1 Privacy policy

1.1 Introduction

With the following privacy policy, we would like to explain the types of your personal data (hereinafter also referred to as "data") that we process, for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us within the Melitta group of undertakings, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as an "online offer").

The terms used are not gender specific.

Status: October 02, 2024

1.2 Controller

The controller, who is responsible for data protection, including contact data, can be found in the imprint.

1.3 Contact the data protection officer

Melitta Data Protection Office, Ringstr. 99, 32427 Minden, Germany, +49 571 86-0, data-protection (at) melitta.com

1.4 Advertising objection: No use of our contact data

We expressly object to the processing of our own contact data from the imprint or the privacy policy for the purpose of processing advertising. Although these data are generally accessible, they are not published voluntarily, but instead based on legal regulations. We expressly reserve the right to take legal action in the event of unlawful processing, in particular contacting us and sending emails for marketing and advertising purposes.

1.5 Overview of the processing

The following overview provides an initial overview of the categories of data processed by us, the purposes of their processing and the categories of data subjects. This overview makes no claim to being complete and we refer to the respective details for the relevant processing.

1.5.1 Categories of processed data

· Master data (e.g. names, addresses),

· Content data (e.g. text input, photographs, videos),

· Contact data (e.g. e-mail addresses, telephone numbers),

· Meta / communication data (e.g. device information, IP addresses),

· Usage data (e.g. websites visited, interest in content, access times),

· Social data (data that are subject to social secrecy (section 35 SGB I) and, for example, processed by social insurance agencies, social welfare agencies or providers.),

· Location data (data indicating the location of an end user's device),

· Technical data (e.g. serial number, error log, counter readings, software releases),

· Contract data (e.g. subject of the contract, duration, customer category),

· Payment data (e.g. bank details, invoices, payment history).

1.5.2 Categories of data subjects

· Business customers (business-to-business),

· End customers (business-to-consumer),

· Service providers and suppliers,

· Interested parties (e.g. potential business or end customers),

· Communication partners (e.g. recipients of emails, letters),

· Users (e.g. website visitors, users of online services),

· Participants (e.g. from sweepstakes and competitions).

1.5.3 Purposes of processing

· Assessment of financial standing and creditworthiness,

· Carrying out A / B tests,

· Provision of our online offer,

· Design of the internal processing organisation,

· Implementation of direct marketing measures (e.g. by email or post),

· Implementation of sweepstakes and competitions,

· Implementation of interest-based and behaviour-based marketing / remarketing,

· Processing of contact inquiries and communication (e.g. with customers and interested parties),

· Conversion measurement (measurement of the effectiveness of marketing measures),

· Profile creation (creation of user profiles),

· Creation of a user account,

· Range measurement (e.g. access statistics, recognition of returning visitors),

· Implementation of security measures,

· Server monitoring and error detection,

· Conducting surveys and evaluations (e.g. customer surveys, product evaluations),

· Provision and provision of agreed services,

· Forwarding to the target website in the corresponding language version.

· Target group formation (determination of target groups relevant for marketing purposes or other output of content).

1.5.4 Automated decisions in individual cases

· Credit information (decision based on a credit check).

1.5.5 Relevant legal bases

In the following, we will inform you of the legal bases of the General Data Protection Regulation (GDPR), on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, the national data protection requirements in your or in our country of residence or domicile may apply. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you about this during the respective processing.

· Consent (art. 6 para. 1 lit. a GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes of processing.

· Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR) - The processing is necessary for the fulfilment of a contract to which the data subject is a party or for the implementation of pre-contractual measures that take place at the request of the data subject.

· Legal obligation (art. 6 para. 1 lit. c GDPR) - The processing is necessary to fulfil a legal obligation to which the controller is subject.

· Legitimate interests (art. 6 para. 1 lit. f GDPR) - The processing is necessary to safeguard the legitimate interests of the controller or a third party, and the interests or fundamental rights and freedoms of the data subject do not prevail.

1.6 Technical and organisational measures

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

The measures include, in particular, securing the confidentiality, integrity, availability and resilience of data by controlling physical and electronic access to the data as well as access, input, forwarding, transmission and separation pertaining to these. Furthermore, we have set up procedures that ensure the exercise of data subject rights, the erasure of data and reactions to a threat to the data. Furthermore, we consider the protection of personal data as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

Masking of the IP address: If it is possible for us and if full IP address storage is not necessary, we will shorten or have the IP addresses shortened. If the IP address is shortened, also known as "IP masking", the last octet (the last three numbers) of an IP address is deleted (e.g. 192.168.100.xxx). By masking of the IP address, the identification of a person based on their IP address is prevented or made significantly more difficult.

SSL encryption (https): In order to protect your data transmitted via our online offer, we use SSL encryption. You can recognise such encrypted connections by the prefix https: // in the address line of your browser.

1.7 Transmission and disclosure of personal data

As part of our processing of personal data, it may happen that the data is transmitted to or disclosed to authorities and organisations, companies, legally independent organisational units of our group of undertakings or individuals. The recipients of this data can include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding order processing contracts or other agreements that serve to protect personal data, with the recipients of the data.

Data transfer within the group of undertakings: We can transfer personal data to other companies within our group of undertakings or grant them access to this data. If this transfer takes place for administrative purposes of processing, the transfer of the data is based on our legitimate entrepreneurial and economic interests or takes place when it is necessary to fulfil our contractual obligations or when the consent of the person concerned or legal permission is available.

1.8 Data processing in third countries

Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the transmission of data to other persons, authorities or organisations, agencies or companies, this is done only in accordance with the legal requirements.

