We at Centa-Star are delighted that you are interested in our product range and have visited our websites. When you use our websites, various types of personal data are collected. Personal data as defined by the General Data Protection Regulation (“GDPR”) refers to all information that enables you to be personally identified.
1. Name and address of the data controller as defined by the GDPR
Centa-Star Bettwaren GmbH & Co. KG
represented by its managing directors Carl-Christoph Held and Thomas Müller
Augsburger Str. 275 | 70327 Stuttgart | Deutschland
Tel.: +49 (0)711 305 05-0
Fax: +49 (0)711 305 05-230
Our data protection officer:
ER Secure GmbH
In der Knackenau 4
Please note that security vulnerabilities may exist when data is transferred over the Internet (e.g. when communicating by email). It is not possible to protect data completely against third-party access.
This page uses TLS encryption for security reasons and to protect the transfer of confidential content, such as orders or inquiries that you send to us as the operator of the page. You can identify an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and that your browser bar displays a padlock icon. When TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
3. Collection and processing of your personal data
3.1. Extent of processing of personal data
We only ever collect and use our users’ personal data to the extent necessary to provide both a functional website and our content and services. In many cases the collection and use of personal data is only performed with the user’s consent. An exception only applies in cases where consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
You can use the Centa-Star websites without having to provide any personal data yourself or without personal data being collected for analytics purposes. For more information about cookies and ways in which you can control them, see section “4.3. Cookies”.
3.2. Legal basis for the processing of personal data
Centa-Star will only collect and process personal data if you provide your consent (Art. 6 (1) (a) GDPR), for the performance of a contract or in order to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR) or for the purposes of our legitimate interests (Art. 6 (1) (f) GDPR).
Where we obtain your consent for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) shall serve as the legal basis for the processing of personal data.
Where personal data needs to be processed for the purpose of performing a contract to which you are party, the legal basis shall be Art. 6 (1) (b) GDPR. This also applies to processing operations that are necessary in order to take steps prior to entering into a contract.
If personal data needs to be processed in order to fulfil a legal obligation to which our company is subject, the legal basis is Art. 6 (1) (c) GDPR.
Where the processing of personal data is necessary to protect your vital interests or those of another natural person, Art. 6 (1) (d) GDPR shall serve as the legal basis.
If the processing is necessary to protect a legitimate interest pursued by our company or a third party and this interest is not overridden by your interests or your fundamental rights and freedoms, Art. 6 (1) (f) GDPR shall serve as the legal basis for the processing.
3.3. Data erasure and storage duration
Your personal data will be deleted or made unavailable as soon as the purpose for which it was saved ceases to apply. Data may additionally be stored if so intended by European or domestic legislation in the form of EU regulations, statutes or other stipulations to which we are subject. Data will also be made unavailable or erased when a storage period prescribed by the specified regulations lapses unless there is a necessity for the continued storage of the data in order to enter into or fulfil a contract.
4. Data collection on our websites
4.1. Server log files
When you visit our websites, the provider of the pages automatically records information in “server log files” that your browser automatically transmits to us. This data contains for example:
- Browser type and browser version
- Operating system used
- Referrer URL (last page visited)
- Host name of the querying computer
- Access date and time of the server query
- IP address
This data will only be collected for the purpose of statistical analysis and on security grounds (e.g. to investigate acts of misuse or fraud), stored for seven days and then erased. If a longer retention period of the data is required for evidential purposes, this data shall be excluded from erasure until the incident has been conclusively investigated. This data will not be merged with any other data sources. The system needs to store the IP address temporarily to enable the website to be provided to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session. This data is recorded and temporarily stored on the basis of Art. 6 (1) (f) GDPR. As a website operator we have a legitimate interest in the technically flawless presentation and optimisation of our website, and this requires the server log files to be recorded.
4.2. Query by contact form, email, phone or fax
If you contact us via contact form, email, phone or fax, we store and process your query including all personal data arising from it. The data is used exclusively for the purpose of handling the matter about which you made contact and will not be passed to third parties without your consent. The data transmitted contains your name and the content and time of your query.
