A. General provisions on data processing
1. Subject of this Data Privacy Statement
We, CannaTrust GmbH, are very pleased that you are interested in our internet appearance at cannatrust.eu and our offers on our website.
The protection of your personal data is a very important concern to us. In the following, we would therefore like to inform you in depth about the data that are gathered while you visit our website and use the offers we present there, and on how the data is processed and used by us afterwards. In addition, we will also inform you about which accompanying protective measures we have taken in technical and organisational respects.
Personal data such as name, address, email address or phone number of a data subject is always processed in accordance with applicable legal data protection regulations. By means of this Data Privacy Statement, we would like to inform you about the kinds, scope and purpose of the personal data gathered, used and processed by us and about the extent to which you are affected by the data processing.
Even though we, as the data controller responsible for the processing of personal data, have implemented numerous technical and organisational measures, a data transmission via the internet can generally have security gaps, so that absolute protection cannot be guaranteed. Please take this into account when using our online offer.
This Data Privacy Statement uses terms that have been prescribed by the legislator in the General Data Protection Regulation (hereinafter also referred to as “GDPR”). You can retrieve the GDPR at the following link:
The purpose of our Data Privacy Statement is to inform you in a simple and understandable manner about the processing of your personal data on our website.
3. Name and address of the data controller
The data controller in the definition of data protection regulations is:
Phone: +49 30 – 403 674 100
4. Deletion and blocking of personal data/storage duration
Unless expressly defined otherwise for the respective processing of the personal data in Section B of this Data Privacy Statement, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion is not opposed by statutory retention obligations. If the data of the data subject are not deleted because they are required for other and legally permissible purposes, the processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, e.g., to data of the data subject that must be retained for reasons of commercial or tax law.
Pursuant to the legal requirements, the data is stored for six years in accordance with Sec. 257 (1) HGB [German Commercial Code] (account books, inventories, opening balances, annual financial statements, business letters, posting records, etc.) and for ten years in accordance with Sec. 147 (1) AO (books, records, management reports, posting records, commercial and business letters, etc.).
5. Rights of data subjects
5.1. Right to confirmation
Each person has the right granted by the legislator of European directives and regulations to obtain a confirmation from the data controller as to whether or not the personal data about them are being processed. If a data subject wants to exercise this right to confirmation, he/she can contact us for this purpose at any time.
5.2. Right to obtain information
Each data subject whose personal data is being processed has the right to obtain information free of charge at any time from the data controller as to the personal data that are stored about him or her and to receive a copy of this information. Furthermore, the data subjects have the right to be given the following information:
– the purposes of the processing;
– the categories of personal data that are processed;
– the recipients or categories of recipients to whom personal data has been disclosed or will be disclosed in the future; in particular, in the case of recipients in third countries or international organisations;
– if possible, the planned period in which the personal data is stored or, if this is not possible, the criteria for determining this period;
– the existence of a right to correction or erasure of the personal data or the right to restrict the processing by the data controller or a right to object to this processing;
– the existence of a right to lodge a complaint with a supervisory authority;
– if the personal data is not collected from the data subject: all available information on the origin of the data;
– the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject furthermore has a right to be informed as to whether personal data has been transmitted to a third country or an international organisation. If this is the case, the data subject additionally has the right to obtain information about the suitable guarantees relating to the transmission.
If a data subject wants to exercise this right to obtain information, he/she can contact us for this purpose at any time.
5.3 Right to correction
Each data subject whose personal data is being processed has the right to demand the immediate rectification of inaccurate personal data about him/her. Moreover, the data subject has the right, in consideration of the purposes of the processing, to demand the completion of incomplete personal data by means of a supplementary statement.
If a data subject wants to exercise this right to correction, he/she can contact us for this purpose at any time.
5.4 Right to erasure
Each data subject whose personal data is being processed has the right to demand that the personal data about him/her be erased immediately if one of the following reasons applies and provided that processing is not required:
– The personal data was collected or otherwise processed for purposes for which it is no longer needed.
