We, CYBEX Retail GmbH, with registered office in Bayreuth, thank you very much for your interest in our website and our CYBEX Online Shop. The protection of your personal data is very important to us. We process these data in accordance with the provisions of the European General Data Protection Regulation (GDPR¹), the German Federal Data Protection Act and other applicable laws on data protection.
In the following, we would like to inform you about the type of personal data processed during your use of our web pages, the associated mobile applications, and as part of your orders in the CYBEX Online Shop.
¹Any references to GDPR shall also include the equivalent provisions of the Swiss Data Protection Act and other applicable laws in this context.
Table of Contents
- 1. Data controller
- 2. Terms and definitions
- 3. Categories of data we are processing
- 4. Legal basis for data processing
- 5. Purposes of the data processing
- 6. Web analytics by Google Analytics
- 7. Data transfer to third parties
- 8. Period of data storage; data erasure
- 9. Your data protection rights
- 10. Automatic processing of personal data
- 11. Complaints to supervisory authorities
- 12. Contacting the Data Protection Officer
The controller for data processing is CYBEX Retail GmbH with registered office in Bayreuth. Our contact details are as follows:
CYBEX Retail GmbH
“Personal data” means any information relating to an identified or identifiable natural person or legal entity (where applicable), hereinafter also referred to as “data subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data include your computer’s IP address, your real name, your postal address, your telephone number and your date of birth. Personal data are also referred to as “data” hereinbelow.
In the following we would like to inform you which data we are processing when you visit our web pages, order goods in our CYBEX Online Shop or use other functions of our web pages and associated mobile applications.
3.1. Processing of access data relating to the visit of our web pages
If you only access our web pages without placing an order in our CYBEX Online Shop, we only store access data such as date and time of your visit, the website from which you visit us, your browser’s type and language settings, the web pages you visit on our website, the amount of data transferred and the requesting provider.
3.2. Data provided to us by you
Within the scope of your order in the CYBEX Online Shop, when creating a customer account, when subscribing to our newsletter or contacting us, we process the data provided to us by you. The relevant data input form will usually indicate the type of data involved. In particular, this relates to:
- contact details such as title, your name, email address and postal address, and your telephone number where applicable;
- order data such as the description of the goods you have ordered;
- payment data such as the payment method you have selected and (where applicable, pseudonymised) your credit card details.
3.3. Data that we receive about you from third parties
We use “cookies”, technical information that is stored on a user's computer, to make it more attractive for you to visit our web pages, to enable you to place an order in our CYBEX Online Shop or to use other functions. Cookies allow us in particular to adapt our web pages to user needs by collecting statistical information about user behaviour.
Some of the cookies we use are deleted after the end of the respective browser session, i.e., after the user closes the browser (“session cookies”). Other cookies will remain on the user's device and enable us to recognise the browser upon the user's next site access (“persistent cookies”).
At all times we process your data in accordance with the relevant legislation and only to the extent permitted by an applicable legal provision. Depending on the respective purpose of the data processing, the processing of your data may be based on the following legal principles:
- Consent (Article 6 (1) (a), Article 7 GDPR): We only process certain data if you have given us your express and voluntary consent to do so. You may revoke your consent at any time with effect for the future.
- Performance of a contract or pre-contractual measures (Article 6 (1) (b) GDPR): We process certain data where this is necessary for the performance of a contract (e.g., when you order goods from us) or in order to take steps at your request prior to entering into a contract (e.g., when you make an enquiry about one of our products).
- Compliance with legal obligations (Article 6 (1) (c) GDPR): We need to process some of your data for compliance with our own legal obligations, for example to comply with tax obligations.
- Protection of vital interests (Article 6 (1) (d) GDPR): We process certain data in cases where processing is necessary to protect the vital interests of you or of another natural person.
- Protection of legitimate interests (Article 6 (1) (f) GDPR): We process certain data in cases where processing is necessary to protect legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests which require protection of personal data.