Subject to express consent or contractually or legally required transmission, we only process or have the data processed in third countries with a recognised level of data protection, if so-called EU standard contractual clauses or other contractual guarantees, certifications or binding group-wide data protection guidelines exist.

1.9 Use of cookies

Cookies are text files that contain data from visited websites and are stored on the user's computer by a browser. A cookie is primarily used to store information about a user during or after their visit to an online offer. The stored information can include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was viewed. The term cookies also includes other technologies that fulfil the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also known as "user IDs").

A distinction is made between the following types of cookies and purposes:

Absolutely necessary cookies: These cookies are absolutely necessary for the website to function (e.g. to save logins or other user input or for security reasons) and cannot be deactivated in your systems. You can set your browser to block these cookies or to notify you about these cookies. However, some areas of our website may then not function correctly. These cookies do not save any personal data.
Analysis cookies: These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They support us in answering the questions of which pages are most popular, which are the least used and how visitors move around the website. All information collected by these cookies is aggregated and therefore anonymous. If you do not allow these cookies, we cannot know when you visited our website.
Functional cookies: The website is able to provide extended functionality and personalisation with these cookies. They can be set by us or by third-party providers whose services we use on our website. If you do not allow these cookies, some or all of these services may not work properly.
Marketing cookies: These cookies can be set by our advertising partners via our website. They can be used by these companies to build a profile of your interests and show you relevant advertisements on other websites. They do not store personal data directly, but are based on a unique identification of your browser and device. If you do not allow these cookies, you will experience less targeted advertising.
Social media cookies: These cookies are set by a number of social media services that we use on our websites so that you can share our content with your friends and networks. These cookies are able to track your browser across other websites and to create a profile of your interests. This can affect content and messages that you see on other websites. If you do not allow these cookies, you may not be able to use or see these sharing tools.

Notes on legal bases: The legal basis on which we process your personal data with the help of cookies depends on whether we ask for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the functioning and secure operation of our online offer and its improvement) or, if the use of cookies is necessary, in order to fulfil our contractual obligations.

Retention period: Unless you provide explicit information on the retention period for permanent cookies (e.g. in the context of cookie information), please assume that the storage duration can be up to two years.

Processing using cookies on the basis of consent (opt-in): Before we process or have data processed in the context of the use of cookies, we ask the user for consent that can be withdrawn at any time by means of a cookie banner. Before consent has not been given, cookies that are absolutely necessary for the operation of our online offer may be used.

Cookie settings / Objection option:

The cookie settings for a website can be changed at any time via the cookie banner or the link below.

Processed data types: Usage data, meta / communication data.
Data subjects: Users.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

The following cookies are used on this website:

1.10 Commercial and business services

We process data from our business customers, end customers and interested parties (collectively referred to as "customers") in the context of pre-contractual, contractual and comparable legal relationships as well as related activities and in the context of communication, e.g. to answer inquiries.

We process this data to fulfil our contractual obligations, to secure our rights and for the purposes of processing the administrative tasks associated with this information as well as the business organisation. We pass on customer data to third parties only within the framework of applicable law to the extent that this is necessary for the aforementioned purposes of processing or to fulfil legal obligations or with the consent of the data subjects (e.g. to telecommunications, transport and other auxiliary services involved as well subcontractors, banks, tax and legal advisors, payment service providers or tax authorities).

The data are generally deleted as soon as the purpose of processing no longer applies or has been fulfilled, unless a legal retention period (e.g. tax and commercial retention periods, warranty obligations) requires longer storage. In this case, the data will be deleted only after the retention period has expired.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply for the relationship between the users and the providers.

In the case of a repair order, machine data can be read out in order to identify and rectify faults of our machine.

Customer account: Customers can create an account within our online offer ("customer account”). The customer accounts are not public and cannot be indexed by search engines. As part of the registration and subsequent login into and uses of the customer account, we save customer IP addresses along with access times in order to be able to prove the registration and prevent any misuse of the customer account.

If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to their retention being further required for legal reasons. It is the customer's responsibility to secure their data if the customer account is terminated.

Shop and e-commerce: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as their payment and delivery or execution.

The information required is marked as such in the context of the order or comparable purchase processing and includes the information required for delivery or provision and billing as well as contact information in order to be able to hold any consultation.

Processed data types: Master data, payment and creditworthiness data, contact data, contract data, usage data, meta / communication data.
Data subjects: Business customers, end customers, interested parties
Purposes of processing: Provision and delivery of agreed services, processing of contact inquiries and communication, design of the internal process organisation, implementation of security measures.
Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legal obligation (art. 6 para. 1 lit. c GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.11 Online marketplaces

We offer our services on online platforms operated by other service providers. In this context, in addition to our data protection notices, the data protection notices of the respective platform apply. This applies in particular with regard to the methods used by the platforms for range measurement and for interest-based marketing.

Processed data types: Master data, payment and creditworthiness data, contact data, contract data, usage data, meta / communication data.

Data subjects: Business customers, end customers, interested parties.

Purposes of processing: Provision and provision of agreed services.
Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.12 Payment service provider

In the context of contractual and other legal relationships, based on legal obligations or on the basis of our legitimate interests, we offer efficient and secure payment options and use other payment service providers in addition to banks and credit institutions (collectively "payment service providers").

The data processed by the payment service providers include master data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sum and recipient-related information. The information is required to carry out the transactions. However, the data entered will be processed and stored only by the payment service providers. Accordingly, we do not receive any account or credit card-related data, but only information with confirmation or negative information about the payment. The data may be transmitted to credit agencies by the payment service provider. The purpose of this transmission is to check your identity and creditworthiness.

For payment transactions, the terms and conditions and the data protection notices of the respective payment service provider that apply are those that can be called up within the respective websites or transaction applications. We refer to this also for the purpose of processing further information and assertion of withdrawal, information and other rights of data subjects.

