of the Fontwerk GmbH, Prenzlauer Allee 186, 10405 Berlin, Germany (“Fontwerk”)
The legal basis for data processing is for consents Art. 6 para. 1 a) and Art. 7 GDPR, for the performance of services and implementation of contractual obligations Art. 6 para. 1 b) GDPR, for the fulfillment of legal obligations Art. 6 para. 1 c) GDPR and for the protection of legitimate interests Art. 6 para. 1 f) GDPR.
I. Name and Contact Details of the Person in Charge
The person responsible for the processing of personal data within the meaning of Article 4 GDPR is:
Prenzlauer Allee 186
II. Nature of the Data Processed and Legal Basis
1. Server Log Files
Every time the server on which the website fontwerk.com is accessed, data, so-called server log files, are automatically collected. These server log files contain the IP address, the browser type, the date, time and duration of the visit, the URL of the access as well as a coded message as to whether the page view was successful or failed. Additional personal data, such as names or location data, are not recorded.
The legal basis for data processing is Art. 6 para. 1 b) and f) GDPR.
On this website, only those cookies are used that are absolutely necessary for the operation of the website and its functions, i.e. payment processing. These are the following cookies:
- Stripe; Stripe Inc, 510 Townsend Street, San Francisco, CA 94103, USA;
- __stripe_mid; Purpose: used for payment processing, fraud prevention and detection; Expiration after 1 year; Type: first party persistent cookie, essential
- __stripe_sid; payment processing, fraud prevention and detection; 30 minutes; first party persistent cookie, essential
- PayPal; PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg;
- X-PP-SILOVER; payment processing; 30 minutes; third party persistent cookie, essential
- X-PP-L7; payment processing; N/A; third party session cookie, essential
- tsrce; payment processing; 3 ddays; third party persistent cookie, essential
- ts; payment processing; 1 day; third party persistent cookie, essential
- LANG; payment processing, language detection; 8 hours; third party persistent cookie, essential
- _ga, _gcl_au, cookie_check, enforce_policy, ts_c; payment processing; 30 minutes; third party persistent cookies, essential
- nsid, x-pp-s; payment processing; N/A; third party session cookies, essential
If you have chosen to pay via Stripe, the payment details you enter will be passed on to Stripe. If you have chosen to pay via PayPal, the payment details you have entered will be passed on to PayPal.
You can set your browser to inform you when cookies are set and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or in general and to activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of our website may be limited.
The legal basis for data processing is art. 6 par. 1 a), b) and f) GDPR for cookies that are technically necessary for the operation of the website.
3. Contacting Us
If you contact us using the postal or email address provided on our website or via the company profiles in social media that we provide, we will process the personal data you provide - postal or email address, social media contact and your name and any additional contact information, if provided – for the purpose of responding to your request.
The legal basis for data processing is Art. 6 para. 1 a), b) and f) GDPR.
We offer a regular newsletter, which requires your email address to receive. Before the newsletter is sent, you must explicitly confirm that you wish to receive our newsletter in the so-called double opt-in procedure. Afterwards you will receive a confirmation and authorization email with a link. If you click on this link, you confirm that you want to receive the newsletter. This registration will be logged in order to prove the registration process legally.
You can cancel your subscription to the newsletter at any time. You will find the corresponding link in every newsletter sent. Alternatively, you can withdraw your consent by contacting us via email.
In order to be able to prove your registration in our email distribution list and to be able to defend yourself against possible accusations of unsolicited emails, the list provider stores the date of the entry in the list as well as the IP address under which the entry was made. Any use of the IP address beyond this does not take place.
The legal basis for the data processing is Art. 6 para. 1 a) GDPR.
5. Order Process
We collect and store personal data provided by you during the ordering process. This includes your email address and, if applicable, your company, your first and last name, your address/registered office, your EU-VAT-ID as well as the items in your shopping cart.
If you name a third person as a licensee, we will save the company, first name, surname and address/registered office you have given to us. In this case, please make this data protection declaration available to the third person.
The legal basis for data processing is Art. 6 para. 1 a) and 1 b) GDPR.
6. User Account
You have the possibility to create a user account (“Account”). We collect and store personal data provided by you in the course of setting up the user account. This includes your email address and, if applicable, your company, your first and last name and your address/registered office and your EU-VAT-ID.
The legal basis for the data processing is Art. 6 para. 1 a) GDPR.
III. Purpose of the Processing
Personal data is only collected, stored and processed to the extent necessary for the provision of the online offer, communication with the users, the provision of services, the execution of the contractual/business relationship as well as for the optimization of business processes and the design of our services in line with requirements.
We process your personal data only in strict compliance with data protection regulations. In particular, corresponding data will only be processed if a legal permission has been granted.
1. Server Log Files
We process the above-mentioned data in order to establish a smooth connection to our website. The processing is necessary to ensure the security and stability of the system and a comfortable use of our website. In addition, we use the log data for statistical evaluations, for the purpose of optimising processes and the security of the services.
We reserve the right to check the log data retrospectively if, based on concrete evidence, there is a suspicion of illegal use of the service provided.
