I. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER
This Privacy Statement applies to data processing carried out by:

Data Controller:
Topcart GmbH
Gustav-Stresemann-Ring 12-15
D–65189 Wiesbaden
Germany
Tel.: +49 (0)611-949190
Email: info@topcart.com
Website: www.topcart.com

II. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER
The Data Protection Officer at Topcart GmbH can be contacted at the above address (FAO Mr Hoer) and/or at dataprotection@topcart.com.

III. GENERAL INFORMATION ON DATA PROCESSING
1. Scope of Data Processing
We shall only process the personal data of our users if this is necessary to provide a fully functional website, as well as our content and services. The personal data of our users shall only be processed on a regular basis with their consent. This shall not apply if it is practically impossible to obtain users’ prior consent and the processing of the data is permitted by statutory regulations.

2. Legal Basis for the Processing of Personal Data
If we obtain the consent of data subjects to process their personal data, we shall do so on the basis of Article 6(1) (a) of the EU General Data Protection Regulation (GDPR). If personal data is processed for the performance of a contract to which the data subject is party, the legal basis for this shall be Article 6(1) (b) of the GDPR. This shall also apply to any data processing required for the execution of pre-contractual measures. If data processing is necessary for compliance with a legal obligation to which our company is subject, the legal basis for this shall be Article 6(1) (c) of the GDPR. If data processing is necessary to protect the vital interests of the data subject or another natural person, the legal basis for this shall be Article 6(1) (d) of the GDPR. If data processing is necessary to safeguard a legitimate interest of our company or third party – and this interest is not outweighed by the interests and fundamental rights and freedoms of the data subject – data shall be processed on the basis of Article 6(1) (f) of the GDPR.

3. Erasure of Data and Storage Period
The personal data of the data subject shall be deleted or blocked as soon as the storage purpose no longer exists. Personal data may be stored beyond this period if this is stipulated by EU Law or national legislation in EU regulations, laws or other provisions that are legally binding for the data subject. The data shall then be deleted or blocked at the end of a storage period established by such regulations, unless the further storage of the data is necessary for the conclusion or performance of a contract.

IV. AVAILABILITY OF THE WEBSITE AND CREATION OF LOG FILES
1. Description and Scope of Data Processing
When you access our website (topcart.com), the browsers used on your device shall automatically send information to our website’s server. This information shall be temporarily stored in a so-called “log file”. In doing so, the following information shall be collected from you or recorded without any intervention on your part and then stored until it is automatically deleted:
(a) Information on the browser type and version used;
(b) The user’s operating system;
(c) The user’s Internet provider;
(d) The user’s IP address;
(e) The date and time of access;
(f) Websites from which the user’s system has accessed our website; and
(g) Websites accessed by the user’s system via our website.
We shall process the data listed above for the following purposes:
(a) To ensure a smooth connection on the website;
(b) To ensure the comfortable use of our website;
(c) To evaluate system security and stability; and
(d) To carry out other administrative tasks.

2. Legal Basis for Data Processing
The legal basis for the temporary storage of data and log files is Article 6(1) (f) of the GDPR.

3. Purpose of Data Processing
The system must temporarily store IP addresses to deliver the website to users’ computers. IP addresses must remain stored for the duration of the session. Log files are saved to ensure the functionality of the website. We also use this data to optimise the website and ensure the security of our IT systems. The data collected in this context shall not be analysed for marketing purposes. Data shall be stored on log files after seven days at the latest. Data may be stored beyond this period. In such cases, the user’s IP address shall be deleted or distorted in such a way that the accessing client can no longer be identified. These purposes also represent our legitimate interest in data processing pursuant to Article 6(1) (f) of the GDPR.

4. Right to Object and Remove Data
The collection of data for the provision of the website and the storage of data on log files is essential for the operation of the website. As such, users shall not be able to oppose this.