Processed data types: Master data, payment and creditworthiness data, contract data, usage data, meta / communication data.
Data subjects: Customers, prospects.
Purposes of processing: Provision and provision of agreed services.
Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.13 Credit check

If we make advance payments or take comparable economic risks (e.g. when ordering on account), we reserve the right to obtain an identity and credit report for the purpose of assessing the credit risk on the basis of mathematical-statistical procedures from service companies specialising in this, in order to safeguard legitimate interests ).

We process the information received from the credit reporting agencies on the statistical probability of a payment default within the framework of an appropriate discretionary decision on the establishment, implementation or termination of the contractual relationship. In the event of a negative credit check result, we reserve the right to refuse payment on account or any other advance payment.

The decision as to whether we make advance payments is made in accordance with art. 22 GDPR solely on the basis of an automated decision on a case-by-case basis, which our software makes on the basis of information from the credit agency.

If we obtain express consent from customers for the credit check, this consent is the legal basis for the credit report and the transmission of the customer's data to the credit agencies. If no consent is obtained, the credit check is based on our legitimate interests in the security of our payment claims against failure.

Processed data types: Master data, payment and creditworthiness data, contact data, contract data.
Data subjects: Customers, prospects.
Purposes of processing: Assessment of financial standing and creditworthiness.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.
Automated decisions in individual cases: The credit check is an automated, individual decision-making process within the meaning of art. 22 para. 2 lit. a GDPR.

1.14 Provision of the online offer and web hosting

In order to be able to provide our online offer safely and efficiently, we use the services of web hosting providers whose servers (or servers managed by them) can access the online offer. For these purposes of processing, we can use infrastructure and platform services, computing capacity, storage space and database services as well as security services and other IT services.

The data processed in the context of the provision of the hosting offer can include all information relating to the users of our online offer that is generated in the context of use and communication. This regularly includes the IP address that is necessary in order to be able to deliver the content of online offers to browsers, further technical data and all entries made within our online offer or from websites.

Collection of access data (log files): Every time a server is accessed, technical data is collected, which is automatically transmitted by the user's browser, and stored in server log files. These technical data can include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP -addresses and the requesting provider.

The server log files can be used on the one hand for security purposes, e.g. to avoid overloading the server (especially in the case of improper attacks, so-called DDoS attacks) and on the other hand to ensure the load on the servers and their stability.

Content delivery network: We use a "content delivery network" (CDN). A CDN is a service with the help of which the contents of an online offer, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet.

Processed data types: Content data, usage data, meta / communication data.
Data subjects: Users.
Purposes of processing: Provision of our online offer.
Legal bases: Legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.15 Self-developed apps

We process the data of the users of our self-developed apps, insofar as these are necessary to provide the app functions, to monitor their security and to develop them further. We can also contact users in compliance with legal requirements, provided that communication is desired and necessary for the purpose of providing the scope of services.

Legal bases: The processing of data that are necessary for the provision of the functionalities of the applications serves for the fulfilment of contractual obligations. This also applies if the provision of the functions requires user authorisation (e.g. enabling device functions). If the processing of data is not necessary for the provision of the functionalities of the applications, but serves for the security of the application or our business interests (e.g. collection of data for the purpose of optimising the application or security purposes), it is carried out on the basis of our legitimate interests. If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent takes place on the basis of the consent.

Commercial use: We process the data of the users of our applications, registered as well as any test users (hereinafter uniformly referred to as "users") in order to be able to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our application and to be able to further develop it. The information required is marked as such in the context of the conclusion of the use-, service-, order- or comparable contract and can include the information required for the provision of services and any billing as well as contact information in order to be able to hold any consultations.

Storage of a pseudonymous identifier: We use a pseudonymous identifier so that we can provide the applications and ensure their functionality. The identifier is a mathematical value (i.e. no clear data such as names are used) which is assigned to a device and / or to the installation of the application installed on it. This identifier is generated when this application is installed, remains stored between the start of the application and its updates, and is deleted when users remove the application from the device.

Device permissions for access to functions and data: The use of our applications or their functionalities may require authorisations for access to certain functions of the devices used or to the data stored on the devices or that is accessible with the help of the devices. By default, these authorisations must be granted by the users and can be withdrawn at any time in the settings of the respective devices. We point out that the denial or withdrawal of the respective authorisations can affect the functionality of our application.

Access to the camera and saved recordings: The use of our applications can include the processing of image and / or video recordings (which also includes audio recordings) by accessing the camera function or stored recordings. Access to the camera functions or saved recordings requires an authorisation that can be revoked at any time by the user. The processing of the image and / or video recordings serves only for the provision of the respective functionality of our application according to its description to the users or its typical and expected functionality.

Processing of stored contacts: The use of our applications may include the processing of contact information from people in the user's address book. The use of the contact information requires an authorisation that can be withdrawn at any time by the user. The use of the contact information serves only for the provision of the respective functionality of our application according to its description to the users or its typical and expected functionality. The users are advised that permission for processing the contact information must be granted and that consent or another legal basis must be provided especially for natural persons.

Use of contact data for the purpose of processing contact comparisons: The contact data stored in the device's contact directory can be used to check whether these contacts are also using our application. For this purpose, the contact data of the respective contacts are uploaded to our server and used only for the purpose of processing comparisons.

Processing of location data: The location data collected by the device used or otherwise entered by the user is processed as part of the use of our application. The use of the location data requires authorisation that can be withdrawn at any time by the user. The use of the location data serves only for the provision of the respective functionality of our application according to its description to users.

