of the email is concluding a contract, the additional legal basis for processing is Art. 6 Abs. 1 lit. b GDPR.
3. Purpose of data processing
Processing personal data from the input screen is for processing any contact by us alone. Contact by email also constitutes the necessary legitimate interest in the data processing.
The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Storage duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. For personal data from the contact form input screen and that which was sent by email, this is the case when the respective conversation with the user is finished. The conversation is terminated when the circumstances show that it is certain that the matter in question has been conclusively resolved.
The other personal data collected during the sending process will be deleted after a period of seven days at the latest.
5. Objection or removal option
The user has the option of revoking his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she can object to the storage of his/her personal data at any time. In a case such as this, the conversation cannot be continued.
The revocation of consent and the objection to storage is possible verbally, in writing or by email.
All personal data stored in the course of contacting us will be deleted in this case.
VIII Google Maps
1. Description and scope of data processing
On our website, we use Google Maps (API) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (“Google”). Google Maps is a web service for displaying interactive maps to visually display geographical information. By using this service, users can, for example, see our location or that of our partners and find their way to us more easily.
Information about the use of our website (such as the IP address) is transmitted to and stored by Google on servers in the USA as soon as the sub-pages into which the Google Maps’ map is integrated are accessed. This happens regardless of whether Google provides a user account through which users are logged in or no user account exists. If users are logged in to Google, their data is assigned directly to their account. If users do not wish to be assigned to their profile on Google, they must logout before activating the button. Google saves the data (even for users who are not logged in) as usage profiles and analyses them.
The USA is classified as a country whose level of data protection does not meet the standards in the European Union. There is also no adequacy decision by the EU Commission that rates the level of data protection in the USA as appropriate. In particular, there is a risk that data can be processed by US authorities for control and monitoring purposes and that you may not have sufficient legal remedies.
2. Legal basis for processing personal data
The legal basis for processing users’ personal data is Art. 6 Abs. 1 lit. a and Art. 49 Abs. 1 a GDPR.
3. Purpose of data processing
Our purpose is to integrate a dynamic map into our website.
4. Storage duration
According to its own information, the log data collected by Google is anonymised by deleting part of the IP address and the cookie information after 9 or 18 months. Users will find more information here.
5. Objection or removal option
If users do not agree to their data being transmitted to Google when using Google Maps, they have the option of completely deactivating the Google Maps web service by switching off the JavaScript application in the browser. Google Maps, and therefore also the map display on this website, cannot be used.
IX Google fonts
1. Description and scope of data processing
Our web site uses so-called web fonts provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland("Google") for consistent font presentation. When you access a website, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. These are stored locally, so that no transfer to the US takes place.
2. Legal basis for the processing of personal data
The legal basis for processing users’ personal data is Article 6 Para. 1 Lit. f GDPR.
3. Purpose of the data processing
The use of Google Web Fonts is in the interest of the consistent and appealing presentation of our online services. For these purposes, our legitimate interest also comprises the processing of the data according to Art. 6 para. 1 lit. f GDPR.
4. Data storage period
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of data collection for the provision of the website, this is the case when the respective session has ended.
5. Right to object and options for removal of data
The collection of the data for website provision and data storage in log files is necessary for operating the website. As a result, there is no objection option for the user.
X Newsletter dispatch via Rapidmail
1. Scope of processing personal data
Our email newsletter is dispatched via the technical service provider rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br. to whom we pass on the data provided by the user when registering for the newsletter. Data entered by the user for the purpose of subscribing to the newsletter (e.g. email address) is stored on Rapidmail servers in Germany.
Rapidmail uses this information to send and statistically evaluate the newsletter on our behalf. For the evaluation, the emails sent contain so-called “web beacons” or “tracking pixels” which represent single-pixel image files stored on our website. This determines whether a newsletter message is opened and which links have been clicked on. It can also be analysed whether a predefined action has been made after clicking on the link in the newsletter with the help of so-called “conversion tracking”. Technical information is also recorded (e.g. time of visit, IP address, browser type and operating system). Data is collected exclusively in pseudonymised form and is not linked to other personal data of the users, direct links to a particular individual are excluded. This data is only used for statistically analysing newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to recipients’ interests.