The use of the necessary cookies mentioned under II. 2. makes it possible to process the payment of the fonts you have purchased through a third party provider, depending on the selected payment method.
3. Contacting Us
If you contact us via the postal or email address we provide or via our company profiles in social media, the processing of the contact data you use is essential in order to be able to answer your request. If data is processed in addition, such as name, address or similar, processing serves to individualize the respective user and thus to be able to respond to his/her request in the best possible way.
The newsletter serves the purpose of informing you about our offers and current developments. The collection of your email address is used to send you the newsletter. The collection of your IP-address and the date of registration on our email distribution list is solely for verification purposes.
5. Order Process
The processing of the data is necessary in order to process the purchase, in particular to enable the licensing of the products as well as for the provision of the order overview, the initiation of the payment processing, the invoicing and contact in case of queries regarding the processing.
6. User Account
The purpose of the user account is to store the data necessary for the fulfilment of the contract, so that these data do not have to be entered again for a new purchase. Already completed purchases and received invoices can be viewed in the user account. The creation of a user account is voluntary and serves to simplify the purchase process.
IV. Duration of Storage
Your data will be stored as long as it is necessary to fulfil the above mentioned purposes. As soon as this is no longer the case, e.g. after complete termination of the contractual/business relationship, they shall be deleted or blocked if and as long as commercial or tax law retention obligations require this (Art. 6 para. 1 p. 1 c) GDPR). From the point in time at which statutory storage obligations no longer conflict with this, the data shall be deleted, unless you have expressly consented to further use (Art. 6 Para. 1 p. 1 a) GDPR).
Server log files are finally deleted after 14 days.
V. Transfer of Data to Third Parties; Transfer to Third Countries
In principle, the data you provide will not be made available to third parties. In individual cases, however, it may be necessary to pass on your personal data to companies that are entrusted by us with the provision of individual services (e.g. web host, programmers, server solutions, cookie service providers, payment service providers) in order to execute the contract.
If, in the course of our processing, we disclose data to third parties, transfer it to them or otherwise grant them access to the data, this is only done on the basis of a legal permit, your consent, a legal obligation or our legitimate interests. If we commission third parties to process data on the basis of a so-called “contract processing agreement”, this is done on the basis of Art. 28 GDPR.
For their part, the third parties are obliged to comply with the statutory provisions when handling and processing this data.
It is possible that the registered office of a third party is located in a third country, i.e. in a country in which the GDPR has no direct legal effect. In this case, data will only be transferred if your consent has been obtained, if an appropriate level of data protection prevails or if another legal permission has been granted. US providers may operate under the Privacy Shield Agreement (EU-US data protection shield), which means that the provisions of the Privacy Shield Agreement are similar to the data protection level of the European Union and that the data will be treated accordingly.
Transmission to authorities and state institutions entitled to receive information is also possible, but will only take place within the scope of the statutory duties to provide information and in the event of a court ruling that makes this mandatory. In such cases, Fontwerk may provide the information, e.g., to assert, exercise and defend legal claims, enforce existing contracts, in connection with allegations of fraud, security measures or generally applicable legal regulations.
Personal data will not be passed on outside the scope described here without express consent.
Under no circumstances will Fontwerk sell or rent personal data to third parties.
VI. Third Party Services in the Operation of This Website
We would like to point out the following third-party providers whose services we use in the operation of our website:
- Stripe Inc, 510 Townsend Street, San Francisco, ca 94103, USA (“Stripe”)
- PayPal (Europe) S.a.r.l. et Cie, s.c.a., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”)
- BunnyCDN, Bunny Way d.o.o., Skofjeloska Cesta 13, 1215 Medvoe, Slovenia (“BunnyCDN”)
- Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany (“Newsletter2Go”)
- DigitalOcean ll.c, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA (“Digital Ocean”)
- MSISP, Malterstraße 28, 01159 Dresden, Germany (“MSISP”)
We expressly point out that we ourselves have no influence on the scope of the data that these companies collect. Therefore, with regard to data protection, we must rely on the data use guidelines of the respective companies, on which the following explanation is based.
If necessary, please inform yourself further about the purpose and scope of data collection as well as your rights and settings options to protect your privacy. The links to the data protection declarations have been provided here.
Digital Ocean and Stripe operate under the Privacy Shield Agreement (EU-US data protection shield), which means that the requirements of the Privacy Shield Agreement are similar to the data protection level of the European Union and that the data is treated accordingly.
In the following you will find information on the possible data protection implications of cooperation with the third party providers and further links.
Stripe is a software platform for online payment processing. We use Stripe to handle the payment processes when you purchase fonts via our webshop, if you have selected this option.
We have concluded an order processing contract with Stripe and fully implement the strict requirements of the German data protection authorities when using Stripe.
We use Paypal to process the payment transactions when you purchase fonts via our webshop, if you have selected this option.
We have concluded a contract with PayPal and fully implement the strict requirements of the German data protection authorities when using PayPal.
BunnyCDN is a content delivery network, i.e. a network of servers that helps us to make the delivery of image files faster and more secure.
We have concluded a contract with BunnyCDN and fully implement the strict requirements of the German data protection authorities when using BunnyCDN.