Facebook SDK: With the help of the Facebook Software Development Kit (SDK) we can link various Facebook services with our apps. For example, users can share content from our apps within their own Facebook timeline or send messages to other Facebook users. When using our apps, events can be triggered that are used to measure the reach of Facebook advertising campaigns. We receive only an aggregated and anonymous evaluation of user behaviour for the respective app from Facebook. We have no further influence on the data processed by Facebook. The Facebook SDK is published and maintained by Facebook. Further information on the Facebook SDK:https://developers.facebook.com/docs.

Processed data types: Master data, meta / communication data, payment and creditworthiness data, contract data, image and / or video recordings, location data.
Data subjects: Users.
Purposes of processing: Provision and provision of agreed services.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.16 Sales of our self-developed apps via App stores

We sell self-developed apps via app stores that are operated independently by other service providers and over whose design we have no influence. In this context, in addition to our privacy policy, the data protection notices of the respective app store applies in particular.

Processed data types: Master data, payment and creditworthiness data, contact data, contract data, usage data, meta / communication data.
Data subjects: Customers.
Purposes of processing: Provision and provision of agreed services.

Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.17 Brand Shops: Registration, login and user account

Users can create a user account. As part of the registration, the required mandatory information is requested from the users and processed for the purpose of providing the user account on the basis of contractual obligations.

Users can be informed by email about processes that are relevant to their user account, such as technical changes. If users have terminated their user account, their data will be deleted with regard to the user account, subject to a statutory retention obligation. It is up to users to save their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.

As part of the use of our registration and login functions as well as the use of the user account, we save the IP address and the time of the respective user activity. The storage takes place on the basis of our legitimate interests as well as those of the users in protecting against misuse and other unauthorised use. A transfer of this data to third parties will not take place unless it is necessary to pursue our claims or there is a legal obligation to do so.

Device registration: When a customer uses our device registration function, the data entered is saved and linked to the customer's user account. By registering the device, the user gives their consent to participate in questioning and surveys about our service and product quality.

Notepad: If a customer uses the notepad function in our shop, the data entered will be saved and linked to the customer's user account. The use of cookies is required for the provision and use of the notepad function. The user's data from the notepad will not be used for other purposes of processing. The notepad data will be deleted after one year.

Processed data types: Master data, contact data, content data, meta / communication data.
Data subjects: Users.
Purposes of processing: Provision and provision of agreed services, implementation of security measures, processing of contact requests and communication.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.18 Melitta Insights

We process personal data of our customers in connection with the use of Melitta Insights. Melitta Insights is our private B2B platform for the management of catering coffee machines. Melitta Insights transmits technical data from compatible devices for efficient monitoring, control and optimisation of business and service-relevant processes.

The technical operating data include in particular: Serial number, system configuration (e.g. media uploads and downloads, beverage and recipe settings), system log (e.g. error, event and vacancy messages), statistics and counter values (e.g. brewing cycles, temperature and maintenance performed), mobile phone usage data, software release

In principle, technical data are not personal data. Personal data is created only when a Melitta Insights user profile (primary and / or secondary user) is created and linked to compatible devices.

Personal data is stored for the duration of the contractual relationship for the use of Melitta Insights. After termination of the contractual relationship, the data will be deleted unless a statutory retention period (e.g. tax and commercial retention periods) requires longer storage. In this case, the data will be deleted only after the retention periods have expired.

We reserve the right to remove the link between the user profile and technical operating data in order to use these in anonymised form, in particular for statistical purposes and to further develop our products, even after the contractual relationship has ended. A personal evaluation does not take place.

Personal data are generally not passed on to third parties. It will be passed on only to contract processors (service providers) commissioned by us for the purpose of providing the services contractually agreed with the customer, in this case a contract for order processing has been concluded with the order processor, or to fulfil legal obligations.

In principle, the data will not be passed on to third parties, unless we call in service providers (processors) for the purposes of processing as mentioned or this is permitted on another legal basis in accordance with art. 6 para. 1 GDPR. In such cases, we observe the legal requirements and, in particular, conclude corresponding order processing contracts or other agreements that serve to protect personal data, with the recipients of the data.

· Processed data types: Technical specifications

· Data subjects: Business customers

· Purposes of processing: Contractual services and services

· Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR).

Data recipients: providers of digital services, service providers, associated Melitta companies.

1.19 Making contact

When you contact us (e.g. via the contact form, email, telephone or via social media), the details of the inquiring person are processed, insofar as this is necessary to answer the contact inquiries and any requested measures.

Answering contact inquiries in the context of contractual or pre-contractual relationships takes place to fulfil our contractual obligations or to answer (pre) contractual inquiries and otherwise on the basis of the legitimate interests in answering the inquiries.

Processed data types: Master data, contact data, content data, usage data, meta / communication data.
Data subjects: Business customers, end customers, communication partners.
Purposes of processing: Processing contact requests and communication.
Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.20 Communication via Messenger

We use Messenger for communication purposes and therefore ask you to observe the following information on the functionality of Messenger, for encryption, on the use of the communication meta data, and on your options for objection.

You can also contact us in alternative ways, e.g. by phone or email. Please use the contact options provided to you or the contact options given within our online offer.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the Messenger providers themselves. You should always use the latest version of Messenger with activated encryption.

However, we also point out to our communication partners that the providers of Messenger do not see the content, but can come to know of it, and when communication partners are communicating with us, technical information about the device used by the communication partner and, depending on the settings of their device, location information (so-called meta data) will be processed.

Notes on legal bases: If we ask communication partners for permission before communicating with them via Messenger, the legal basis for our processing of their data is their consent. In addition, if we do not ask for consent and, for example, you contact us, we use Messenger as a contractual measure in relation to our customers and in the context of contract initiation and, for other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and meeting the needs of our communication partner for communication via Messenger. Furthermore, we would like to point out that we do not transmit the contact data provided to us to Messenger for the first time without your consent.

