RAL stands for quality in many areas of daily life. This also applies to the processing of your data. In order to ensure the security and privacy of your data, it is our aim to collect as little personal data as possible from you and to handle any required data as securely as possible. Please find information below on what personal data we collect and how we process this data.
1. Name and contact details for the responsible entity
RAL Deutsches Institut für Gütesicherung und Kennzeichnung e.V.
Fränkische Straße 7
Telephone: +49 228 68895 0
Fax: +49 228 68895 431
Chairwoman: Doris Möller, Attorney-at-Law
Chief Executive Officer: Rüdiger Wollmann, Attorney-at-Law
Managing Director: Thomas Roßbach, Attorney-at-Law
2. Contact details for the data protection officer
If you have any questions about the collection and processing of your personal data or a request for information, our external data protection officer would be pleased to assist you. The data protection officer can be contacted via firstname.lastname@example.org.
3. Scope and purpose of the processing of personal data
3.1 Personal data
According to Art. 4 (1) EU GDPR, personal data describes all information relating either directly or indirectly to an identified or identifiable natural person. This includes, for example, your name, your contact details and data which you provide when registering for a customer account, processing your orders or as part of an application.
3.2 Server statistics
Every time our website is accessed, data is automatically transferred to the web server by the respective Internet browser and stored in log files. The following data is stored till its deletion:
- Date: Date of the request.
- Time: Time of the request.
- URI stem (cs-uri-stem): The Uniform Resource Identifier (URI) or the target of the action.
- URI query (cs-uri-query): The query the client tried to execute.
- Client-IP-Address (c-ip): IP Address at the time the page was accessed.
- User-Agent (cs(UserAgent)): Browser type used by the client.
- Cookie (cs(Cookie)): The content of the cookie sent or received, if any.
- Referrer (cs(Referrer)): Last visited page from which the current page was redirected.
The data is processed for the following purposes:
- to enable the connection to the website
- to enable the optimised presentation of the website
- to check and guarantee the security and stability of the systems and
- to enable and improve the administration of the website
The stored data is not combined with other sources of data. It is generally not possible for us to assign the data to any specific person. The data is not processed for the purpose of gaining further information about the respective visitor to the website.
We reserve the right to store the IP addresses of visitors to our websites for a maximum time period of 30 days. The logging of this data serves to recognise advanced persistent threats and limit and resolve faults, as well as for ensuring system and data security.
The legal basis is a legitimate interest in accordance with Article 6 (1) (f) EU GDPR for the purposes mentioned.
Visitors can inform themselves by phone and send messages to us by email. The requesting person can voluntarily transmit all information to us and thereby consent to the processing of personal data. To enable us to respond by email, you must provide a valid email address. The data is processed exclusively for the purpose of telephone and written advice and the processing and answering of inquiries.
The processing takes place on the basis of a voluntarily given consent acc. Art. 6 (1) (a) EU GDPR. The personal data collected will be deleted as soon as the request has been completed and there are no reasons for further storage.
3.4 Registration and customer account
Our websites offer you the opportunity to register and open a customer account. Personal data (e.g. name, e-mail, contact details) will be requested from you in order to carry out the registration. During the registration process, the mandatory information is indicated and your consent to the processing of the data is explicitly requested. The data you enter will be collected and processed in the context of pre-contractual services, contract processing and customer care. In addition, other parameters of your registration (date and time of your registration, IP address during registration) are stored to ensure proper operation of the websites and to prevent or, if necessary, prosecute abuse. The data collected is used exclusively in the context of setting up and maintaining your customer account and the associated processes. Data will not be passed on to third parties.
If you consent to this processing when registering, Art. 6 (1) (a) EU GDPR is the legal basis for the processing. If a contract is initiated or processed via your customer account (e.g., when purchasing goods), the legal basis is Art. 6 (1) (b) EU GDPR.
3.5 Contract initiation and processing
In the store area of our website, you have the opportunity to purchase goods (e.g., colour guides, colour cards, etc.). We need your data for the processing of the contract and for sending or transmitting the purchased goods. Without this data, the conclusion and processing of the contract would not be possible. For the processing of the respective contract, we pass on your data to the transport company commissioned with the delivery of the goods, insofar as this is necessary for the delivery. For the financial processing, we transmit your data to the commissioned financial service provider for payment.
The legal basis for the processing is the initiation and execution of the contract according to Art. 6 (1) (b) EU GDPR.
This website uses the services of MailChimp for sending newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
MailChimp is a service with which, among other things, the sending of newsletters can be organized and analyzed. If you enter data, such as your e-mail address, salutation, title, surname or first name, for the purpose of receiving newsletters, this data will be stored on MailChimp’s servers in the USA.
With the help of MailChimp, we can analyze our newsletter campaigns. When you open an email sent with MailChimp, a file contained in the email (so-called web-beacon) connects to the servers of MailChimp in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked. In addition, technical information is collected (e.g., time of retrieval, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.
The data processing is based on your consent (Art. 6 Section 1 lit a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data you provide for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe. Data that has been stored by us for other purposes remains unaffected by this.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://mailchimp.com/eu-us-data-transfer-statement/ and https://mailchimp.com/legal/data-processing-addendum/#Annex_C_-_Standard_Contractual_Clauses.