V. USE OF COOKIE
a) Description and Scope of Data Processing
We use cookies on our website. These are small files that are generated automatically by your browser and saved on your device (e.g. laptop, tablet, smartphone, etc.) when you visit our website. Cookies shall not damage your device, as they do not contain any viruses, trojans or other malware.
The information stored on cookies depends on the specific device used. However, this does not mean that we shall obtain immediate knowledge of your identity. On the one hand, we use cookies to make the use of our services more comfortable for you. For example, we use so-called “session cookies” to determine whether you have already visited specific pages on our website. These shall be automatically deleted once you leave our website. We also optimise the user friendliness of our website by using temporary cookies that are stored for a set period on your device. If you return to our website to use our services, these cookies shall automatically recognise that you have visited us in the past and remember the data and settings you have already submitted, so that you do not have to re-enter this information. On the other hand, we use cookies to collect and analyse statistical data on the use of our website to optimise our services for you. If you return to our website, these cookies will allow us to automatically recognise that you have visited us in the past. These cookies shall be automatically deleted after a set period.
b) Legal Basis for Data Processing
The legal basis for the processing of personal data with technically necessary cookies is Article 6(1) (f) of the GDPR. If users consent to the processing of personal data with cookies for analytical purposes, this shall be done on the basis of Article 6(1) (a) of the GDPR.
c) Purpose of Data Processing
Technically necessary cookies are used to simplify the use of websites for users. Some features of our website cannot be offered without the use of cookies. These features need the browser to be recognised when changing from one page to another. We require cookies for the following applications:
(1) Shopping cart;
(2) Changes to language settings;
(3) Saved search terms.
The user data collected with technically necessary cookies shall not be used to create user profiles. Analysis cookies are used to improve the quality of our website and its contents. We use analysis cookies to find out how the website is used and to constantly optimise our services. These purposes also represent our legitimate interest in data processing pursuant to Article 6(1) (f) of the GDPR.
d) Storage Period and the Right to Object and Remove Data
Cookies are saved on a user’s computer and then transferred to us from the device. As such, you as the user have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by altering the settings in your Internet browser. Saved cookies may be deleted at any time. This may also be done automatically. However, fully deactivating cookies may prevent you from using some of the features on our website.

VI. NEWSLETTER
1. Description and Scope of Data Processing
If you have given us your express consent in accordance with Article 6(1) (a) of the GDPR, we shall use your email address to send you our newsletter on a regular basis. We only require your email address to send you the newsletter. We shall only use the newsletter to send you direct advertising for our similar products and services. The personal data processed for the distribution of newsletters shall not be passed on to third parties. This data shall be used exclusively for the distribution of the newsletter.

2. Legal Basis for Data Processing
If users consent to the processing of personal data after subscribing to the newsletter, this shall be done on the basis of Article 6(1) (a) of the GDPR. The legal basis for the distribution of newsletters for the sale of goods and services is Section 7 Paragraph 3 of the German Law on Unfair Competition (UWG).

3. Purpose of Data Processing
The user’s email address shall be collected to deliver the newsletter. Any other personal data collected during the registration process shall be obtained to prevent the misuse of the services or email address.

4. Storage Period
Data shall be deleted as soon as it is no longer required for the purposes for which it was originally collected. As such, the user’s email address shall be saved for as long as the newsletter subscription is active. Any other personal data collected during the registration process shall generally be deleted after seven days.

5. Right to Object and Remove Data
Users may cancel their newsletter subscription at any time. A corresponding link can be found in every newsletter for this purpose. If the newsletter has been sent following registration on our website, users may also revoke their consent to the storage of the personal data collected during the registration process.

VII. REGISTRATION
1. Description and Scope of Data Processing
We offer users the possibility of registering on our website by submitting their personal data. This data is entered into an input mask, transferred to us and saved. Data shall not be passed on to third parties. The following data shall be collected during the registration process:
(a) The user’s IP address;
(b) The date and time of registration;
(c) The user’s name;
(d) Phone number;
(e) Email address.
Users shall give their consent to the processing of this data during the registration process.