Withdrawal, objection and erasure: You can withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general erasure guidelines (i.e. for example, as described above, after the end of contractual relationships, in the context of retention periods, etc.) and otherwise as soon as we can assume that we have responded to any information from the communication partner, if no reference to a previous conversation is to be expected and the erasure does not conflict with any statutory retention obligations.

Reservation of reference to other communication channels: For reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case if, for example, internal contract information requires special confidentiality or a response via Messenger does not meet the formal requirements. In such cases, we will refer you to more appropriate communication channels.

Processed data types: Contact data, usage data, meta / communication data, content data.
Data subjects: Communication partner.
Purposes of processing: Processing of contact requests and communication, direct marketing.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.21 Chatbots and chat functions

We offer online chats and chatbot functions as a means of communication (collectively referred to as "chat services"). A chat is an online conversation conducted within a certain timeframe. A chatbot is software that answers users' questions or informs them of news. We can process your personal data if you use our chat functions.

If you use our chat services within an online platform, your identification number will also be stored within the respective platform. We can also collect information about which users interact with our chat services and when. We also store the content of your conversations via the chat services and log the registration and consent processes in order to be able to prove these are in accordance with legal requirements.

We point out to users that the respective platform provider can come to know what and when users communicate with our chat services as well as technical information about the device used by the user and, depending on the settings of their device, location information (so-called meta data) for the purpose of optimising the respective services and for security purposes. Likewise, meta data from communication via chat services (i.e., for example the information about who has communicated with whom) could be used by the respective platform provider, in accordance with their provisions and to which we refer for further information, for marketing purposes or to display advertising tailored to users.

If users agree to a chatbot to activate information with regular messages, they have the option to unsubscribe from the information at any time for the future. The chatbot tells users how and with what terms they can unsubscribe from the messages. By unsubscribing from chatbot messages, user data is deleted from the message recipient directory.

We use the above information to operate our chat services, e.g. to address users personally, to answer their inquiries, to transmit any requested content and also to improve our chat services (e.g. to provide chatbots answers to frequently asked "informational" questions or recognising unanswered questions).

Notes on legal bases: We use the chat services on the basis of consent if we have previously obtained the users' permission for processing their data in the context of our chat services, e.g. so that a chatbot sends them messages on a regular basis. If we use chat services to answer user inquiries about our services or our company, this is done for contractual and pre-contractual communication. In addition, we use chat services on the basis of our legitimate interests in optimising the chat services, their economic efficiency and for increasing the positive user experience.

Withdrawal, objection and erasure: You can withdraw your consent at any time or object to the processing of your data in the context of our chat services.

Processed data types: Contact data, content data, usage data, meta / communication data.
Data subjects: Communication partner, user.
Purposes of processing: Processing of contact inquiries and communication, direct marketing, range measurement, remarketing, profiling, conversion measurement.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.22 Push messages

With the consent of users, we can send so-called "push notifications" to users. These are messages that are displayed on screens, devices or in the browsers of users, even when our online service is not actively being used.

In order to register for the push messages, users must confirm the query on their browser or device to receive the push messages. This consent process is documented and saved.

The push messages may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant to the use of our online offer) and are otherwise, unless specifically mentioned below, sent on the basis of the consent of the user. Users can change the receipt of push messages at any time using the notification settings of their respective browser or device.

Push messages with promotional content: The push notifications that we send may contain promotional information. The promotional push messages are processed on the basis of the consent of the user.

Processed data types: Contact data, content data, usage data, meta / communication data.
Data subjects: Communication partner, user.
Purposes of processing: Provision and provision of agreed services, direct marketing.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.23 Video conferencing, online meetings, webinars and screen sharing

We use platforms and applications from other providers (hereinafter referred to as “third party providers”) for the purpose of holding video and audio conferences, webinars and other types of video and audio meetings.

In this context, data from the communication participants are processed and stored on the servers of the third-party providers, insofar as they are part of communication processes with us. This data can include, in particular, registration and contact data, visual and vocal contributions as well as entries in chats and shared screen contents.

If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers can process usage data and meta data for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection notices from the respective third party provider.

Notes on legal bases: If we ask users for their permission to use third-party providers or certain functions (e.g. consent to recording conversations), the legal basis for processing is the consent. Furthermore, their use can be part of our pre-contractual or contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, user data will be processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

Processed data types: Master data, contact data, content data, usage data, meta / communication data.
Data subjects: Applicants, employees, communication partners, users.
Purposes of processing: Provision and provision of agreed services, processing of contact inquiries and communication, design of the internal process organisation.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.24 Music and Podcasts

We use music hosting and analysis offers from service providers to offer our audio content for listening or downloading and to receive statistical information on the retrieval of the audio content.

Processed data types: Usage data, meta / communication data.
Data subjects: Users.
Purposes of processing: Range measurement, profile formation.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.25 Cloud services

We use software services (so-called "cloud services", also known as "software-as-a-service") that are accessible via the Internet and run on the servers of their providers for the following purposes of processing: Document storage and management, calendar management, sending e-mails, spreadsheets and presentations, exchanging documents, files, content and information with specific recipients or publishing websites, forms or other content and information as well as chats and participation in audio and video conferences.

In this context, personal data can be processed and stored on the provider's servers, provided that they are part of interactions with us or otherwise processed by us as described in this privacy policy. This data can in particular include master data and contact data of users, data on transactions, contracts, other processes and their content. The cloud service providers also process usage data and meta data, which they use for security purposes and for service optimisation.

If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers can place cookies on the users' devices for the purpose of range measurement or to note or save user settings (e.g. in the case of media control).