Newsletter2Go is an email marketing provider, which we use for sending the newsletter and other email communication.
We have concluded a contract with Newsletter2Go and fully implement the strict requirements of the German data protection authorities when using Newsletter2Go.
DigitalOcean is a cloud infrastructure provider that hosts our website.
We have concluded a contract with DigitalOcean and fully implement the strict requirements of the German data protection authorities when using DigitalOcean.
MSISP is our domain service provider. We use the MSISP server for our emails and for creating automatic backups of the website.
We have concluded a contract with MSISP and fully implement the strict requirements of the German data protection authorities when using MSISP.
VII. Online Presences; Company Profile in Social Media
Our company has online presences on various social media and platforms, namely Twitter, Instagram and LinkedIn. This makes it easier for interested parties to find our services, current developments and offers an additional channel of communication.
The purpose of the processing of user data by the respective social media and platforms is usually user-specific advertising, i.e. individualized advertising can be placed which corresponds to the presumed interests of the user or results from the user’s previous usage behavior. For this purpose, cookies are stored on the users’ end devices. These cookies can store the user behaviour and thus map the areas of interest.
It is possible that the headquarters of a social medium or platform is located in a third country, i.e. in a country in which GDPR has no direct legal effect. In this case, data will only be transferred if your consent has been obtained, if an appropriate level of data protection prevails or if another legal permission has been granted.
We would like to make it clear that users should contact the respective third party providers directly in the event of requests for information and/or the assertion of other rights of affected persons. These third parties have access and rights of access to the user data stored and processed there and can provide information and/or take measures accordingly. Should you contact us directly, we will try to support your request in the best possible way. However, since we have no access to the data stored by third parties, our options for action are limited.
Please inform yourself about the data processing principles of the respective companies by referring to the corresponding data protection declarations.
VIII. Rights of Data Subjects
As a person affected by the processing of personal data, you are entitled to the rights listed below. These rights result from the provisions of the basic data protection regulation and are reproduced here, in some cases in simplified form.
1. Right to Withdraw Consent
In accordance with Art. 7 Para. 3 GDPR, you have the right to revoke your consent to processing at any time. The lawfulness of the processing carried out on the basis of the consent until revocation shall not be affected. The right of revocation can be exercised by means of an informal declaration. A written declaration or, alternatively, an email to the above-mentioned contact address shall be sufficient.
2. Right of Information
In accordance with Art. 15 GDPR, you have the right to request confirmation from us as to whether personal data relating to you is being processed. If this is the case, you have the right to be informed about this personal data and the information mentioned in Art. 15 para. 1 GDPR. This includes, in particular, the purpose of the processing, the categories of data processed, the recipients to whom data have been or will be disclosed, as far as possible the planned duration of storage or the criteria for the duration of storage.
3. Right of Rectification
In accordance with Art. 16 GDPR, you have the right to demand that we immediately correct any incorrect personal data relating to you. In consideration of the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.
4. Right of Cancellation
In accordance with Art. 17 GDPR, you have the right to demand that personal data relating to you be deleted immediately. We shall be obliged to delete personal data immediately if one of the provisions of Art. 17 para. 1 GDPR applies. Such reasons include, for example, that the data is no longer necessary for the purposes for which it was collected or otherwise processed.
5. Right to Restrict Processing
In accordance with Art. 18 GDPR, you have the right to demand that we restrict processing if one of the conditions specified in Art. 18 GDPR applies. This includes, for example, that you dispute the accuracy of the personal data. In this case, we may only process the data to a limited extent for as long as it takes to verify the accuracy of the personal data.
6. Right to Data Transferability
In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided us with in a structured, common and machine-readable format. You have the right to transfer this data to another responsible party, i.e. another body which processes data, without hindrance, provided that the original processing was based on consent or was necessary for the performance of a contract.
7. Right of Objection
In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you, if such data is processed on the basis of Art. 6 Par. 1 e) or f) GDPR and there are reasons arising from your personal situation. An objection may be lodged at any time against the processing of data for the purpose of direct marketing. Personal data will then no longer be processed for this purpose. The right of objection can be exercised by means of an informal declaration. A written declaration or, alternatively, an email to the above-mentioned contact address is sufficient.
8. Automated Decision in Individual Cases Including Profiling
In accordance with Art. 22 GDPR, you have the right not to be subjected to a decision based solely on automated processing - including profiling – which has legal effect on you or significantly affects you in a similar manner. Art. 22 Para. 1 GDPR provides for exceptions to this, whereby Art. 22 Para. 4 GDPR again provides for partial exceptions.
9. Right to Appeal to a Supervisory Authority
In accordance with Art. 77 GDPR and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place where the alleged infringement is committed, if you consider that the processing of personal data relating to you is in breach of this Regulation.
In this case, the competent supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Phone: +49 30 13 889-0
Fax: +49 30 215-5050
IX. Technical and Organizational Measures
We take technical and organizational measures to ensure that the security and protection requirements of GDPR are fulfilled and that personal data is protected against loss, destruction, manipulation or access by unauthorized persons. The measures are always adapted to the current state of the art.
Status May 2020