This data is processed on the basis of Art. 6 (1) (b) GDPR, provided your query is connected with the performance of a contract or the taking of steps prior to entering into a contract. In all other cases the processing is based on your consent (Art. 6 (1) (a) GDPR) and/or our legitimate interests (Art. 6 (1) (f) GDPR) because we have a legitimate interest in the effective handling of the queries addressed to us.
You may revoke a consent at any time. To do so, send us an email (firstname.lastname@example.org), no specific form required. The data processing operations performed up to the point of revocation will be deemed lawful and shall not be affected by the revocation. We shall retain the data you send to us by way of contact requests until you ask us to erase it, revoke your consent to its storage or until the purpose for which the data is stored lapses (e.g. once your matter has been conclusively dealt with). Applicable statutory stipulations, in particular statutory retention periods, shall be unaffected by this.
You will find a list of the cookies we use below:
5. Plugins and tools
We also use third-party products on our websites, for instance to make our online presence more appealing, more informative and more user-friendly, for analysis purposes or to increase the visibility of our company via links to social media. These purposes constitute a legitimate interest pursued by our company pursuant to Art. 6 (1) (f) GDPR, which, alongside any consent (Art. 6 (1) (a) GDPR) you may have granted us, forms the legal basis for processing.
5.1. YouTube with enhanced privacy
5.2. Google Web Fonts
This page uses “web fonts” provided by Google to ensure a uniform presentation of fonts. The Google Fonts are installed locally. No connection is made to Google’s servers.
5.3. Google Maps with consent
5.4. Social media plugins with Shariff
Social media plugins are used on our pages. Currently these are plugins of the platforms Facebook, Instagram and YouTube. You can identify the plugins based on the respective social media logos. Centa-Star itself does not collect any personal data relating to you via these plugins. To prevent personal data being transferred to the service providers of the social media platforms without your knowledge, we only use these plugins in conjunction with what is referred to as the “Shariff” solution. Shariff is provided as an open-source application by Heise online (news website of the Heise magazine publishing house). This application prevents the plugins integrated on our website from transferring data to the respective service providers as soon as our websites are accessed. Only when you activate one of the plugins by clicking the corresponding social media button is a direct connection to the server of the respective service provider created. Further information about data protection using Shariff can be found here:
Clicking the respective social media button is deemed to be consent to the use of the social media platform in question pursuant to Art. 6 (1) (a) GDPR. As soon as you activate the plugin, the provider in question is notified that you accessed one of our websites with your IP address. For this to occur you neither need an account with this service provider, nor do you need to be logged in. If you are logged into your account with the social media platform in question at the point at which a plugin is activated, the respective provider may allocate the visit to our pages to your user account. If you do not want the service provider in question to be able to allocate your visit to our page to your social media profile, you need to log out of your account before clicking one of the social media buttons.
Please be aware of the following: some service providers have their registered office in the USA. From the perspective of the European Union, there is no “adequate level of protection” in the USA compliant with the EU standards for the processing of personal data. However, for individual companies this level of protection can be replaced by a certification under what is known as the “EU-US Privacy Shield”. Some service providers are certified under the Privacy Shield framework and as a result undertake to comply with European data protection laws.
You can find further information on the social media platforms whose plugins we use on our websites and how they deal with data protection issues below:
Facebook is a service of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We use the Facebook plugin in conjunction with the Shariff solution described above. Facebook is certified under the Privacy Shield framework and consequently undertakes to comply with European data protection laws. You can view Facebook’s Privacy Shield certificate here:
Instagram is a service of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We use the Instagram plugin in conjunction with the Shariff solution described above. Facebook is certified under the Privacy Shield framework and consequently undertakes to comply with European data protection laws. You can view Facebook’s Privacy Shield certificate here:
YouTube is a service of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. We use the YouTube plugin in conjunction with the Shariff solution described above. Google is certified under the Privacy Shield framework and consequently undertakes to comply with European data protection laws. You can view Google’s Privacy Shield certificate here:
5.5. Google Analytics
We want to tailor the content of our online presence as closely as possible to your interests and by doing so improve our offer to you. Centa-Star uses the Google Analytics web analytics service on the basis of our legitimate interest in an optimisation of our websites, the creation of a more targeted offer and monitoring the effectiveness of advertising measures. This is operated by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
- Browser type and browser version
- Operating system used
- Referrer URL (last page visited)
- Host name of the accessing computer (IP address)
- Time of server request
This data is usually transferred to a Google server in the USA and stored there. We have activated IP anonymisation on our websites via the code extension “_anonymizeIp()”, meaning that a Google Analytics script automatically shortens your IP address by the last three digits within the member states of the EU or other signature states to the Agreement on the European Economic Area prior to transfer to the USA. Only in exceptional cases will your full IP address be transferred to one of Google’s servers in the USA and shortened there. This procedure ensures that the pseudonymised user profiles created in this way cannot be clearly traced to a given individual. Google uses this information on behalf of Centa-Star to analyse your use of our websites, to generate reports relating to website activity for Centa-Star and to provide further services connected to the use of the website and the Internet. Google may also transfer this information to third parties to the extent prescribed by law or where third parties process the data on Google’s behalf.