Notes on legal bases: If we ask for permission to use the cloud services, the legal basis for processing is the consent. Furthermore, their use can be part of our pre-contractual or contractual services, provided that the use of the cloud services has been agreed to in this context. Otherwise, user data will be processed on the basis of our legitimate interests in efficient and secure administration and collaboration processes.

Processed data types: Master data, contact data, content data, usage data, meta / communication data.
Data subjects: Customers, interested parties, employees, communication partners.
Purposes of processing: Design of the internal process organisation.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.26 Newsletters and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter "newsletter") only with the consent of the recipient or legal permission.

To register for our newsletters, it is generally sufficient to provide your email address. However, we can ask you to provide a name for the purpose of addressing you personally in the newsletter, or to provide further information if this is necessary for the purposes of processing the newsletter.

By registering for the newsletter, you confirm that you are at least 16 years old.

Double opt-in procedure: The registration for our newsletter takes place in a so-called double opt-in procedure. After registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else's e-mail address. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes storing the time of registration and confirmation as well as the IP address.

Erasure and restriction of processing: Before we delete them, we can store the unsubscribed e-mail addresses for up to two years on the basis of our legitimate interests in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defence against claims. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist for this purpose alone.

The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving that it has proceeded properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.

Notes on legal bases: The newsletter is sent on the basis of the recipient's consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of advertising to existing customers. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration process for the newsletter is recorded on the basis of our legitimate interests in order to prove that it was carried out in accordance with the law.

Contents: News and information about us and the Melitta group of undertakings, our services, promotions, sweepstakes / competitions, offers and products.

Analysis and success measurement: Our newsletters can contain a so-called "web beacon", a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a shipping service provider, from its server. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected.

This information is used for technical and content improvement for our newsletter based on the technical data or the target groups and their reading habits. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. The evaluations serve to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of the newsletter and the measurement of success take place subject to the express consent of the user and on the basis of our legitimate interests for the purpose of using a user-friendly and secure newsletter system that serves both our business interests and the expectations of the users.

A withdrawal that is separate from the performance measurement is not possible. In this case, the entire newsletter subscription must be cancelled or objected to.

Processed data types: Master data, contact data, meta / communication data, usage data.
Data subjects: Communication partner.
Purposes of processing: Direct marketing.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Objection option (Opt-out): You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find a link to cancel the newsletter at the end of each newsletter.
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.27 Advertising communication via email, post, fax or telephone

We process personal data for purposes of advertising communication that can take place via various channels such as e-mail, telephone, post or fax, in accordance with legal requirements.

The recipients have the right to withdraw their consent or to object to promotional communication at any time.

After withdrawal or objection, we can store the data required to prove consent for up to two years on the basis of our legitimate interests before we delete them. The processing of this data is limited to the purpose of a possible defence against legal claims.

Processed data types: Master data, contact data.
Data subjects: Communication partner.
Purposes of processing: Direct marketing.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.28 Sweepstakes and competitions

We process personal data of participants in sweepstakes and competitions (hereinafter referred to in brief: sweepstakes) only in compliance with the relevant data protection regulations, insofar as the processing is contractually necessary for the provision, implementation and handling of the sweepstakes, the participants have consented to the processing or the processing serves our authorised interests (e.g. the security of the competition or the protection of our interests against misuse through the possible collection of IP addresses when submitting competition entries).

If participation by the participants is published as part of the competition (e.g. in the context of a vote or presentation of competition participation or the winners or reporting on the competition), we point out that the names of the participants can also be published in this context. Participants can object to this at any time. If a participant objects to the publication, however, the contract between the organiser and the participant can also expire and with it the right to participate in the competition. More details can be found in the respective conditions of participation.

If the competition takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the usage and data protection provisions of the respective platforms also apply. In these cases, we would like to point out that we are responsible for the information provided by the participants in the context of the raffle or competition and that corresponding inquiries with regard to the competition must be directed to us.

The data of the participants will be deleted as soon as the competition is over and the data is no longer required. In principle, the data of the participants will be deleted no later than six months after the end of the competition. The winners' data can be retained for longer, e.g. to answer questions about the prizes or to be able to fulfil the awarding of prizes. In this case, the retention period depends on the type of prize and is, for example, up to three years for items or services in order to be able to process warranty cases. Furthermore, the data of the participants can be stored longer, e.g. in the form of reporting on the competition in online and offline media.

If data was also collected for other purposes of processing within the framework of the competition, its processing and the retention period are based on the data protection notices for this use (e.g. in the case of registering for the newsletter as part of a competition).

The individual conditions of participation and the data protection notices are linked for the respective sweepstakes or competition.

Processed data types: Master data, content data.
Data subjects: Attendees.
Purposes of processing: Implementation of sweepstakes and competitions.
Legal bases: Fulfilment of the contract and pre-contractual activities (art. 6 para. 1 lit. b GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.29 Survey

The questioning and surveys carried out by us (hereinafter "surveys") are evaluated anonymously. Personal data are processed only to the extent that this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user's browser or to enable the questionnaire to be continued by using a temporary cookie (session cookie)) or if users have provided their consent.

Notes on legal bases: If we ask the participants for permission to process their data, the legal basis for processing is the consent. Otherwise, the processing of the participants' data takes place on the basis of our legitimate interests in carrying out an objective survey.

Processed data types: Contact data, content data, usage data, meta / communication data.
Data subjects: Communication partner, user.
Purposes of processing: Processing of contact inquiries and communication, direct marketing, range measurement, conducting surveys and evaluations.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.30 Reach measurement and website tracking

Reach measurement and website tracking are used to evaluate visitor flows to our online offering and can include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the range analysis we can, for example, recognise at which time our online offer or its functions or content are used most often or invite a reuse. We can also understand which areas need optimisation.