2. Legal Basis for Data Processing
If users consent to the processing of their personal data, this shall be done on the basis of Article 6(1) (a) of the GDPR. If registration is necessary for the performance of a contract to which the user is party or the execution of pre-contractual measures, the additional legal basis for data processing shall be Article 6(1) (b) of the GDPR.

3. Purpose of Data Processing
Registration shall be required for the performance of a contract with the user or the execution of pre-contractual measures.

4. Storage Period
Data shall be deleted as soon as it is no longer required for the purposes for which it was originally collected. This shall apply to any personal data collected during the registration process that is no longer required for the performance of a contract or the execution of pre-contractual measures. The personal data of a contractual partner may need to be retained after the conclusion of a contract, in order to fulfil contractual or statutory obligations.

5. Right to Object and Remove Data
You may cancel your user registration at any time. You may also have your stored data changed at any time.

6. Description of Account Deletion and Data Changes
If the data is required for the performance of a contract or the execution of pre-contractual measures, it may only be deleted prematurely if no contractual or statutory obligations oppose this.

VIII. CONTACT FORM AND EMAIL CORRESPONDENCE
1. Description and Scope of Data Processing
There is a contact form on our website that can be used to get in touch with us electronically. If you use this option, the data you enter into the input mask shall be transferred to us and saved. This data comprises:
(a) The user’s IP address;
(b) The date and time of registration;
(c) The user’s name;
(d) Phone number;
(e) Email address.
When you submit the contact form, you shall be asked for your consent to data processing and made aware of this Privacy Statement. You may alternatively get in touch via the email address provided. In such cases, the personal data submitted with your email shall be saved. No data shall be passed on to third parties during this process. This data shall be used exclusively to process correspondence.

2. Legal Basis for Data Processing
If users consent to the processing of their personal data, this shall be done on the basis of Article 6(1) (a) of the GDPR. The legal basis for the processing of data submitted with an email is Article 6(1) (f) of the GDPR. If the aim of email correspondence is to conclude a contract, the additional legal basis for data processing shall be Article 6(1) (b) of the GDPR.

3. Purpose of Data Processing
We shall only use personal data obtained from the input mask to process contact requests. We shall also have a legitimate interest in data processing if users get in touch with us via email. Any other personal data collected with the submission of the contact form shall be used to prevent misuse of the same and ensure the security of our IT systems.

4. Storage Period
Data shall be deleted as soon as it is no longer required for the purposes for which it was originally collected. This shall apply to any personal data obtained from the input mask of the contact form – and any data submitted via email – as soon as correspondence with a user is over. Correspondence shall be considered over once it can be inferred from the circumstances that the issue has been conclusively settled. Any additional personal data collected with the submission of the contact form shall be deleted after seven days at the latest.

5. Right to Object and Remove Data
Users may revoke their consent to data processing at any time. If users get in touch with us via email, they may object to the storage of their personal data at any time. Correspondence cannot be continued in such cases, as the user’s account shall be deactivated. In such cases, all personal data saved during correspondence shall be deleted.

IX. ANALYSIS TOOLS
1. Tracking Tools
We shall carry out the tracking measures listed below on the basis of Article 6(1) (f) of the GDPR. We shall use these tracking measures to ensure the constant optimisation of our website and tailor its design to users’ needs. We shall also use these tracking measures to collect and analyse statistical data on the use of our website to optimise our services for you. These interests are legitimate within the meaning of the aforementioned regulation. The various data categories and purposes for data processing can be found in the respective tracking tools.
Google Analytics
In order to constantly optimise our website and tailor its design to users’ needs, we use Google Analytics, a web analysis service developed by Google Inc. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as “Google”). This involves the creation of pseudonymised user profiles and the use of cookies (see Section 4). Information generated by cookies regarding your use of this website shall be transferred and stored on a Google server in the USA. This shall include the following data:

• Browser type/version;
• Operating system;
• Referrer URL (previously visited website);
• Host name of the computer requesting access (IP address);
• Time of the server request.

