Privacy Policy
1. Data protection, Controller and Data Protection Officer
In this privacy policy we inform you about the collection of personal data when using our website. Personal data are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.
This privacy policy explains which kind of data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission in the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.
Unless a more specific storage period is specified within this privacy policy, your personal data will remain with us until the purpose for the data processing doesn’t apply anymore. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the data will be deleted after these reasons cease to apply.
The Controller for the processing of your personal data through this website is the
Rammstein Merchandising oHG (hereinafter referred to as: Rammstein)
Hertzstr.63 b
13158 Berlin
Phone: +49 30 41 72 747 13
E-Mail: info@rammsteinshop.de
You can reach our data protection officer at the e-mail datenschutz@rammsteinshop.de.
2. General notes and mandatory information
a) SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the website operator, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
b) Encrypted payment transactions on this website
If there is an obligation to provide us with your payment details (e.g. account number for direct debit authorization) after the conclusion of a fee-based contract, this data is required for payment processing.
Payment transactions via the usual means of payment (Visa/MasterCard, direct debit) are made exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
With encrypted communication, your payment data that you transmit to us cannot be read by third parties.
c) External hosting
This website is hosted by an external service provider (hoster). The personal data collected on this website are stored on the hoster's servers. This may include e.g. IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.
The hoster is used for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its service obligations and follow our instructions regarding this data.
We host the content of our website with the following provider:
Bradler & Krantz GmbH & Co. KG Kurt-Schumacher-Platz 8 44787 BochumDetails can be found in the privacy policy of Bradler & Krantz GmbH & Co. KG: https://www.providerdienste.de/de/unternehmen/datenschutz/.
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that our service provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.
3. Data collection on our website
a) Cookies
Our websites and pages use what the industry refers to as “cookies.” Cookies are small data packages that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or they are permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them, or they are automatically eradicated by your web browser.
Cookies can be issued by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies into websites (e.g., cookies for handling payment services).
Cookies have a variety of functions. Many cookies are technically essential since certain website functions would not work in the absence of these cookies (e.g., the shopping cart function or the display of videos). Other cookies may be used to analyze user behavior or for promotional purposes.
Cookies, which are required for the performance of electronic communication transactions, for the provision of certain functions you want to use (e.g., for the shopping cart function) or those that are necessary for the optimization (required cookies) of the website (e.g., cookies that provide measurable insights into the web audience), shall be stored on the basis of Art. 6 para. 1 lit.f GDPR, unless a different legal basis is cited. The operator of the website has a legitimate interest in the storage of required cookies to ensure the technically error-free and optimized provision of the operator’s services. If your consent to the storage of the cookies and similar recognition technologies has been requested, the processing occurs exclusively on the basis of the consent obtained (Art. 6 para. 1 lit.a GDPR and § 25 para. 1 TTDSG); this consent may be revoked at any time.
You have the option to set up your browser in such a manner that you will be notified any time cookies are placed and to permit the acceptance of cookies only in specific cases. You may also exclude the acceptance of cookies in certain cases or in general or activate the delete-function for the automatic eradication of cookies when the browser closes. If cookies are deactivated, the functions of this website may be limited.
Which cookies and services are used on this website can be found in this privacy policy.
b) Consent via Consent-Tool
Our website uses a internal programmed consent technology to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in accordance with data protection regulations.
When you enter our website, a connection is established to the servers of our hoster in order to obtain your consent and other declarations regarding cookie use. The tool stores a cookie in your browser in order to be able to assign the consents you have given or revoke them. The data collected in this way is stored until you ask us to delete it, delete the cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
The consent banner is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
c) Server-Log filesThe provider of this website and its pages automatically collects and stores information in so-called server log files, which your browser communicates to us automatically. The information comprises:
- The type and version of browser used
- The used operating system
- Referrer URL
- The hostname of the accessing computer
- The time of the server inquiry
- The IP address
This data is not merged with other data sources.