In addition to reach measurement, we can also use test procedures, for example to test and optimise different versions of our online offer or its components.

User profiles can be created and saved in cookies for these purposes of processing. This information may include content viewed, websites visited and elements used there, as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to their location data being collected, this can also be processed, depending on the provider.

The IP addresses of users are also saved. However, we use an IP masking process, i.e. pseudonymisation by shortening the IP address, to protect users. In general, as part of reach measurement, A / B testing and optimisation, no user clear data, such as e-mail addresses or names, are saved, but pseudonyms are instead. Neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles.

Notes on legal bases: If we ask users for their permission to use third-party providers, the legal basis for processing is the consent. Otherwise, user data will be processed on the basis of our legitimate interests in efficient, economical and recipient-friendly services.

Settings / Possibility of objection:

You can change your settings with regard to the permitted cookie categories at any time using the link below.

Processed data types: Usage data, meta / communication data.
Data subjects: Users.
Purposes of processing: Range measurement, server monitoring and error detection, implementation of A / B tests.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.31 Online marketing

We process personal data for online marketing purposes, which can include in particular the presentation of advertising and other content (collectively referred to as "content") based on the potential interests of users and the measurement of their effectiveness.

The IP addresses of users are also saved. However, we use an IP masking process, i.e. pseudonymisation by shortening the IP address, to protect users. In general, no user clear data such as e-mail addresses or names are stored in the context of online marketing, but pseudonyms are instead. Neither we nor the providers of the software that is used know the actual identity of the users, only the information stored in their user profiles.

The user profiles can later generally also be read out on other websites that use the same online marketing process, analysed for the purposes of displaying content and supplemented with further data and stored on the online marketing provider's server.

As an exception, clear data can be assigned to the user profiles if the users are, for example, members of a social network whose online marketing process we use and the network connects the profiles of the users with the aforementioned information. As a rule, users have concluded additional usage agreements with the providers of the social networks, mostly by giving their consent when registering with the social network. In principle, we only have access to summarised statistical information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing processes have led to a so-called conversion, e.g. to a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures. We have no influence on the procedures for processing personal data at the respective provider and refer accordingly to the respective data protection notices of the provider.

Unless otherwise stated, it should be noted that the cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is the consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services).

Settings / Objection option: You can change your settings with regard to the permitted cookie categories at any time.

Processed data types: Usage data, meta / communication data, location data.
Data subjects: Users, interested parties, customers, communication partners.
Purposes of processing: Remarketing, interest-based and behavioural marketing / remarketing, profiling, conversion measurement, reach measurement, target group formation, direct marketing.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Objection option (Opt-out): We refer to the data protection notices of the respective providers and the possibilities of objection given by the providers. Unless an explicit option to object has been specified, there is the option of deactivating cookies in the browser settings. However, this can restrict the functions of our online offer. We therefore also offer the following options for objection, which are offered in summary for the respective regions:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://www.youradchoices.ca/choices.

c) USA: https://www.aboutads.info/choices.

d) Cross-regional: https://optout.aboutads.info.

1.32 Rating platforms

We take part in evaluation processes in order to evaluate, optimise and advertise our services. If users rate us via the rating platforms or processes involved or otherwise provide feedback, the general terms and conditions of business or use and the data protection notices of the providers additionally apply. As a rule, the evaluation also requires registration with the respective provider.

In order to ensure that the evaluating persons have actually made use of our services, with the consent of the customer we transfer the data required for this with regard to the customer and the service used to the respective evaluation platform (including name, e-mail address and order number or article number). These data are used solely to verify the authenticity of the user.

Rating widget: We include so-called "evaluation widgets" in our online offer. A widget is a function and content element that displays changeable information. It can, for example, be displayed in the form of a seal or a comparable element, sometimes also called a "badge". The corresponding content of the widget is displayed within our online offer, but is retrieved from the servers of the respective widget provider at the moment it is displayed. In this way, the current content or the current rating is always displayed. The widget provider receives technical data (access data, including IP address) that is necessary so that the content of the widget can be delivered to the user's browser.

Furthermore, the widgets provider receives information that users have visited our online offer. This information can be stored in a cookie and used by the widgets provider to recognise which online offers taking part in the evaluation process have been visited by the user. The information can be saved in a user profile and used for advertising or market research purposes.

Processed data types: Contract data, usage data, meta / communication data.
Data subjects: Customers, users.
Purposes of processing: Reach measurement, interest-based and behaviour-based marketing / remarketing, profiling.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.33 Presence in social networks (social media)

We maintain an online presence within social networks and process user data in this context in order to communicate with the users active there or to offer information about us, our products or promotions.

For their part, the social networks generally process the personal data of users for the following purposes of processing: Advertising (analysis, delivery of personalised advertising), creation of user profiles and market research. Which data a social network collects and how it is used are described by the respective social networks in their data protection guidelines. There you will also find information about the legal bases for processing the respective social network and how you can exercise your data subject rights vis-à-vis the social network. The respective controller is solely responsible for the processing by a social network. How a social network uses the data from the visit or interaction of a user with the respective Melitta online presence in the social network for its own purposes of processing after the collection, to what extent activities are assigned to individual users, and how long the social network stores this data and whether data is passed on to third parties is not known to us and can only be answered by the social network. We have no influence on this use of the data by a social network and the social network is solely responsible for data processing in this regard.

The data collected about you in this context will be processed by the respective social network and possibly transferred to countries outside the European Union / the European Economic Area. Melitta cannot rule out possible associated risks for users.