We process your data for the following purposes:
5.1. Provision of our websites
Where we process access data as part of your visit of our web pages, this is done to ensure problem-free operation of the web pages and to improve our offerings and services, in particular our CYBEX Online Shop.
The legal basis for this data processing is Article 6 (1) (b) GDPR, as the processing is necessary to ensure the functionality of our web pages and to deliver their contents correctly. In addition, the data serve to optimise our websites and to ensure the security of our IT systems; in this respect, the data processing is based on Article 6 (1) (f) GDPR.
If you contact us by telephone, email or via an online form, we process the data provided by you on the basis of Article 6 (1) (b) GDPR to the extent necessary to process your request and to be able to prove that you have contacted us in accordance with legal requirements.
5.3. Contract-related data processing
Customer account: If you register as a customer in our CYBEX Online Shop, we process the data provided by you on the basis of Article 6 (1) (b) GDPR. This is necessary to establish and manage your customer account and is therefore necessary for the performance of the contract of use or in order to take steps at your request prior to entering into a contract.
Guest order: If you place an order as a guest, you do not need to register as a customer prior to placing an order but you will then have to re-enter your data for each subsequent order. We process the data provided by you as part of a guest order on the basis of Article 6 (1) (b) GDPR for the purpose of performing your order, including the delivery of the ordered goods and your ability to monitor the order and delivery status.
Performance of your order as a registered customer: If you have registered as a customer in our CYBEX Online Shop and place an order for goods, we process the data provided by you as part of the order or available in your customer account on the basis of Article 6 (1) (b) GDPR for the purpose of performing your order, including the delivery of the ordered goods and your ability to monitor the order and delivery status.
Newsletter: If you register to receive our newsletter using the relevant function, we process the data provided by you for this purpose or the data available in your customer account, at a minimum your email address, to send you our newsletters by email from time to time. The legal basis for this data processing is the consent given by you when registering for our newsletter (Article 6 (1) (a), Article 7 GDPR).
5.4. Customer support and customer service
During or after your order in our CYBEX Online Shop we may contact you via the contact data provided by you, where this should be necessary to eliminate any discrepancies in your order, to make suggestions to optimise your order or because of important information in connection with or following your order. The legal basis for this data processing is, as part of the performance of the contract, Article 6 (1) (b) GDPR, otherwise either Article 6 (1) (d) GDPR or Article 6 (1) (f) GDPR, depending on the interests involved.
You may object to the processing of your data for such purposes at any time. We will then refrain from further processing for any such purposes.
5.5. Direct advertising after the purchase of goods
If you have purchased goods in our CYBEX Online Shop, we may send you information about our own similar goods to the e-mail address or to the postal address provided by you. The legal basis for this data processing is Article 6 (1) (f) GDPR, because the advertising of related products by way of direct advertising represents a legitimate interest for us. The basis for direct advertising by e-mail is additionally Section 7 (3) German Unfair Competition Act.
You may at any time object to the processing of your data for the purpose of direct marketing. We will then refrain from further processing for any such purposes.
5.6. Marketing, web analytics and social media
Google Analytics is a web analytics service provided by Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Google Analytics serves the purpose of analysing the use of the website in order to be able to continuously improve individual functions and offers as well as the user experience. Through the statistical evaluation of user behaviour, it is possible to continuously improve our online services and keep it more attractive for you as a user.
During your visit to the website, the following data, among others, is recorded:
• Webpages accessed by you
• The achievement of so called "website goals" (e.g. contact enquiries and newsletter sign-ups).
• Your behaviour on our webpages (for example clicks, scrolling behaviour and dwell time)
• Your approximate location (country and city)
• Your IP address (in shortened form, so that no clear assignment is possible)
• Your technical information such as browser, internet provider, terminal device and screen resolution
• Source of origin of your visit (i.e. via which website or via which advertising medium you came to us)
The information generated by the cookie about your use of this website is usually transmitted to a Google server in the US and stored there. These cookies contain a randomly generated user ID with which you can be recognised during future website visits. However, due to the activation of IP anonymisation on these websites, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there.