– The data subject revokes his/her consent that served as the basis for the processing according to Art. 6 (1) lit. a) GDPR or Art. 9 (2) lit. a) GDPR and there is no other legal basis for the processing.
– The data subject raises an objection according to Art. 21 (1) GDPR against the processing and there are no overriding justified reasons for the processing, or the data subject objects to the processing according to Art. 21 (2) GDPR.
– The personal data has been processed unlawfully.
– The deletion of personal data is required to fulfil a legal obligation according to EU law or the laws of the Member States that apply to the data controller.
– The personal data has been collected with regard to offered services of the information society according to Art. 8 (1) GDPR.
If one of the aforementioned reasons applies and a data subject would like to initiate the erasure of personal data that is stored by CannaTrust GmbH, he/she can contact us for this purpose at any time. We will see to it that the request for erasure will be fulfilled without delay.
If personal data has been made publicly accessible by CannaTrust GmbH and if our company, as the data controller according to Art. 17 (1) GDPR is obligated to erase the personal data, CannaTrust GmbH will take appropriate measures, also such of a technical nature, in consideration of the available technology and implementation costs, to inform other data controllers, who process the published personal data, that the data subject has requested from these other data controllers that all links to this personal data be erased or that he/she has requested copies or replications of this personal data, provided that processing is not required. We will initiate the required steps in the individual case.
5.5 Right to restrict the processing
Each data subject whose personal data is being processed has the right to request the restriction of the processing from the data controller if one of the following conditions is given:
– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
– the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the assertion, exercise or defence of legal claims;
– the data subject has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned reasons applies and a data subject would like to demand the restriction of personal data that is stored by CannaTrust GmbH, he/she can contact us for this purpose at any time. We will then see to the restriction of the processing.
5.6 Right to data portability
Each data subject whose personal data is being processed has the right to receive the personal data concerning him or her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject furthermore has the right to transmit this data to another controller without hindrance from the data controller to which the personal data has been provided, provided that the processing is based on a consent pursuant to Art. 6 (1) lit. a) GDPR or Art. 9 (2) lit. a) GDPR or on a contract pursuant to Art. 6 (1) lit. b) GDPR and the processing is carried out by automated means, provided that the processing is not required for the fulfilment of a task that is in the public interest or in exercise of public power that has been delegated to the data controller.
In addition, the data subject has the right in the exercise of his/her right to data portability according to Art. 20 (1) GDPR to effect that the personal data is transmitted by a data controller to another data controller, insofar as this is technically practicable and no rights and freedoms of others are impaired thereby.
To assert the right to data portability, the data subject can contact us at any time.
5.7 Right to object
Each data subject whose personal data is being processed has the right to object at any time, for reasons arising from his/her particular situation, to the processing of their personal data based on Art. 6 (1) lit. e) or lit. f) GDPR. This also applies to profiling based on these provisions.
CannaTrust GmbH will then cease the processing of this personal data in the case of an objection, unless we can prove compelling reasons for the processing, which qualify for protection and which override the interests, rights and freedoms of the data subject, or if the processing serves the purpose of asserting, exercising or defending legal claims.
If CannaTrust GmbH processes personal data to engage in direct marketing, the data subject has the right to object at any time to the processing of personal data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject declares an objection to CannaTrust GmbH to the processing for direct marketing purposes, CannaTrust GmbH will no longer process the personal data for such purposes.
Furthermore, the data subject has the right, for reasons arising from his/her particular situation, to object to the processing of personal data relating to him/her, which is carried out at CannaTrust GmbH for scientific or historical research purposes or for statistical purposes according to Art. 89 (1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons that are in the public interest.
To exercise the right to object, the data subject can contact us directly at any time. The data subject additionally has discretion, notwithstanding Directive 2002/58/EC, to exercise his/her right to object with regard to the use of the services of the information society by means of automated procedures in which technical specifications are used.