The operators of the social networks use cookies for the storage and further processing of this user data, which are stored on the various end devices of the users. If the user has a profile in a social network and is logged in to it, the storage, evaluation and assignment to a user profile also takes place across devices.

If users assert their data subject rights with regard to processing in a social network against us, we will refer them directly to the social network, as we ultimately do not have the technical options and technical permissions to comply with the requests.

Processed data types: Master data, contact data, content data, usage data, meta / communication data.
Data subjects: Users.
Purposes of processing: Processing of contact inquiries and communication, remarketing, range measurement.
Legal bases: Legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.34 Plugins, functions and content embedded in websites

We include functional and content elements in our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This can be, for example, graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as "content").

The integration always presupposes that the third-party providers of this content process the IP address of the user, since without the IP address they cannot send the content to their browser. Third-party providers can also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The pixel tags can be used to evaluate information such as visitor traffic on the pages of a website. The pseudonymous information can also be stored in cookies on the user's device and contain, among other things, technical information about the browser and operating system, the websites to be referred to, the time of visit and other information about the use of an online offer, and can be linked to information from other sources.

Notes on legal bases: If we ask users for their permission to use third-party providers (e.g. by means of a "cookie banner consent"), the legal basis for processing data is the consent. Otherwise, user data will be processed on the basis of our legitimate interests in efficient, economical and recipient-friendly services.

Integration of third-party software, scripts or frameworks (e.g. jQuery): We include software in our online offer that is accessed from the servers of the respective provider, such as function libraries that we use for the purpose of displaying or user-friendliness of our online offer. The respective providers collect the user's IP address and can process it for the purposes of transmitting the software to the user's browser and for security purposes as well as for evaluating and optimising their offer.

Processed data types: Usage data, meta / communication data, location data, contact data, content data, master data.
Data subjects: User, communication partner.
Purposes of processing: Provision of our online offer, provision and provision of agreed services, processing of contact inquiries and communication, direct marketing, range measurement, interest-based and behaviour-related marketing / remarketing, implementation of security measures.
Legal bases: Legitimate interests (art. 6 para. 1 lit. f GDPR), consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.35 Geo-location redirect (QR codes)

If you use a QR code from our products or advertising materials, your IP address will be used to direct you to the correct landing page and language version. The website provider automatically collects and stores data in server log files, which your browser automatically transmits.

This data will not be merged with other data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of illegal use or for error analysis.

· Processed data types: Meta / communication data.

· Data subjects: Users.

· Purposes of processing: Forwarding to the target website in the corresponding language version; Implementation of security measures, server monitoring and error detection.

· Legal bases: Legitimate interests (art. 6 para. 1 lit. f. GDPR).

Data recipients: providers of digital services, service providers, associated Melitta companies.

1.36 Planning, organisation and support tools

We use services, platforms and software from other providers (hereinafter referred to as a "third party providers") for the purposes of organising, managing, planning and providing our services.

In this context, personal data can be processed and stored on the servers of third-party providers. This data can in particular include master data and contact data of users, data on transactions, contracts, other processes and their content.

If users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers can process usage data and meta data for security purposes, for service optimisation or for marketing purposes. We therefore ask you to observe the data protection notices of the respective third party provider.

Notes on legal bases: If we ask users for their permission to use third-party providers, the legal basis for processing data is the consent. Furthermore, their use can be part of our pre-contractual or contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, user data will be processed on the basis of our legitimate interests in efficient, economical and recipient-friendly services.

Processed data types: Master data, contact data, content data, usage data, meta / communication data.
Data subjects: Communication partners, users, interested parties.
Purposes of processing: Reach measurement, profile formation, design of internal process organisation, processing of contact inquiries and communication, remarketing, interest-based and behaviour-based marketing / remarketing, conversion measurement.
Legal bases: Consent (art. 6 para. 1 lit. a GDPR), contract fulfilment and pre-contractual activities (art. 6 para. 1 lit. b GDPR), legitimate interests (art. 6 para. 1 lit. f GDPR).
Data recipients: providers of digital services, service providers, associated Melitta companies.

1.37 Erasure or anonymisation of data

The data processed by us will be deleted or anonymised in accordance with the legal requirements as soon as your consent for processing is withdrawn or other legal bases no longer apply (e.g. if the purpose of processing this data is no longer applicable or statutory retention periods have expired).

If the data is not deleted or anonymised because it is required for other and legally permissible purposes of processing, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes of processing. This applies, for example, to data that must be stored for commercial or tax law reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

1.38 Change and update of the privacy policy

We ask you to keep regularly informed about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary.

If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses can change over time and we ask you to check the information before making contact.

1.39 Rights of data subjects

As far as the conditions described in the respective regulations are met, each person concerned has the following rights in particular according to art. 7 and art. 13 ff. GDPR:

The right of access to stored personal data for your own person as well as to rectify, block or erase this data.

The right to data portability. If the responsible body processes personal data automatically on the basis of consent or in fulfilment of a contract, the person concerned can have their own data handed over in a common, machine-readable format. If the person concerned requests the direct transfer of the data to another controller, this will only be done if this is technically feasible

The right to withdraw consent granted. If the responsible body processes the personal data of the person concerned on the basis of consent, this consent can be withdrawn in text form at any time with effect for the future. The lawfulness of the data processing operations carried out before the withdrawal remains unaffected by the withdrawal.

The right to object to data processing. The responsible body will then no longer process the personal data of the person concerned, unless it can prove compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the person concerned, or the processing serves to assert, exercise or defend legal claims .

The right to lodge a complaint to a data protection supervisory authority. If a person concerned is of the opinion that the processing of their personal data by the responsible body contradicts the applicable laws, they can submit a complaint to any data protection supervisory authority.