After you have unsubscribed from the newsletter distribution list, your e-mail address will be stored by us or the newsletter service provider in a blacklist, if necessary, in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 Section 1lit f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
It is possible to deactivate the saving of cookies at any time. The help function in the menu for most browsers (e.g. Internet Explorer or Firefox) will describe how users and visitors to our application portal can prevent the browser accepting cookies, how the user and visitor to our website can be informed by the browser when they receive a new cookie or also how he or she can delete all of the cookies already received and block the saving of any cookies in the future. In the latter case, the previously described functions (login and administration options) will no longer be available. It is necessary to remove the block on cookies in order to use these functions.
The legal basis for the use of consentmanager is a legitimate interest pursuant to Art. 6 (1) (f) EU GDPR in the context of offering error-free and legally compliant functions of the website. In the context of consentmanager granted consent to the processing of personal data by cookies, the legal basis is based on Art. 6 (1) (a) EU GDPR.
The stored data will be deleted at the latest after 12 months of cookie consent or after objection to the processing of the service.
Further information on consentmanager’s handling of your transferred data can be viewed at https://www.consentmanager.de/.
3.9 Use of etracker
This website uses technologies from etracker GmbH, Erste Brunnenstr. 1, 20459 Hamburg (www.etracker.de). It collects and stores data for marketing and optimization purposes. Pseudonymized usage profiles are created from this data. Cookies may be used if you explicitly agree to the setting of analysis cookies. Those cookies are used to enable a statistical analysis of the use of this website by its visitors and the display of usage-related content or advertising. etracker cookies do not contain any information that enables the identification of a user.
The data processing takes place on the legal basis Art. 6 (1) (f) EU GDPR based on the legitimate interest to optimize the website. You can object to the mentioned data processing at any time
Further information on data protection when using etracker can be found on the provider’s website: https://www.etracker.com/datenschutz/
3.10 Social media
On our website logos of social networks are shown in the form of buttons with the corresponding logos of the operators. Social networks include:
- Facebook, operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland,
- Twitter, operated by the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland,
- LinkedIn, operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland and
- YouTube, operated by Google Ireland Limited, Gordon House, Bar-row Street, Dublin 4, Ireland.
The buttons are implemented as hyperlinks to the respective pages. No data is passed on via the mere link.
3.11 Integration of videos
Some of the videos on the YouTube platform are embedded in our website. YouTube is a portal of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. During the playback of the video data from YouTube, a connection to the YouTube servers is established and the data is transmitted to YouTube via the retrieval. This includes at least your IP address, the date and time of the call and the website you visited. If you are logged into your YouTube account at the same time, information about the video file accessed will be assigned to your YouTube account. If you want to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.
We use the “Extended data protection mode” function so that the connection data is only transmitted to the YouTube servers when a video is actually called up and you consent into the
calling up of YouTube and agree to the associated setting of further cookies by Google, e.g., for Google Fonts.
To ensure functionality and analyze usage behavior, YouTube permanently stores cookies on your device. If you do not agree to this storage, you have the option of preventing this by making the appropriate settings in your Internet browser. For more information, see 3.8 Cookies above.
The legal basis for data processing is a consent according to Article 6 (1) (a) EU GDPR.
Google holds further information on the collection and use of data as well as your rights and protection options in this regard under https://policies.google.com/privacy available.
3.12 E-Mail and Security
Please note that emails are generally not protected against unauthorized access, falsification, etc. Therefore, please do not send any confidential information (e.g., account details, passwords, etc.) by email.
4. Transferring data
Personal data is only transferred to a third party if:
- the data subject has expressly given their consent for the data to be used for this purpose in accordance with Art. 6 (1) (a) EU GDPR,
- in the event of the transfer of data in accordance with Art. 6 (1) (f) EU GDPR, this is required for the establishment, exercise or defence of legal claims and there is no reason to believe that the data subject has an overriding legitimate interest for the non-transfer of their data,
- in the event of the transfer of data in accordance with Art. 6 (1) (c) EU GDPR, a legal obligation to this end exists,
- it is necessary in accordance with Art. 6 (1) (b) EU GDPR for the performance of a contract to which the data subject is party and/or
- services are used by companies where the transfer takes place on the basis of a contract processing agreement pursuant to Art. 28 EU GDPR.
4.1 Payment processing
For the financial processing of orders (e.g., in our store in the area of colours) it may be necessary to transfer your data to the respective financial service provider.
The data is processed on the basis of Art. 6 (1) (b) EU GDPR for the fulfilment of a contractual relationship with the data subject.
4.2 Logistics and processing of orders
We generally process your orders in-house. For the delivery of ordered goods, personal data will be disclosed to the necessary extent (address and possibly product data) to delivery companies and carriers (parcel and postal services). By voluntarily disclosing your data to us, you agree that we may pass on your data to the third parties involved to the extent necessary to process the transactions you have requested.
The data is processed on the basis of Art. 6 (1) (b) EU GDPR for the fulfilment of a contractual relationship with the data subject.
