Skip to content

Imprint

We have carefully checked this Internet presentation and make every effort to continually expand and update it.

However, we cannot accept responsibility for errors, omissions or possible obsolescence.

Published by:

RRNO-Research GmbH
Pfarrstraße 14
37627 Stadtoldendorf
Germany

Telephone: +49(0)5532 5099153
Fax: +49 5532 9834554
E-mail: info(at)rrno-research.de

Represented by
Randolf Nott, CEO
Renate Nott, COO

Registered in the Commercial Register of the District Court of Hildesheim, Germany
Commercial Register Number: HRB 205276

VAT Registration Number: DE-312567027

Privacy Policy

This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter “data”) within our online offering, including the associated websites, functions, and content (hereinafter collectively “online offering”). Terms such as “processing”, “controller”, “processor”, or “consent” are used in the sense of the General Data Protection Regulation (GDPR), in particular Art. 4 GDPR.

Controller

RRNO-Research GmbH Represented by the managing directors: Randolf Nott, Renate Nott Pfarrstrasse 14, 37627 Stadtoldendorf, Germany E-mail: info@rrno-research.de

A data protection officer has not been appointed, as the legal requirements for this are not currently considered to be met.

  1. Definitions

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

  1. Types of Data Processed

Depending on how you use our online offering, we process in particular:

  • Master data (e.g. name, address)
  • Contact data (e.g. e-mail address, telephone number)
  • Contract and order data (e.g. items ordered, delivery/billing address, order-related communications)
  • Payment data (e.g. payment method, payment status; account details/IBAN only where required for SEPA direct debit)
  • Usage and access data (e.g. pages visited, access times)
  • Meta/communication data (e.g. IP address, device/browser information)
  1. Categories of Data Subjects
  • Visitors to our online offering
  • Prospective and existing customers (consumers and businesses)
  • Communication partners (e.g. when making contact)
  1. Purposes of Processing

We process data for the following purposes:

  • Provision of the online offering and ensuring technical security
  • Processing of orders and contracts (including dispatch and payment handling)
  • Responding to contact enquiries and communications
  • Fulfilment of legal obligations (e.g. statutory retention under commercial and tax law)
  • Administration and organisation of business operations

We do not use any newsletter system, social media integration, Google Maps integration, or tracking (e.g. Google Analytics) for analytics or marketing purposes.

  1. Applicable Legal Bases

Unless otherwise stated in the sections below, we process data on the basis of the following legal grounds:

  • Art. 6(1)(b) GDPR: Performance of a contract and pre-contractual measures (e.g. orders, payment/dispatch processing, product enquiries)
  • Art. 6(1)(c) GDPR: Compliance with legal obligations (e.g. retention requirements)
  • Art. 6(1)(f) GDPR: Legitimate interests (e.g. IT security, abuse/fraud prevention, efficient business operations)
  • Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR: Consent (e.g. for non-essential cookies/technologies)

Additionally, for the storing/reading of information on your device (cookies/similar technologies), Section 25 TTDSG applies:

  • Section 25(2) TTDSG for technically necessary operations
  • Section 25(1) TTDSG for consent-required operations (opt-in via consent tool)
  1. Security Measures

In accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. These include in particular measures to ensure confidentiality, integrity and availability, access restrictions, authorisation concepts, logging, as well as procedures for exercising data subject rights and responding to security incidents.

  1. Hosting, Website Provision, and Server Log Files

To provide our online offering, we use the services of a hosting provider acting as our processor (Art. 28 GDPR).

When the website is accessed, data that your browser transmits to our server is processed for technical reasons (server log files), in particular:

  • IP address, date and time of access
  • Page/file accessed, referrer URL
  • Browser type/version, operating system
  • Where applicable, status codes/error messages

The data is processed for the purpose of technical provision and to ensure the stability and security of our systems (e.g. defence against attacks) and error analysis. The legal basis is Art. 6(1)(f) GDPR.

Log data is generally stored only for as long as necessary for the stated purposes; typically a few days to a few weeks, and potentially longer where required to investigate security incidents.

  1. Consent Management Tool (Cookie Consent)

We use a consent tool to obtain and document consent for cookies/technologies requiring consent and to manage settings. Data that may be processed includes consent status, timestamp, categories/preferences where applicable, technical identifier (e.g. consent cookie), and technical access data for verification and functional purposes.

Processing serves the purpose of obtaining, managing, and documenting consent. The legal basis is Art. 6(1)(c) GDPR and/or Art. 6(1)(f) GDPR; where non-essential cookies/technologies are used, this is done solely on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG). You may withdraw or modify any consent given at any time with effect for the future via the consent tool settings.

  1. Cookies and Technically Necessary Functions

We use cookies and similar technologies insofar as this is necessary for the operation of our online offering, in particular to provide shopping cart and session functions, to implement security and display settings, and to store consent status (consent cookie). The legal basis for technically necessary cookies is Section 25(2) TTDSG. The associated processing of personal data is based on Art. 6(1)(f) GDPR or – where processing serves the performance of a contract or pre-contractual measures (e.g. shopping cart/checkout) – on Art. 6(1)(b) GDPR. You may delete or block cookies via your browser settings. If completely disabled, certain shop functions may be limited. As we do not use tracking, we do not use any analytics or marketing cookies without your consent.

