MEPHISTO E-COMMERCE GMBH DATA PROTECTION DECLARATION
The MEPHISTO* Group takes the protection of your personal data very seriously. We want you to know when we collect this data and how we use it. From a technical and organisational perspective, we assure you that the regulations relating to the protection of personal data are observed, both by ourselves and our external service providers who act on our behalf.
LEGAL NOTICES / INTRODUCTION
The entities of the MEPHISTO Group act either as data controller or as processor, depending on the purpose for which the personal data is processed.
Route de Sarreguemines BP 50060
Phone: +33(0) 3 87 23 30 00
Fax: +33(0) 3 87 23 30 09
Registered in France (Metz): 364 800 276
Date of entry: 01/01/1966
MEPHISTO E-commerce GmbH
Kehler Str. 22
Phone: +49(0) 1 70 76 74 02
Registered in Germany (Freiburg): Freiburg im Breisgau Administrative Court HRB 709455
Date of entry: 17/01/2013
* MEPHISTO S.A.S., Chaussures CARLTON Sàrl, ALLROUNDER Sàrl, MEPHISTO E-commerce GmbH, MEPHISTO RETAIL ITALIA SRL, MEPHISTO GmbH, MEPHISTO PORTUGUESA FABRICA DE CALCADO LDA, MEPHISTO UK LIMITED et leurs filiales
Data protection officer
Mr Marc Rogler
Phone: +49(0) 7121 6971010
Fax: +49(0) 7121 6971030
Registered in Stuttgart : HRB 354657
Limitation of liability
All current and future components of the http://fr.mephisto.com/ website are protected by current French law on intellectual property and copyright. Reproduction, adaptation, distribution and any form of use beyond the limitations of copyright require the written consent of the author or creator.
Downloads and copies of these pages are only permitted for private, non-commercial use/ Any content on the website that does not originate from Mephisto SAS but from third parties is presented in compliance with property rights.
Applicable law and jurisdiction
Without prejudice to your right to take legal action, in the case of any queries, please contact us immediately using the communications channels indicated above. Please provide the following information so that your queries can be processed as quickly as possible:
• Surname, first name(s)
• Full postal address
• Telephone number(s) and electronic contact details
• Contract or offer number
The competent courts fall within the jurisdiction of the Metz Court of Appeal.
In what capacity do we act?
In the course of their activities, the entities of the MEPHISTO Group directly process personal data concerning their employees and customers. They are therefore considered to be data controllers with regard to European data protection legislation. This processing is necessary for the execution of contracts (e.g. General Terms and Conditions of Sale) or to comply with a legal obligation (civil law, tax law, accounting law).
Furthermore, in the context of its own activities or capacity as service provider (e.g. web shop) to customers, an individual entity of the MEPHISTO group may be considered to be acting as a processor for another entity of the group.
COLLECTING, PROCESSING AND USING PERSONAL DATA
COLLECTING, PROCESSING AND USING PERSONAL DATA
If a contract is agreed, we collect and process the personal data that you provide to us in our system and use it for the purposes set out in this declaration for the duration of the contract, including the fulfilment of our contractual obligations to you, notably the execution of orders and any related invoicing. We may also retain and process personal data for a reasonable period after your order is complete, for example to assist in the processing of future orders by you and for the marketing purposes set out in this declaration. Personal data is defined as any information that could be used to identify a person, whether directly or indirectly, such as, for example: name, address, email address, date of birth, profession, bank details, etc.
For publicity and market research purposes, as well as to tailor our product offer to our customers' requirements, we create and use anonymous user profiles. In addition, we use the postal and email addresses registered to inform you of information regarding products similar to your order. You can ask to opt out of this, free of charge, at any time by sending a declaration of this by email to firstname.lastname@example.org or by ticking the corresponding box on your order or by clicking on the relevant link at the bottom of each of our newsletters.
We will, on request, provide you with all personal information about you registered with us free of charge. You can, at any time, request the correction, removal or deletion of your personal data that is registered with us.