This data is recorded on the basis of Art. 6 para. 1 lit.f GDPR. The operator of the website has a legitimate interest in the technically error free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded.
d) Request by e-mail or telephone
If you contact us by email or telephone, we will store and process your request, including all personal data (name, request, email address), for the purpose of processing your request. We will not pass on this data without your consent. This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures (e.g. booking tickets on account). In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
e) Contact form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions – in particular retention periods – remain unaffected.
f) Registration on our WebsiteIf you contact us by email or telephone, we will store and process your request, including all personal data (name, request, email address), for the purpose of processing your request. We will not pass on this data without your consent. This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures (e.g. booking tickets on account). In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
4. Analysis tools
a) Tracking tools
The tracking measures listed below and used by us are carried out on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the analysis measures to statistically record the use of our website and evaluate it for the purpose of optimizing our offer for you.
The respective data processing purposes and data categories can be found in the following explanations of the corresponding tracking tools.
b) Google Tag Manager
We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the United States.
The Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on its website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.
The company "Google" is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
c) Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the website visitor.
We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the collected data records and uses machine learning technologies for data analysis.
Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
Browser plugin
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=en. We have concluded an order processing contract with Google. This means that Google will only process your personal data on our instructions and not for its own purposes.
d) Google Ads Remarketing
This website uses the functions of Google Ads Remarketing. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
With Google Ads Remarketing, we can assign people who interact with our online offer to specific target groups in order to subsequently display interest-based advertising in the Google advertising network (remarketing or retargeting).
Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google's cross-device functions. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. cell phone) can also be displayed on another of your devices (e.g. tablet or PC).
If you have a Google account, you can object to personalized advertising at the following link: https://www.google.com/settings/ads/onweb/.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
Further information and the data protection provisions can be found in Google's privacy policy at https://policies.google.com/privacy.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
e) Google Conversion-Tracking
This website uses Google Conversion Tracking. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
With the help of Google conversion tracking, Google and we can recognize whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked how often and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics. We find out the total number of users who have clicked on our ads and what actions they have taken. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification purposes.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time. You can find more information about Google Conversion Tracking in Google's privacy policy: https://policies.google.com/privacy
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
f) Meta-Pixel (former Facebook Pixel)
This website uses the Facebook/Meta visitor action pixel to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.
This allows the behavior of site visitors to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.
The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy (https://www.facebook.com/privacy/center/). This allows Facebook to place advertisements on Facebook pages and outside of Facebook. This use of the data cannot be influenced by us as the site operator.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the wording of the agreement at https://www.facebook.com/legal/controller_addendum.
According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you contact us, we are obliged to forward these to Facebook.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
You can find further information on protecting your privacy in Facebook's privacy policy: https://www.facebook.com/privacy/policy/.
You can also deactivate the remarketing function "Custom Audiences" in the settings for advertisements at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You must be logged in for this action.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
g) Facebook Conversion API
We have integrated Facebook Conversion API on this website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.
The Facebook Conversion API enables us to record the website visitor's interactions with our website and pass them on to Facebook in order to improve advertising performance on Facebook.
In particular, the time of the call, the website called up, your IP address and your user agent and, if applicable, other specific data (e.g. products purchased, value of the shopping cart and currency) are recorded. You can find a complete overview of the data that can be collected here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
If personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the wording of the agreement at https://www.facebook.com/legal/controller_addendum.
According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook with Facebook. If you contact us in this regard, we are obliged to forward these to Facebook.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
h) Facebook Custom Audiences
We use Facebook Custom Audiences. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
When you visit or use our websites and apps, take advantage of our free or paid offers, transmit data to us or interact with our company's Facebook content, we collect your personal data. If you give us your consent to use Facebook Custom Audiences, we will transmit the data to Facebook, which Facebook can use to display suitable advertising to you. Your data can also be used to define target groups (lookalike audiences).