2. Legal basis for processing personal data
The legal basis for processing users’ personal data is Article 6 Para. 1 Lit. f GDPR.
3. Purpose of data processing
The disclosure of users’ personal data enables us to use an effective, secure and user-friendly newsletter system that can be optimised.
Our legitimate interest in processing data in accordance with Article 6 Para. 1 Lit. f GDPR also lies in these purposes. By anonymising the IP address, users' interest in protecting their personal data is sufficiently taken into account.
4. Storage duration
The IP address is anonymised at an early stage as described above. It is not used for any other purpose, combined with other data or passed on to third parties.
5. Objection or removal option
You can object to the aforementioned data processing at any time by cancelling the newsletter subscription.
XI Rights of the data subject
If users’ personal data is processed, they are the data subject within the meaning of the GDPR and they are entitled to the following rights from the controller, whereby the following list includes all of their rights, not just the rights arising from the use of our services:
1. Right to information
Users can ask the controller to confirm whether personal data concerning you will be processed by us.
If processing has taken place, users can request the following information from the controller:
1.1. the purposes for which personal data is being processed;
1.2. the category of personal data being processed;
1.3. the recipient or categories of recipients to whom the personal data concerning you has been or is still being disclosed;
1.4. the planned storage duration of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
1.5. the existence of a right to have the personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to this kind of processing;
1.6. the existence of a right to complain to a supervisory authority;
1.7. all available information regarding the origin of the data if the personal data is not collected from the data subject;
1.8. the existence of automated decision-making, including profiling in accordance with Art. 22 Abs. 1 and 4 GDPR and – at least in these cases – significant information on the logic involved and the scope and intended effects of this kind of processing for the data subject.
Users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organisation. In this context, they can request to be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.
2. Right to correction
Users have a right to the correction and/or completion by the controller if the personal data processed concerning them is incorrect or incomplete. The controller must make the correction without delay.
3. Right to restrict processing
Users may request that the processing of personal data concerning them be restricted under the following conditions:
3.1. if users dispute the accuracy of the personal data concerning them for a period of time that enables the controller to verify the accuracy of the personal data;
3.2. processing is unlawful and users refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
3.3. the controller no longer needs the personal data for processing purposes but users need it to assert, exercise or defend legal claims, or
3.4. if users have filed an objection to the processing according to Art. 21 Abs. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh their reasons.
If the processing of personal data concerning users has been restricted, this data may only be processed – aside from being stored – with their consent or for the purpose of asserting, exercising or defending rights or for protecting the rights of another natural or legal person or on grounds of important public interest of the European Union or a member state.
If the processing restriction has been restricted in accordance with the aforementioned conditions, users will be informed by the controller before the restriction is lifted.
4. Right to deletion
4.1. Deletion obligation
Users can request that the controller delete the personal data concerning them without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
4.1.1. The personal data concerning users is no longer necessary for the purposes for which it was collected or otherwise processed.
4.1.2. Users revoke their consent on which the processing was based according to Art. 6 Abs. 1 lit. a or Art. 9 Abs. 2 lit. a GDPR and there is no other legal basis for processing.
4.1.3. Users file an objection against processing according to Art. 21 Abs. 1 GDPR and there are no overriding legitimate reasons for processing or they file an objection against processing according to Art. 21 Abs. 2 GDPR.
4.1.4. The personal data concerning the users has been unlawfully processed.
4.1.5. The deletion of personal data concerning the users is necessary to fulfil a legal obligation under EU law or the member state law to which the controller is subject.
4.1.6. The personal data concerning the users has been collected in relation to information society services offered according to Art. 8 Abs. 1 GDPR.
4.2. Information to third parties
If the controller has made personal data concerning users public and is obliged to delete it according to Art. 17 Abs. 1 GDPR it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
4.3. Exceptions
The right to deletion does not exist if processing is required
4.3.1. to exercise the right to freedom of expression and information;
4.3.2. to perform a legal obligation required for processing under EU law or member states’ law to which the controller is subject or to perform a task in the public interest or to exercise public authority that has been given to the controller;
4.3.3. for reasons of public interest in the field of public health according to Art. 9 Abs. 2 lit. h and i such as Art. 9 Abs. 3 GDPR.