If our business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.
We only use your personal data for orders made to our company and related companies, as well as third parties mandated to carry out orders. In all other cases, unless expressly set out in this declaration we will not transmit your data to third parties without your express consent, especially for marketing purposes. Where the law or a legal ruling requires us to do so, we will transmit your data to the authorities authorised to receive them.
We store your information on highly secure servers. These are secured by technical and organisational methods that are intended to prevent the loss, destruction, access, modification or dissemination of your data by any unauthorised person. Only a few authorised persons may access your data. These persons are responsible for the technical, commercial or editorial maintenance of the servers. While we will use all reasonable efforts to safeguard your personal data, and despite all standard controls, you acknowledge that it is not possible to guarantee complete protection against all risks to or losses of any personal data that are transferred from you or to you, in particular via the internet.
Your personal data will be encrypted before being transmitted online. To transmit the data, we use SSL (secure socket layer) encryption.
What data do we collect?
In order to provide the services offered, the MEPHISTO Group needs to collect and process certain information about you. The data that is collected depends on the context of your interactions with the entities in the group, the choices you make and the services you subscribe to.
B. Categories of personal data
The data we collect and process may include the following categories (list inexhaustive):
• Identifying data: we will collect your personal data including your surname, first name(s) and other related data, date of birth, gender (title), country, nationality and language;
• Bank information (for web sales): we will collect your bank data such as the bank account number and the name of the financial institution, BIC and IBAN, in the scope of accounting transactions (billing, credit notes), or for contributions or participation in extra-contractual costs;
Based on the categories of data mentioned above, the MEPHISTO group guarantees that no special categories of data are collected or processed, in accordance with Articles 9 and 10 of the GDPR.
Children and young people under the age of 18 may not send their personal data to us without the consent of their parents or legal representatives; the use of our web shop is prohibited for children and young people under the age of 18. We do not request personal data from children, we do not collect such data and we do not pass it on to third parties.
How do we collect data?
When you log in, information about you is retrieved automatically. For further details, please see our Cookie Statement (lien).
The personal data we collect when you submit the contact form, register online for the newsletter or participate in an event: we only collect and process personal data that is strictly necessary for the business relationship.
ANALYSIS OF IP ADDRESSES AND ANY OTHER INFORMATION
When you access the website, your data, notably IP address, date, time and pages viewed, will be recorded on our servers. It is possible that this data may be used to identify some users.
We do not use IP addresses to identify users. However, we may use the IP addresses collected for (anonymous) statistical analysis. In addition, we use information about your IP address as well as other personal data to prevent any fraudulent use (fraud prevention) or other unlawful use of our website. We may also use information about you to select the version of our online presence corresponding to the country concerned.
PAYMENT OF ORDERS
The payment of orders depends on the payment method selected via a service provider. For payments by credit card or Paypal, it is necessary to transmit your personal information to the service provider or their intermediary so that your order can be processed. We will take reasonable steps to ensure that such service providers adhere to the standards of confidentiality and protection set out in this declaration.
WITHDRAWAL OF CONSENT
By submitting your information to us, you hereby give your express consent to the processing and use of that information in accordance with the terms of this declaration, including the transfer of your information to a location outside of the European Economic Area (EEA) for these purposes, and the processing of your information for email marketing purposes (as noted in the authorisation set out below). However, you may withdraw your consent at any time in the future by notifying us.
AUTHORISATION TO SEND MARKETING EMAILS
By submitting your information to us, you hereby confirm as follows:
“I would like to receive offers by email. I understand that my email address will not be shared with third parties. I understand that I may, at any time, decide to opt out of these marketing emails by declaring as such.”
HOW DO WE PROTECT YOUR DATA?
The MEPHISTO Group thanks you for placing your trust in it; we are committed to protecting the personal data you entrust to us. We guarantee the implementation of appropriate organisational measures as well as physical and technical security measures.