Facebook processes this data as our processor. Details can be found in the Facebook user agreement: https://www.facebook.com/legal/terms/customaudience.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/terms/customaudience and https://www.facebook.com/legal/terms/dataprocessing.
The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
5. Plugins und Tools
a) YouTube with extended data protection
This website embeds videos from the website YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube - regardless of whether you watch a video - establishes a connection to the Google DoubleClick network.
As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.
YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.
You can find more information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=en.
b) Vimeo without tracking (Do-Not-Track)
This website uses plugins of the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA.
When you visit one of our pages equipped with Vimeo videos, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. In addition, Vimeo obtains your IP address. However, we have set Vimeo in such a way that Vimeo will not track your user activities and will not set any cookies.
The use of Vimeo is in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. Insofar as a corresponding consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data transfer to the U.S. is based on the EU-U.S. Data Privacy Framework and/or the standard contractual clauses of the EU Commission, as well as, according to Vimeo, on "legitimate business interests".
For more information on the handling of user data, please see Vimeo's privacy policy at: https://vimeo.com/privacy.
6. Newsletter
If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected, or only on a voluntary basis. We use the Amazon Simple Email Service (SES) from the provider Amazon Web Services to send the newsletter.
Amazon SES
The newsletter is sent via the Amazon Simple Email Service (SES) of the provider Amazon Web Services, Inc. (hereinafter "AWS"), 410 Terry Avenue North, Seattle WA 98109, USA.
In the course of sending the newsletter, we transmit the necessary data (email address) to AWS. We have specified the Europe region (Frankfurt) as the server location.
AWS serves as a platform for organising, sending and receiving emails. We have concluded an order processing agreement (Data Processing Addendum) with AWS, in which we oblige AWS to protect our customers' data and not to pass it on to third parties, https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf.
We have also deactivated performance measurement so that your behaviour is not evaluated when you open our newsletter. However, links (URLs) in our newsletters contain corresponding parameters that allow us to identify the newsletter as the origin of the visit when you visit our website using Google Analytics (see 4.c).
If you do not want your data to be transferred to AWS, you can unsubscribe from the newsletter. We provide a corresponding link in every newsletter for this purpose. Alternatively, you can also unsubscribe from the newsletter directly on the website or send your unsubscribe request to newsletter@rammsteinshop.de by email.
The data processing takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can withdraw this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation.
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.
Further information on data protection at Amazon Web Services (AWS) can be found at: https://aws.amazon.com/compliance/data-privacy/.
If data is nevertheless transferred to the USA in individual cases, this will be based on the standard contractual clauses of the EU Commission to protect your data. You can find details here: https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf and https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.
7. eCommerce and Payment provider
a) General information
We collect, process and use personal customer and contract data to establish, structure the content of and amend our contractual relationships. We only use personal data about the use of this website (usage data) insofar as this is necessary to enable the user to use the service or to bill the user. The legal basis for this is Art. 6 para. 1 lit. b GDPR.
The customer data collected will be deleted after completion of the order or termination of the business relationship and expiry of any existing statutory retention periods. Statutory retention periods remain unaffected.
b) Data transmission upon conclusion of contract for online stores, retailers and shipping of goods
In case you order goods from us, we pass on your personal data to the transport company entrusted with the delivery and to the payment service provider commissioned to process the payment. Only the data required by the respective service provider to fulfill its task will be disclosed. The legal basis for this is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures. If you have given your consent in accordance with Art. 6 para. 1 lit. a GDPR, we will pass on your e-mail address to the transport company entrusted with the delivery so that it can inform you by e-mail about the shipping status of your order; you can revoke your consent at any time.
We only transfer personal data to third parties if this is necessary in the context of contract processing, for example to the credit institution responsible for processing payments.
Any further transmission of the data will not take place or will only take place if you have expressly consented to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes.