If you do not agree to the collection of data, you can prevent it by installing the browser add-on to deactivate Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=) once or revoke your consent via the Consent Management Tool.
As Google's headquarters are in the US, we cannot preclude that the data will also be processed in the US. We have entered into a Data Processing Agreement (DPA) with Google. The EU Standard Contractual Clauses are part of this DPA. We can provide you with these Standard Contractual Clauses on request.
Your data will only be transferred to our carefully selected service providers and partner companies who are contractually obligated to comply with requirements of data protection laws. Otherwise, your data will only be transmitted in the event of an existing legal obligation. In the following you will find information about the companies to which we transfer data. These selected service providers and partner companies are located in the following countries: Switzerland, Germany, Bulgaria, USA.
7.1. Transfer within affiliated companies
We may transfer your data to our affiliated companies for storage in central databases and for internal group billing and accounting purposes in connection with the conclusion and performance of the contract. The legal basis for this data processing is either Article 6 (1) (b) GDPR or Article 6 (1) (f) GDPR. The affiliated companies are located in Germany.
7.2. Transfer to service companies
Use of service companies: We use several service companies – hereinafter referred to as “service providers” – that are working on our behalf to operate and optimise our websites, to perform contracts and to process payment transactions. This relates, for example, to the hosting of our websites, the placement of advertising, the delivery of ordered goods, the assessment of default risks, the processing of payment transactions, the sending of newsletters as well as customer service and support. We transfer data to these service providers to the extent necessary for the provision of our websites or the performance of contracts or where it serves to protect our legitimate interests. The legal basis for this data processing operations is usually Article 6 (1) (b) GDPR or Article 6 (1) (f) GDPR.
These service providers mainly work for us as “processors” on our behalf and may therefore use the data provided exclusively in accordance with our instructions. We are legally responsible for appropriate data protection policies at the service providers which are processing data on our behalf and have agreed appropriate data protection and data security regimes with the service providers.
In the following cases, we may also transfer data to third parties for independent use as part of the contract performance:
Transport companies: The transport companies we use receive from us the data required for the delivery of the ordered goods to you, i.e., in particular your name and the delivery address provided by you. If necessary, the transport company may also receive your contact details so as to arrange an individual delivery date with you. The legal basis for the respective data processing is Article 6 (1) (b) GDPR.
Payment transactions: The respective payment service provider or bank receives the necessary payment data for the processing of payment transactions. The legal basis for the data processing is Article 6 (1) (b) GDPR. Generally, however, you enter this information directly in the input window of the respective payment service provider or bank. In these cases, we do not receive and store any payment data.
Creditworthiness check: If you choose the “Invoice” payment method, we transfer the necessary data to Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss, Germany, to obtain creditworthiness information on your previous payment history and information for assessing the risk of non-payment based on mathematical-statistical procedures using address data (“scoring”). The legal basis for this data processing is Article 6 (1) (b) GDPR and Article 6 (1) (f) GDPR.
7.3. Transfer to third countries
Data are only transferred to bodies in states outside the European Union or the European Economic Area or Switzerland where
- you have consented thereto,
- this is necessary to perform your orders,
- this is required by law, or
- this occurs as part of order processing.
In the case of order processing, the service providers are contractually bound to our instructions and obligated to guarantee the strict technical and organisational measures. The processors are located both in countries that are the subject of an adequacy decision by the European Commission and in countries that protect personal data to an extent not comparable with the EU. In the latter cases, we ensure a level of data protection comparable to that of the EU by way of contractual agreements and by agreeing the EU standard data protection clauses.
7.4. Transfer to other third parties
Otherwise, we only transfer your data to third parties or to official authorities if we are legally obligated to do so under existing data protection laws, such as due to official or court orders, or if we are entitled to do so, e.g., because it is necessary for the prosecution of criminal offences or for the exercise or enforcement of our rights or claims. The legal basis for the respective data processing in these cases is Article 6 (1) (c) GDPR or Article 6 (1) (f) GDPR.