This information shall be used to analyse the use of the website, compile reports on website activities and render other services associated with the use of the website and Internet; these services shall be carried out for market research purposes and to tailor the design of the website to users’ needs. This information may also be transferred to third parties if this is prescribed by law or if such third parties are commissioned to process the data. Your IP address shall never be collated with other Google data. IP address shall be anonymised in such a way that prevents identification (IP masking). You can prevent the installation of cookies by selecting the relevant browser software setting; however, we would like to remind you that this may prevent you from fully using some of the features of this website. You can also stop cookies from collecting data on your use of the website (incl. your IP address) and prevent Google from processing this data by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en). As an alternative to the browser add-on – especially for browsers on mobile devices – you can also prevent Google Analytics from collecting data by clicking on this link. This will place an opt-out cookie on your device to prevent your data from being collected during future visits to this website. The opt-out cookie will be saved on your device, and it will only work in this browser and on our website. If you delete cookies from this browser, you will have to re-save the opt-out cookie. You can find more information on the data protection measures implemented by Google Analytics in the Google Analytics Help Centre https://support.google.com/analytics/answer/6004245?hl=en.

X. RIGHTS OF DATA SUBJECTS
If personal data concerning you is processed, you shall be a “data subject” within the meaning of the GDPR and have the following rights vis-à-vis the data controller:

1. Right of Access
You may request confirmation from the data controller as to whether personal data concerning you is processed by us.
If we do process your personal data, you may obtain access to the following information from the data controller:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom your personal data has been or will be disclosed;
(d) the envisaged storage period for your personal data or, if exact information cannot be provided, the criteria used to determine the length of the period;
(e) the right to request the rectification or erasure of your personal data or the restriction of data processing, or the right to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) any available information regarding the source of the data if it has not been collected from the data subject;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
You shall have the right to obtain information as to whether your personal data is transferred to a third country or international organisation. If your personal data is transferred to a third country or international organisation, you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

2. Right to Rectification
If personal data concerning you is inaccurate or incomplete, you shall have the right to request the rectification and/or completion of this data from the data controller. The data controller must immediately rectify the data.

3. Right to the Restriction of Processing
You shall have the right to ask for the processing of your personal data to be restricted under the following conditions:
(a) If you dispute the accuracy of your personal data for a period that allows the data controller to verify its accuracy;
(b) The processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of its use;
(c) The data controller no longer needs the personal data for the purposes of the processing, but you require the data to establish, exercise or defend legal claims; or
(d) You have objected to processing pursuant to Article 21(1) of the GDPR, and it has not yet been decided whether the legitimate grounds of the data controller override yours.
If the processing of your personal data has been restricted, it shall only be processed (with the exception of storage) with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If data processing has been restricted in accordance with the requirements described above, you shall be informed by the data controller before the restriction of processing is lifted.

4. Right to Erasure
4.1. Obligation to Erase Data
You may ask the data controller to immediately delete your personal data; the data controller shall then be obliged to immediately delete this data, provided your request is based on one of the following reasons:
(a) Your personal data is no longer required for the purposes for which it was collected or otherwise processed;
(b) You revoke your consent on which the processing is based according to Article 6(1) (a) or Article 9(2) (a) of the GDPR, and there are no other legal grounds for the processing;
(c) You object to processing in accordance with Article 21(1) of the GDPR, and there are no overriding legitimate reasons for this processing, or you object to processing in accordance with Article 21(2) of the GDPR;
(d) Your personal data has been unlawfully processed;
(e) Your personal data has to be deleted to comply with a legal obligation in Union Law or the Member State legislation to which the controller is subject;
(f) Your personal data has been collected in relation to services provided by information societies and described in Article 8(1) of the GDPR.

