AGB / DATENSCHUTZ

With this privacy policy, we inform you about our processing of your personal data. We process personal data in accordance with the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”).

Who is responsible for data processing and who can be contacted?
Controller within the meaning of Art. 4 (7) GDPR is:
Jens Zijlstra
Studio Zijlstra UG (haftungsbeschränkt) 
In den Haferwiesen 28-30
D-55299 Nackenheim
info@zijlstra.studio
+49 176 21 500 501

For what purpose and on what legal basis is personal data processed?
Your details are only used to contact you about your order or contract.

a) Fulfilment of contractual and pre-contractual obligations (Art. 6 (1) (b) GDPR)
The processing of personal data (Art. 4 No. 2 GDPR) is carried out to provide this website and to provide our services, in particular to conclude and process contracts, to invoice, to carry out pre-contractual measures, to answer enquiries in connection with our business relationship and for all activities necessary for the operation and administration of our company.
The purposes of the data processing depend primarily on the concrete product. Further details on the purpose of data processing within the framework of contracts can be found in the respective contract documents and terms and conditions.
b) In the context of balancing interests (Art. (1) (f) GDPR)
In addition, we process your data to protect legitimate interests of us or of third parties such as, in particular, in the following cases:
• replying to your inquiries outside of a contract or pre-contractual measures; 
• assertion of legal claims and defence in legal disputes;
• guaranteeing our IT security and IT operations;
• measures for business management and further development of products.
c) Based on your consent (Art. 6 (1) (a) GDPR)
If you have given us permission to process personal data for certain purposes, the law-fulness of this processing is given on the basis of your consent. A given consent can be revoked at any time. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.
d) On the basis of legal requirements (Art. 6 (1) (c) GDPR)
In addition, we are subject to various legal obligations, i.e. legal requirements (e.g. tax laws), which require the processing of data.

Website
When you visit our website, information is automatically sent to the server of our website by your browser. This information is temporarily stored in a socalled log file. The following information is collected without your intervention and stored until it is automatically deleted: IP address of the inquiring computer, date and time of the access, name and URL of the retrieved file, website from which the access follows ("referrer URL"), if applicable the search engine used by you, browser used and if applicable the operating system of your computer as well as the name of your access provider.
The legal basis for this type of data processing is Art. 6 (1) (f) GDPR. The legitimate interests pursued by us are in particular:
• ensuring a smooth connection of the website,
• ensuring comfortable use of our website,
• evaluation of system safety and stability,
• for other administrative purposes.
We use technically necessary cookies on our website. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest for doing so is enabling you to use our website. The data will not be combined with other personal data. We do not use cookies for advertising or analysis purposes.

Who receives my data?
Within the company, individuals that need your data in order to fulfil a contractual and legal obligation will have access to it.
We pass on data to the following categories of recipients if this is necessary to fulfil an existing contractual relationship between you and us or to implement pre-contractual measures (Art. 6 (1) (b) GDPR) or to safeguard legitimate interests (Art. 6 (1) (f) GDPR). 
• IT service provider
• logistics service provider
• financial institutions for payment purposes
Insofar as processing is necessary to safeguard legitimate interests, for example when using logistics and IT services, it is our legitimate interest to outsource functions.
In addition, your personal data will be forwarded or transmitted if this is required by law (Art. 6 (1) (c) GDPR) or if you have consented (Art. 6 (1) (a) GDPR). We never sell your personal information to any third party.

How long will my data be stored?
If necessary, we process and store your personal data for the duration of our contractual relationship, including, for example, the initiation and execution of a contract. It should be noted here that our contractual relationship may, depending on the individual case, be a continuing obligation for a number of years. 
For contractual relationships, but also for other civil law claims, the storage period also depends on the statutory limitation periods, which, for example, according to § 195 et seq. of the German Civil Code (BGB) are generally three years long, but can, in certain cases, also be up to thirty years.
In addition, we are subject to various storage and documentation obligations, including those arising from the German Commercia Code (Handelsgesetzbuch – HGB) and the Tax Code (Abgabenordnung - AO). The periods for storage or documentation specified there are 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents and business letters (§§ 238, 257 paras. 1 and 4 HGB, § 147 paras. 1 and 3 AO). 
Log and cookies files are generally deleted after the end of the respective browser session, at the latest after seven days, unless their further storage is exceptionally necessary and lawful. 

Which data protection rights do I have?
You have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to limitation of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). The restrictions according to § 34 and § 35 BDSG apply to the right of access and the right of cancellation. You also have the right to object to data processing by us (Art. 21 GDPR). If our processing of your personal data is based on consent (Art. 6 (1) (a) GDPR), you can withdraw this at any time; the legality of data processing based on the consent until withdrawal remains unaffected by this.
Regardless of this, you have the right to file a complaint with a supervisory authority – in particular in the EU Member State where you are staying, working or allegedly infringed – if you believe that the processing of personal data concerning you violates the GDPR or other applicable data protection laws (Art. 77 GDPR, § 19 BDSG).

Is data transferred to a third country or to international organisations?
In general, no. If, in exceptional cases, data is transferred to third countries (countries outside the European Economic Area - EEA), this is only done on the basis of an adequate decision of the commission or on the basis of standard contractual clauses of the commission (available at https://eur-lex.europa.eu) or binding corporate rules.