  1. Order Processing

When you place or initiate/enquire about an order, we process the personal data required for this purpose, in particular master and contact data as well as contract and order data. Processing serves the purpose of handling and fulfilling the order, delivery, customer service, and responding to queries, as well as complying with legal obligations, in particular statutory retention requirements under commercial and tax law. The legal basis is Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures) and Art. 6(1)(c) GDPR (compliance with legal obligations). Without the provision of this information, we are generally unable to enter into a contract or execute the order.

  1. Payment Processing (PayPal, SEPA Direct Debit)

When you select one of the offered payment methods, we process the payment and transaction data required for this purpose in order to process the payment and perform the contract. Where external payment service providers or credit institutions are involved, we transmit the required data to these recipients.

PayPal: If you choose PayPal as your payment method, we transmit the data required for payment processing to PayPal. This includes in particular name, e-mail address, billing and delivery details, as well as shopping cart, transaction, and payment status data; PayPal may also process additional data required for processing. Processing serves the purpose of payment execution and, where applicable, fraud prevention and authentication. The legal basis is Art. 6(1)(b) GDPR. The recipient is PayPal (Europe) S.a r.l. et Cie, S.C.A. and, where applicable, service providers or sub-processors engaged by PayPal. Depending on the configuration of PayPal services, processing in third countries (e.g. the USA) cannot be excluded; any such transfer is made in accordance with Art. 44 et seq. GDPR, for example on the basis of an adequacy decision (e.g. EU-US Data Privacy Framework, where applicable) or by means of standard contractual clauses.

SEPA Direct Debit: If you choose SEPA direct debit, we process your banking details (in particular IBAN) and mandate information in order to execute the direct debit collection. Data processed includes in particular name, address, IBAN, mandate reference where applicable, amount, due date, payment status, and data relating to the handling of any returned debits. The purpose is to collect the outstanding amount by direct debit including the processing of returned debits. The legal basis is Art. 6(1)(b) GDPR. Recipients are the credit institutions or payment service providers involved (banks) and, where applicable, technical processing service providers within the payment infrastructure.

  1. Dispatch and Delivery

To deliver ordered goods, we transmit the required shipping data to delivery service providers. This includes in particular name and delivery address, and – where required for delivery notifications or smooth delivery – also e-mail address and/or telephone number, as well as shipment data. Processing serves the purpose of dispatch, delivery, and where applicable delivery notification and shipment tracking. The legal basis is Art. 6(1)(b) GDPR. Recipients are delivery service providers (e.g. DHL, DPD, Hermes) and, where applicable, their sub-contractors.

  1. Contact

When you contact us (e.g. by e-mail or contact form), we process the data you provide, in particular name, e-mail address, and the content of your message, in order to handle your enquiry and communicate with you. Depending on the content of the enquiry, processing is carried out for the performance of pre-contractual measures or for contract performance (Art. 6(1)(b) GDPR), and otherwise on the basis of our legitimate interest in efficient processing and communication (Art. 6(1)(f) GDPR). Enquiries are deleted once resolved and where no statutory retention obligations apply.

  1. Blog/Advice Section

In the blog/advice section, we process the access data referred to in Section 7 (server log files) when pages are retrieved. A comment function is not offered.

  1. Engagement of Processors and Third Parties

We only disclose data where a legal basis exists. Where applicable, we engage processors (e.g. hosting, technical service providers) on the basis of Art. 28 GDPR. Other recipients (e.g. delivery service providers, payment service providers, banks) receive data as independent controllers, where this is necessary for the performance of the contract (Art. 6(1)(b) GDPR).

  1. Transfers to Third Countries

Where we or service providers engaged by us process or transfer data to countries outside the EU/EEA, this is done exclusively under the conditions of Art. 44 et seq. GDPR (e.g. adequacy decision, standard contractual clauses, and where applicable additional measures). Details depend on the respective service.

  1. Erasure and Retention

We erase personal data as a matter of principle once it is no longer required for the purposes for which it was collected, provided no statutory retention obligations apply.

Statutory retention obligations may arise in particular from commercial and tax law (e.g. German Commercial Code (HGB), Fiscal Code (AO)). In such cases, data is stored for the duration of the statutory periods and then erased.

  1. Rights of Data Subjects

Within the framework of the applicable legal requirements, you have the following rights with regard to the processing of your personal data. To exercise your rights, you may contact us at any time using the contact details provided in Section 1; we may request appropriate proof of identity.

Access (Art. 15 GDPR): You may request information as to whether and which personal data we process about you, and receive a copy of that data.

Rectification (Art. 16 GDPR): You may request the correction of inaccurate data and the completion of incomplete data.

Erasure (Art. 17 GDPR): You may request the erasure of your personal data where the legal requirements are met and no retention obligations or overriding grounds apply.

Restriction (Art. 18 GDPR): You may request that the processing of your data be restricted, for example while the accuracy is being verified or where restriction is preferred over erasure.

Data portability (Art. 20 GDPR): You may request to receive data you have provided to us in a commonly used, machine-readable format, or – where technically feasible – to have it transmitted to another controller, provided that processing is based on consent or a contract.

Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future; the lawfulness of processing carried out prior to the withdrawal remains unaffected.

  1. Right to Object (Art. 21 GDPR)

Where we process data on the basis of Art. 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds, or the processing serves the establishment, exercise, or defence of legal claims.

  1. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is generally that of our company’s registered office:

The State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen) Prinzenstrasse 5, 30159 Hannover, Germany

  1. Automated Decision-Making / Profiling

No automated individual decision-making including profiling within the meaning of Art. 22 GDPR takes place.