Taking into account appropriate security measures, the processing of personal data constitutes a legitimate interest for the controller. Therefore, the MEPHISTO Group guarantees that the processing of your personal data will be carried out in complete confidentiality, with integrity and respect for fundamental rights and freedoms.
At the MEPHISTO online store, your security is our priority. You can browse our website and our offers completely anonymously. However, if you would like to make an order or if you send us your data by other means (by subscribing to newsletters, for example), we will record your data with your agreement.
• All data indicated through the order process are encrypted before leaving your PC and being transmitted online. To do so, we use a secure encryption method "Secure Socket Layer" (SSL) with a 128 bit encryption key, in order to prevent anyone from reading your data.
• The MEPHISTO online store works with various advertisers. It is therefore possible that the SSL symbol will not appear at the bottom of the browser window or your browser may not tell you that there is a connection with an SSL server through a dialogue box. You can, however, view the encrypted transmission of the data you have provided (https mode) by clicking on the right mouse button at the Checkout and by selecting the "Properties" and Certificates options.
We store all personal data on particularly secure servers. Technical and organisational measures are in place to secure against the loss, destruction, access, manipulation or dissemination of your data by any unauthorised person. Only a few authorised persons can access your data.
What are your rights as a data subject?
The MEPHISTO Group assures you the possibility of exercising your rights at any time and will respond to you in the most appropriate manner.
You have the following rights:
• Right to information about and access to your personal data
• Right to rectification
• Right to erasure (‘right to be forgotten’)
• Right to restriction of processing
• Right to portability
• Right to object
• Right to lodge a complaint with a supervisory authority
If you wish to assert your rights, please email the following address: email@example.com
Please note that in order to respond to your request in the most appropriate way, we may ask you for proof of your identity; any proof that is sent to us will be destroyed as soon as the processing of your request is completed.
The deadlines by which we are obliged to respond to your request are listed in the table below:
Right to information (direct collection) pursuant to Article 13: when the data is collected directly (from the data subject)
Right to information (indirect collection) pursuant to Article 14: one month
Right of access pursuant to Article 15: within a reasonable period of time
Right to rectification pursuant to Article 16: as soon as possible
Right to erasure (‘right to be forgotten’) pursuant to Article 17: as soon as possible
Right to restriction of processing pursuant to Article 18: within a reasonable period of time
Right of data portability pursuant to Article 20: within a reasonable period of time
Right to object pursuant to Article 21: with effect from the first communication
Rights relating to automated decision-making and profiling pursuant to Article 22: when the data is collected
What are the purposes of processing?
In order for the processing to be lawful under the GDPR, a lawful basis must be identified and established before the processing of personal data is carried out.
We use your personal data for the following purposes in accordance with the GDPR:
• Service provision:
o Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
o Payment online: payment for orders depends on the chosen method of payment, which may include payment via an intermediary payment service provider. If you pay by credit card or Paypal, your personal data must be sent to the service provider or via its intermediary in order for your order to be processed.
• Sending communications related to marketing activities;
o the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
o Sending targeted messages by direct mail such as promotional offers or participation in events organised by MEPHISTO Group or in partnership with other data controllers, including the collection of consent: the processing is necessary for the purposes of the legitimate interests pursued by the data controller.
o We reserve the right to contact you by email, telephone, fax, video-conference or other communication channels in order to notify you of events, new features or other information that may be relevant to your interaction with Mephisto SAS. In the cases expressly provided for by the laws and regulations in force, your consent will be requested before sending any communication for direct marketing purposes so that you are able to object or agree to receive such communication: when personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data, including profiling insofar as it is related to the direct marketing.
• Management and administration of infrastructure and operations to develop the information system: the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
• Compliance with internal policies and procedures: The processing is necessary for the purposes of the legitimate interests pursued by the controller.
• Compliance with any laws and regulations in force, code of conduct or guidelines issued by a supervisory authority or with a request from a public authority
The MEPHISTO Group does not sell, disseminate or provide information to third parties without your prior consent.