4.2. Transfer of Information to Third Parties
If the data controller has made your personal data public and is obliged to delete it in accordance with Article 17(1) of the GDPR, the data controller shall consider the technology available and implementation costs to take reasonable steps, including technical measures, to inform any other data controllers who are processing your personal data that you have asked them to delete any links to, or copy or replication of, your personal data.

4.3. Exceptions
You shall not have the right to erasure if data processing is necessary:
(a) to exercise the right of freedom of expression and information;
(b) to comply with a legal obligation requiring data processing in accordance with Union Law or the Member State legislation to which the data controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller;
(c) for reasons of public interest in the area of public health in accordance with Article 9(2) (h), Article 9(2) (i) and Article 9(3) of the GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, provided the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of this processing; or
(e) for the establishment, exercise or defence of legal claims.

5. Right to Information
If you have asserted your right to rectification, erasure or the restriction of data processing, the data controller shall be obliged to inform all data recipients about this rectification/erasure or the restriction of processing, unless this proves impossible or would involve an unreasonable amount of effort and expense. You shall have the right to be told who has received your personal data by the data controller.

6. Right to Data Portability
You shall have the right to receive the personal data you have provided to the data controller in a structured, commonly used and machine-readable format. Furthermore, you shall have the right to transmit this data to another data controller without being hindered by the data controller to whom your personal data has been provided, where:
(a) The processing is based on consent pursuant to Article 6(1) (a) or Article 9(2) (a) of the GDPR, or on a contract pursuant to Article 6(1) (b) of the GDPR; and
(b) The processing is carried out by automated means.
In exercising this right, you shall also have the right to have your personal data transmitted directly from one data controller to another, provided this is technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to any processing required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

7. Right to Object
You shall have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Article 6(1) (e) and Article 6(1) (f) of the GDPR, including any profiling based on those provisions. The data controller shall no longer process your personal data, unless it can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or unless processing is carried out for the establishment, exercise or defence of legal claims. If your personal data is processed for direct marketing purposes, you shall have the right to object at any time to processing for such purposes; this also includes any profiling related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications. If you would like to exercise your right to revoke your consent or object to data processing, you just have to send an email to dataprotection@topcart.com.

8. Right to Revoke your Consent to Data Processing
You shall have the right to revoke your consent to data processing at any time. If you revoke your consent, this shall not affect the legality of data processing carried out on the basis of your consent before your revocation.

9. Automated Individual Decision-Making, including Profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
(a) is necessary for you to conclude or perform a contract with the data controller;
(b) is authorised by Union Law or the Member State legislation to which the data controller is subject, and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests;
(c) is based on your express consent.
However, these decisions shall not be based on the special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2) (a) or Article 9(2) (g) of the GDPR applies and suitable measures are in place to safeguard your rights, freedoms and legitimate interests.
In the cases referred to in points (a) and (c) above, the data controller shall implement suitable measures to safeguard your rights, freedoms and legitimate interests; this shall at least include your right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority – especially in the Member State of your habitual residence, place of work or place of the alleged infringement – if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

11. Data Security
We implement the widely used SSL procedure (secure socket layer) for visits to our website; this provides a connection with the highest level of encryption supported by your respective browser. This is usually 256-bit encryption. If your browser does not support 256-bit encryption, we shall resort to 128-bitv3 technology instead. You can tell that each page on our website is encrypted, as the key/padlock symbol at the bottom of your browser status bar will be displayed as locked. We also implement the appropriate technical and organisational measures to protect your data against intentional and accidental manipulation, full or partial loss, destruction and unauthorised third-party access. Our safety measures are constantly improved in line with technical developments.

12. Updates and Amendments to this Privacy Statement
This Privacy Statement is currently valid and was last updated in May 2018. It may be necessary to change this Privacy Statement if our website and its features are developed, or if statutory and/or official regulations are amended.

The current version of the Privacy Statement can always be accessed and printed out at https://www.tc-carl.com/en/dataprotectionpolicy/