We only store your data until the purposes for which they were collected cease to apply (e.g., upon termination of the contractual relationship or by the last activity if there is no continuing obligation, or in the event of a revocation of your consent for the specific data processing). Storage beyond this only takes place insofar as and as long as
- there are legal obligations to retain the data,
- the data is still required for the assertion or exercise of legal claims or for the defense against legal claims, e.g. due to technological and forensic requirements for the defense against possible attacks on our web servers, and their prosecution,
- deletion would be contrary to the legitimate interests of the data subjects, or
- another exception pursuant to Article 17 (3) GDPR applies.
As a visitor of our web pages and as a customer in our CYBEX Online Shop, you are entitled to various rights granted by the GDPR. Please use the information in the Contact section to assert your rights against us and make sure that we are able to clearly identify your person.
In the following we explain your essential rights as a data subject.
9.1. Rights of confirmation, access, to rectification or erasure of data
In accordance with the GDPR, as a data subject you may obtain information in writing upon request and free of charge about which data about your person (e.g., name, address) have been stored. In addition, as a data subject, you have the right to have these data corrected or erased as granted by the GDPR, provided that the legal requirements are met. Excluded from the right to erasure are, for example, stored data relating to business processes that are subject to the legal obligation to retain data.
- Right of confirmation and access: A data subject has the right, granted by the GDPR, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed; where that is the case, the data subject has a right of access to the personal data and to further information to the extent provided for by law.
- Right to rectification: A data subject has the right, granted by the GDPR, to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In this respect, taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (“right to be forgotten”): A data subject has the right granted by the GDPR to obtain from the controller the erasure of personal data concerning him or her without undue delay; the controller has the obligation to erase personal data without undue delay where one of the grounds provided for by law applies and where the processing is not necessary.
9.2. Right to restriction of data processing
As a data subject, you have the right, granted by the GDPR, to obtain from the controller restriction of processing where one of the conditions provided by law is met. We must restrict the processing of personal data especially when you deny the accuracy of your personal data, when you need the data being processed without legal basis for your protection, or when your objection is being investigated.
We must restrict the processing of personal data especially when you deny the accuracy of your personal data, when you need the data being processed without legal basis for your protection, or when your objection is being investigated.
9.3. Right to object
As a data subject, you have the right, granted by the GDPR, to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you by us as controller; we will then no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject or for the establishment, exercise or defence of legal claims.
9.4. Right to data portability
As a data subject, you have the right, as granted by the GDPR, to receive the personal data concerning you which you have provided to us as controller in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us as controller to which the personal data have been provided, subject to the conditions provided for by law.
9.5. Revocation of consent
Where you may have given us your consent to process your data within the scope of your use of our web pages or as part of your order in our CYBEX Online Shop, you may withdraw such consent at any time with effect for the future. The lawfulness of the processing of your data before your withdrawal remains unaffected.
After receipt of your withdrawal by us, we will stop the relevant use of the data without delay. Withdrawal of consent will not affect the processing of personal data carried out on other legal bases pursuant to Article 5 above.
Exclusively automatic processing of your data is only performed where necessary for the conclusion or performance of a contract and where such does not have any legal or similar effect on you.
In the event of complaints regarding the processing of your data, you have the right to to lodge a complaint with competent supervisory authorities. You may do so by contacting the data protection authority responsible for your place or state of residence or the data protection authority responsible for us, which is:
The Bavarian Data Protection Commissioner (Bavarian DPC)
PO Box 22 12 19
80502 Munich, Germany
In case of exercising your data protection rights or any questions regarding the processing of your data, suggestions or complaints, please contact our Data Protection Officer. We recommend that you send confidential information exclusively by postal mail.
Contact details of the Data Protection Officer of CYBEX Retail GmbH:
Phone: +49 (0)92178511-0