processing directory

documentation of the processing activity

information about the person responsible

Responsible body (according to Art. 4 No. 7 GDPR)

joint controller

Katharina Richter

kontakt@original-unverpackt.de

Legal Representative (Management)

Katharina Richter

kontakt@original-unverpackt.de

Basic information on processing

Description of the processing activity:

· E-mail processing

· General customer management

· Processing of order processes

· Handling of shipping processes

Responsible contact person

Katharina Richter

kontakt@original-unverpackt.de

General data protection requirements GDPR

intended purpose

· Processing activity: “E-mail processing”
Pursued purposes: “Implementation of electronic communication and customer service”

· Processing activity: “General customer management”
Pursued purposes: “Order processing and accounting”

· Processing activity: “Address management”
Pursued purposes: “Processing and forwarding of address data for shipping processing”

Lawfulness of processing, Art. 6 GDPR

Consent (Article 6, paragraph 1, letter a, Article 7)

collection of data

circle of affected groups of people

The group of people affected is limited to our customer base.

Type of data or data categories stored:

· Billing data

· Address data

· IT usage data / log data / log files

· IP address

· Contact details

· Name / First name / Salutation / Title

· Payment data

Origin of the data:

The data is exclusively provided or collected by our customers during the ordering process.

Recipients or categories of recipients to whom the data may be communicated

Internal recipients

· Accounting

· Customer service

· IT department

External recipients and third parties:

· tax office

· Shipping service providers

order processing as a client

processor

· DHL Paket GmbH

· Trusted Shops GmbH

· Google Analytics

Written data protection compliant contract

Yes

suitability of the processor

The processor is suitable

location of processing

Germany

Data transfer to third countries / international organizations

Data transfer to third countries:

There is no transfer of data to third countries outside the EU.

Adequate level of data protection through:

· Adequacy decision of the EU Commission pursuant to Art. 45 para. 3 GDPR

· Guarantees pursuant to Art. 46 GDPR

Binding Corporate Data Protection Rules (BCR)

· EU standard contract

Standard deadlines for the deletion of data

storage period

All order data is retained for 10 years for accounting and legal reasons. After this time, it is deleted according to our deletion concept.

Assessment of the appropriateness of technical and organizational measures (TOM)

1. General description of the technical and organizational measures (Art. 30 para. 1 lit. g, Art. 32 para. 1 GDPR)

a) Access control (rooms and buildings)

Objective description: To prevent unauthorized persons from accessing data processing systems with which personal data is processed or used or in which personal data is stored.

· Our office building is secured by a manual locking system.

· Keys are issued via coded key safes.

b) Access control

Measures that are suitable to prevent data processing systems from being used by unauthorized persons. The information relates to our database system and server access.

· User rights and user access must be requested and approved by the system administrator

· If employees leave the company, access is blocked and access rights are revoked

· Access rights are logged

· All work equipment is encrypted according to the latest technical standards and is password protected

c) Access control

Objective description: It must be ensured that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

The measures relate to our customers’ data.

· Existence of an authorization concept

· The number of administrators is reduced to the bare minimum

· Management of rights by our system administrator

· Compliance with internal password policies including password length and password changes

d) Pseudonymization (Article 32 paragraph 1 lit. a; Article 25 paragraph 1 GDPR)

2. Integrity (Art. 32 para. 1 lit. b GDPR)

a) Control of data transfer

Objective description: It must be ensured that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or storage on data carriers, and that it can be checked and determined to which locations personal data is intended to be transmitted by data transmission facilities.

· E-mail encryption

· Compliance with internal password policies including password length and password changes

· Strict checking and separation of read and write rights for our employees and service providers

3. Availability and resilience (Article 32 paragraph 1 letter b GDPR)

a) Availability control of data

Objective description: It must be ensured that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.

· Selection of the contractor under special care aspects

· Written instructions to the contractor

· Concluding a data processing contract with all service providers

· Regular checks and consultation with all service providers