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.
c) Payment provider
We integrate payment services from third-party companies on our website. When you purchase anything from us, your payment details (e.g. name, payment amount, account details, credit card number) are processed by the payment service provider for the purpose of payment processing. The respective contractual and data protection provisions of the respective providers apply to these transactions. The payment service providers are used on the basis of Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing; consent can be revoked at any time for the future.
(1) PayPal
The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal"). Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.
You can find details of PayPal's privacy policy here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
(3) Unzer
The provider of this payment service is the Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg (hereinafter referred to as “Unzer”).
For details, please consult Unzer’s data privacy policy at: https://www.unzer.com/en/data-protection/.
(4) Mastercard
The provider of this payment service is the Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter “Mastercard”).
Mastercard may transfer data to its parent company in the US. The data transfer to the US is based on Mastercard's Binding Corporate Rules. Details can be found here: https://www.mastercard.com/global/en/vision/corp-responsibility/commitment-to-privacy/privacy.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.
(5) VISA
The provider of this payment service is the Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter “VISA”).
Great Britain is considered a secure non-EU country as far as data protection legislation is concerned. This means that the data protection level in Great Britain is equivalent to the data protection level of the European Union.
VISA may transfer data to its parent company in the US. The data transfer to the US is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html.
For more information, please refer to VISA’s privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
8. Transfer of personal data
a) Legal basis
We will only pass on your personal data to third parties if this is necessary to achieve our purposes and at least one of the following legal bases exists:
- you have expressly given your consent to this in accordance with Art. 6 Para. 1 lit. a GDPR,
- this is legally permissible and necessary for the processing of contractual relationships according to Art. 6 Para. 1 lit. b GDPR,
- in the event that a legal obligation exists for the disclosure pursuant to Art. 6 para. 1 lit. c GDPR, as well as
- the transfer according to Art. 6 para. 1 lit. f GDPR is necessary to protect our legitimate interests, unless your interests, fundamental rights and freedoms, which require the protection of your personal data, prevail.
b) Data transfer to the USA
We largely, but not exclusively, rely on service providers located within the EU/EEA or a third country for which the European Commission has adopted an adequacy decision within the meaning of Art. 45 of the GDPR. Even in the case of service providers based within the EU/EEA, however, we cannot guarantee in individual cases that they will store or process your data exclusively on servers in countries where a level of protection comparable to that in the EU/EEA prevails.
Among other things, we use tools from companies based in the USA. If these tools are active, your personal data may be transferred to these third countries and processed there. We note that the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework (successor to the "Privacy Shield"). The decision states that the United States will ensure an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to U.S. companies within the new framework. Based on this sectoral adequacy decision, personal data can be transferred securely from the EU to U.S. companies participating in the framework ("Data Privacy Framework") without having to implement additional data protection safeguards. To participate, companies must have certified themselves with the U.S. Department of Commerce. If they have not done so, the adequacy decision does not serve as a basis for secure data transmission. In these cases, we enter into Standard Contractual Clauses (SCC) with the service providers. By concluding standard contractual clauses within the meaning of Art. 46 para. 1 lit. c GDPR, we provide guarantees for the protection of your data.
In addition, we encrypt or pseudonymize personal data before transferring it to a service provider in a third country if this is technically possible and appropriate.
9. Data subject rights
You have the right to,
- to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
- in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or completion of your personal data stored by us;
- pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- in accordance with Art. 18 GDPR to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
- pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
- in accordance with Art. 7 para.3 GDPR, to revoke your consent given to us at any time. This has the consequence that we may no longer continue the data processing based on this consent in the future; and
- complain to a supervisory authority in accordance with Art. 77 GDPR. Usually you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.
10. Right of objection
If your personal data are processed on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.
If you wish to exercise your right to object, an email to info@rammsteinshop.de will suffice.
11. Data security
We use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser when visiting the website. Usually this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
12. Actuality and change of this privacy policy
This privacy policy is currently valid and has the status of November 2023.
Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed at any time on our website at https://shop.rammstein.de/en/catalog/privacy.html.