4.3.4. for archiving purposes in the public interest, academic or historical research purposes or for statistical purposes according to Art. 89 Abs. 1 GDPR if the right referred to in a) is likely to make it impossible or seriously impair the attainment of the objectives of this processing or
4.3.5. for asserting, exercising or defending legal claims.
5. Right to notification
If users have exercised their right to have the controller correct, delete or limit processing, it is obliged to inform all recipients to whom the personal data concerning them has been disclosed of this correction or deletion of the data or processing restriction, unless this proves impossible or involves a disproportionate effort.
Users shall also have the right to be informed about these recipients by the controller.
6. Right to data transferability
Users have the right to receive the personal data concerning them that they have provided to the controller in a structured, common and machine-readable format. Furthermore, users have the right to transmit this data to another controller without any obstruction by the controller to whom the personal data was made available provided that
6.1. processing is based on consent according to Art. 6 Abs. 1 lit. a GDPR or Art. 9 Abs. 2 lit. a GDPR or on a contract according to Art. 6 Abs. 1 lit. b GDPR and
6.2. processing is carried out using automated methods.
In exercising this right, users also have the right to affect that the personal data concerning them be transferred directly from one controller to another if this is technically feasible. Freedoms and rights of other people may not be affected because of this.
The right to data transferability does not apply to processing personal data necessary for performing a task in the public interest or in the exercise of public authority assigned to the controller.
7. Right to objection
Users have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you under Art. 6 Abs. 1 lit e or f GDPR at any time; this also applies to profiling based on these provisions.
The controller no longer processes the personal data concerning users unless it can prove compelling legitimate reasons for the processing, which outweigh their interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning users is processed for direct marketing purposes, users have the right to object to the processing of personal data concerning them for the purpose of this kind of advertising at any time; this also applies to profiling if it is in connection with this kind of direct marketing.
If users object to the processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes.
Users have the option of exercising their right of objection using automated procedures in which technical specifications are used, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.
8. Right to revoking the declaration of consent relating to data privacy
Users have the right to revoke their declaration of consent relating to data privacy at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
9. Automated decision on a case-by-case basis, including profiling
Users have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has legal effect against them or significantly impairs them in a similar manner. This does not apply if the decision
9.1. is necessary for concluding or fulling a contract between them and the controller,
9.2. is admissible due to EU law or the member state law to which the controller is subject and where this law contains appropriate measures to safeguard their rights, freedoms and legitimate interests or
9.3. takes place with their explicit consent.
However, these decisions may not be based on special categories of personal data according to Art. 9 Abs. 1 GDPR unless Art. 9 Abs. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights, freedoms and legitimate interests.
In the cases referred to in 9.1 and 9.3, the controller shall take reasonable measures to safeguard their rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state its own position and to challenge the decision.
10. Right to complain to a supervisory authority
Irrespective of any other administrative or judicial remedy, users have the right to complain to a supervisory authority, in particular in the member state in which they are residing, working or suspected of violation, if they believe that the processing of personal data concerning them is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
XII Consent (content texts)
1. Contact form
I agree to process my data entered in the input screen for the purpose of responding to my contact request, whereby processing according to Art. 4 Nr. 2 GDPR means any operation carried out with or without the help of automated procedures or any such set of operations relating to personal data, such as the collection, recording, organisation, classification, storage, adaptation or alteration, selection, retrieval, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction.
2. Newsletter
I agree to process my data entered in the input screen for the purpose of transmitting the IR newsletter (investor relations), whereby processing according to Art. 4 Nr. 2 GDPR means any operation carried out with or without the help of automated procedures or any such set of operations relating to personal data, such as the collection, recording, organisation, classification, storage, adaptation or alteration, selection, retrieval, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction.
3. Data transfers to the USA
I consent to my personal data being transmitted to the USA.
Tasting and wine selling
Opening hours
Daily from 2 pm to 7 pm
and after agreement
Phone +49 (0) 6542 2402, info@weingut-steffens.de
Enjoy your wine in our pavilion from May till mid-June
and from mid-August till the end of October.