HOW WILL WE DEAL WITH A BREACH OF PERSONAL DATA?
Pursuant to Article 33 of the GDPR, in the case of a personal data breach, the entities of the MEPHISTO Group are required without undue delay and, where feasible, not later than 72 hours after having become aware of it, to notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The processor is required to notify the controller without undue delay after becoming aware of a personal data breach.
Pursuant to Article 34 of the GDPR, the MEPHISTO Group will notify its customers and any person affected (e.g. prospects) of any breach of their personal data if said breach is likely to result in a high risk to the rights and freedoms of a natural person, i.e. of the customer and/or any other person concerned.
WHAT ARE THE RETENTION PERIODS FOR YOUR DATA?
The Mephisto Group keeps your personal data:
• For the period necessary for the purposes of the processing
• For the period defined by the laws and regulations in force
The majority of cookies that we use are "session" cookies, which are deleted once your session has ended. There are also longer duration cookies that allow us to recognize visitors to our site.
You can delete the cookies that we have created at any time.
Most browsers are configured to accept cookies automatically. You can, however, deactivate cookies or configure your browser so that it tells you when cookies are being sent. Please be aware that if you deactivate cookies you may lose some functionality of our site.
USE OF GOOGLE ANALYTICS
This site uses Google Analytics, a website analysis service provided by Google Inc. ("Google"). Google Analytics uses analytic cookies, which are placed on your computer in order to analyze your use of the site. The information generated by the cookie about your use of the site are generally sent and stored on a Google server in the United States. Where IP anonymization is used on this site, your IP address will only be processed in its abbreviated form in the member states of the European Union or European Economic Area. The complete IP address will only be sent in exceptional circumstances to a Google server in the United States, where it is abbreviated. Google uses this information to evaluate your use of the site, to compile activity reports for its publisher, and to provide the latter with other services relating to the activity of the site and the use of the internet. The IP address sent by your browser as part of the Google Analytics service is not collected with other data held by Google. You can deactivate cookies by configuring your browser. However, deactivating cookies may mean that you will not enjoy optimal use of all the site's functions. In addition, you can also prevent the collection and processing by Google of all data generated by the cookie concerning your use of the site (including your IP address) by downloading and installing the plugin available at the following address (http://tools.google.com/dlpage/gaoptout?hl=de).
You can find further information at tools.google.com/dlpage/gaoptout or on www.google.com/intl/de/analytics/privacyoverview.html (general information about Google Analytics and data protection). Please note that, on this site, Google Analytics is followed by the code "gat._anonymizeIp();" in order to guarantee the anonymous entry of IP addresses (IP-Masking).
USE OF FACEBOOK SOCIAL PLUGINS
Our online presence uses the social plugins ("plugins") of social network, facebook.com, operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). Plugins are accompanied by a Facebook logo or followed by "Facebook Social Plugin".
If you view a site with our online presence or one that uses this kind of plugin, your browser will establish a direct connection with Facebook servers. The content of the plugin will be directly transmitted to your browser by Facebook and as such integrated into the website.
By integrating plugins, Facebook receives information about your access to and use of the site in question. If you are logged into Facebook, Facebook may associate your visit with your Facebook account. If you interact with plugins, by clicking the "like" button or leaving a comment, for example, the corresponding information will be directly transmitted by your browser to Facebook, where it will be recorded.
To find out the purpose and volume of the data collected, as well as to find out more about the processing and collection of data by Facebook, your rights and the possibility of amendments to protect your private life, please refer to the "Facebook Data Policy", as publicised by Facebook from time to time.
If you would not like Facebook to collect information about you via our site, you must log out of Facebook before visiting our site.
REVISION OF THIS NOTICE
Created on: 25/03/2019
Last updated on: 03/02/2020
HOW TO CONTACT US
If you have any questions or require any information about how we use of data or about this notice, please contact us
- via our email: firstname.lastname@example.org
- via post:
Mephisto SAS B.P 50060, 57401 SARREBOURG France