Deactivating cookies may restrict the functionality of our websites. Google offers an add-on for web browsers that can prevent data collection by Google Analytics and the processing of this data by Google. The add-on can be downloaded and installed at your own risk from the following link:
As an alternative to the add-on, in particular for browsers on mobile end devices, you can also prevent data recording by Google Analytics by setting an opt-out cookie in your browser that prevents the future collection of your data when visiting this website. The opt-out cookie only applies in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you need to reset the opt-out cookie.
Set Google Analytics opt-out cookie.
You can find further information about Google Analytics and data protection on the Internet via the following link of the producer Google:
Please be aware of the following: From the perspective of the European Union, there is no “adequate level of protection” in the USA compliant with the EU standards for the processing of personal data. However, for individual companies this level of protection can be replaced by a certification under what is known as the “EU-US Privacy Shield”. Google is certified under the Privacy Shield framework and consequently undertakes to comply with European data protection laws. You can view Google’s Privacy Shield certificate here:
6. Your rights
6.1. Analytics tools and tools from third-party providers
6.2. Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You may revoke a previously granted consent at any time. To do so simply send us an email (no form required) or follow the link provided for this purpose in section “4.3. Cookies”. The data processing performed up to the point of revocation will be deemed lawful and shall not be affected by the revocation.
6.3. Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)
6.4. Right to lodge a complaint with the competent supervisory authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, their place of work or the place of the alleged breach. The right to lodge a complaint exists irrespective of any other administrative or judicial legal remedies.
6.5. Right to data portability
You have the right to receive, or have transmitted to a third party, the data that we have processed in an automated manner on the basis of your consent or in the performance of a contract in a commonly used, machine-readable format. If you request the direct transfer of the data to a different controller, this will only be done if it is technically feasible.
6.6. Information, making unavailable, erasure and rectification
Within the framework of the applicable legislation, you have the right to obtain at any time information free of charge about your stored personal data, its origin and recipients and the purpose of the data processing and, where relevant, a right to the rectification, making unavailable or erasure of this data. If you have any questions about this or any other matters relating to the subject of personal data, you can contact us at the address provided in the legal notice.
6.7. Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us in this regard at any time at the address provided in the legal notice. The right to restriction of processing exists in the following cases:
- If you contest the accuracy of the personal data regarding you stored by us, we usually need time to verify this. You have the right to request the restriction of the processing of your personal data for the period required for the verification.
- If your personal data was or is being processed in an unlawful manner, you may request the restriction of the use of the data as opposed to its erasure.
- If we no longer need your personal data but you require it for the establishment, exercise or defence of legal claims, you have the right to request the restriction of the use of the personal data as opposed to its erasure.
- If you have lodged an objection pursuant to Art. 21 (1) GDPR, an assessment needs to be made of whether your rights override ours. Until it has been established whose rights prevail, you have the right to request the restriction of the processing of your personal data.
Where you have restricted the processing of your personal data, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
6.8. Objection to marketing emails
We hereby object to the use of contact details published in the context of the obligation to provide a legal notice for the purpose of sending advertising and information materials that are not expressly requested. Centa-Star expressly reserves the right to take legal steps in the event of the unsolicited sending of advertising materials, for example in the form of spam emails.
Last revised: June 2019