4.3 RAL Events and RAL Academy
When registering for the various RAL events and the RAL Academy, personal data is transmitted to the extent necessary for the implementation of the events. The RAL Academy is partly conducted by external lecturers. For this purpose, it is necessary to transfer personal data to the respective persons entrusted with the implementation.
The basis for data processing is your express consent in accordance with Art. 6 (1) (a) EU GDPR upon registration or the fulfilment of a contractual relationship with the data subject in accordance with Art. 6 (1) (b) EU GDPR.
5. Your rights as the data subject
If your personal data has been processed due to your visit to our website, you have the following rights as the “data subject” in the sense of the EU GDPR:
5.1 Right to obtain information
You can request information from us about whether we are processing personal data about you. No right to obtain information exists if the data cannot be deleted due to legal or contractual retention periods or has been processed exclusively for data backup or data security purposes and the provision of this information would require a disproportionate amount of cost and effort and any processing of the data for other purposes is excluded using suitable technical and organisational measures. Where applicable, you can request information about:
- the purposes of the processing.
- the categories of your personal data that were processed.
- the recipients or categories of recipients to whom your personal data is made public, especially recipients in third countries.
- if possible, the period for which your personal data will be stored, or if that is not possible, the criteria used to determine that storage period.
- the existence of a right to rectification or erasure or restriction of processing of the data about you as the data subject or a right to object to this processing.
- the right to lodge a complaint with a data protection supervisory authority.
- if the personal data was not obtained from you as the data subject, any available information on the source of the data.
- if relevant, the existence of automated decision-making including profiling and meaningful information on the logic involved, as well as the scope and envisaged consequences of such automated decision-making.
- if the personal data is transferred to a recipient in a third country, insofar as the EU Commission has not issued a resolution on the adequacy of the level of protection in accordance with Art. 45 (3) EU GDPR, information on what appropriate safeguards in accordance with Art. 46 (2) EU GDPR have been provided to protect the personal data.
5.2 Right to obtain information
If you find that the personal data, we hold about you is incorrect, you can request that we rectify the incorrect data. If the data is incomplete, you can request completion.
5.3 Right to erasure
You have a right to erasure (“right to be forgotten”) if one of the following grounds applies:
- the personal data is no longer required for the purposes for which they were processed
- you have withdrawn you consent for the processing of the data
- you have objected to the processing of your personal data that we have made public
- you have objected to the processing of personal data that we have not made public and there are no overriding legitimate grounds for the processing of the data
- your personal data has been unlawfully processed
- the erasure of your personal data is required to comply with a legal obligation to which we are subject
The right to erasure does not exist if, in the event of legal non-automated data processing, the erasure of the data would only be possible at a disproportionate amount of cost and effort due to the special type of storage and you only have a low level of interest in its erasure. In this case, the processing of this data will be restricted instead of the data being erased.
5.4 Right to restriction of processing
You have the right to request a restriction of processing if one of the following grounds applies:
- you contest the accuracy of the personal data. In this case, a restriction can be requested for the period required to verify the accuracy of the data.
- the processing is unlawful and the data subject requests a restriction of the use of their personal data instead of the erasure of the data.
- your personal data is no longer required by us for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims.
- you have raised an objection in accordance with Art. 21 (1) EU GDPR. A restriction of processing can be requested pending the verification of whether we have legitimate grounds that override your grounds for a restriction of processing.
A restriction of processing means that the personal data will only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We are obligated to inform you before the restriction of processing is lifted by us.
5.5 Right to data portability
You have a right to data portability if the processing is based on your consent according to Art. 6 (1) (a) or Art. 9 (2) (a) EU GDPR or a contract to which you are a contractual party and the processing is carried out with the aid of automated means. In this case, the right to data portability includes the following rights insofar as they do not adversely affect the rights and freedoms of others:
You have the right to receive from us the personal data that you have provided to us in a structured, commonly used and machine-readable format. You have the right to have this data transferred to another controller without hindrance from us. If technically feasible, you can request that we directly transfer your personal data to another controller.
5.6 Right to object
Furthermore, according to Art. 77 GDPR, § 19 BDSG, you have the right to complain to the competent data protection supervisory authority if you have any questions about data protection and data protection issues. For companies located in North Rhine-Westphalia, this is the state representative for data protection and freedom of information. The contact details are:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Postfach 20 04 44
5.7 Withdrawal of consent
Your consent for the processing of personal data can be withdrawn at any time with future effect. The withdrawal of consent can also apply to individual sections of the data processing (e.g. unsubscribing from the newsletter).
Please note that even if you withdraw your consent, processing of the data may still be required due to legal regulations.
Please send us the notification about your withdrawal of consent using the contact details stated above in section 1 and please understand that some identification may be required in the event of a withdrawal of consent to prevent any misuse.
6. Withdrawal of consent for advertising mails
We hereby expressly prohibit the use of our contact details – published as part of our duty to publish a legal notice – for the purpose of sending us any advertising or information materials that we have not expressly requested. The operator of these websites expressly reserves the right to take legal action in the event of the unsolicited sending of advertising information such as in the form of spam emails.