5.8 Automated decisions in the individual case including profiling
Each data subject whose personal data is being processed has the right granted by the legislator of European directives and regulations not to be subject to a decision that is based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision
– is required for the conclusion or the fulfilment of a contract concluded between the data subjects and the data controller; or
– is permissible based on the legal regulations of the EU or the Member States that apply to the data controller and these legal regulations contain appropriate measures to protect the rights and freedoms, as well as the justified interests of the data subject; or
– is made with the explicit consent of the data subject.
If the decision
– is required for the conclusion or the fulfilment of a contract between the data subjects and the data controller; or
– is made with the explicit consent of the data subject,
CannaTrust GmbH will take appropriate measures to protect rights and freedoms, as well as the justified interests of the data subject to present own standpoints and to challenge the decision, including at least the right to effect that a person of the data controller intervenes.
If the data subject wants to exercise rights with regard to automated decision-making, he/she can contact us for this purpose at any time.
5.9 Right to revoke a consent according to data protection regulations
Each data subject whose personal data is being processed has the right to revoke a consent to the processing of personal data at any time.
If the data subject wants to exercise his/her right to revoke a consent, he/she can contact us for this purpose at any time.
Every data subject can contact us directly at any time for all questions and suggestions relating to data privacy.
5.10 Right to lodge a complaint with a data protection supervisory authority
Each data subject whose personal data is being processed has the right to lodge a complaint with a supervisory authority about our processing of his/her personal data.
6. Legal basis for the processing
Unless the description of the respective data processing activity in the following Section B of this Data Privacy Statement states otherwise, the following provisions apply.
Art. 6 (1) lit. a) GDPR serves as the legal basis for CannaTrust GmbH to implement processing actions for which a consent for a certain purpose of processing must be obtained. If the processing of personal data is required for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 (1) lit. b) GDPR. The same applies to processing actions that are required to conduct pre-contractual measures, for example, in cases of queries about our services or products. If CannaTrust GmbH is subject to a legal obligation requiring the processing of personal data, the processing is based on Art. 6 (1) lit. c) GDPR. In rare cases, the processing of personal data may become necessary to protect vital interests of the data subject or another natural person. In that case, the processing is based on Art. 6 (1) lit. d) GDPR. Ultimately, processing activities could be based on Art. 6 (1) lit. f) GDPR. This legal provision serves as the basis for processing activities, which are not covered by any of the previously mentioned legal basis when the processing is required to protect a justified interest of CannaTrust GmbH or of a third party, provided that there are no overriding interests, fundamental rights and freedoms of the data subject. Such processing activities are permitted to us in particular because they have been mentioned separately by the European legislature (cf. recital 47 sent. 2 GDPR).
7. Consideration of legitimate interests
Unless provided otherwise in the description of the respective data processing activity in Section B of this Data Privacy Statement and provided that the processing of personal data is based on Art. 6 (1) lit. f) GDPR, our legitimate interest is the exercise of our business activity and the related economic interest.
8. Data protection in the use of our contact details
Where contact details are stated on our website (e.g. our email address) for the purposes of contacting us, the personal data transferred by you in the process will be used exclusively for the purpose pursued by contacting us.
If the reason for your contacting us is an interest in our services or products or in the fulfilment of a contract concluded with us, the legal basis is Art. 6 (1) lit. b) GDPR. In all other cases of contact, we have a legitimate interest according to Art. 6 (1) lit. f) GDPR in the data processing based on the communication initiated by you.
The data required for the execution of the contract will be stored until expiration of warranty periods under the law and, if applicable, under the contract. We store the data required pursuant to commercial and tax law for the legally prescribed periods, which are regularly ten years (cf. Sec. 257 HGB, Sec. 147 AO). The data processed for the execution of pre-contractual measures will be deleted, as soon as the measures have been carried out and it is expected that no contract will be concluded.
The personal data stored by us based on a legitimate interest will be stored until the purpose pursued by contacting us is reached. You have the right to object at any time, for reasons arising from your particular situation, to the data processing, which takes place on the basis of Art. 6 (1) lit. f) GDPR and does not serve the purpose of direct marketing. In the event of direct marketing, in contrast, you can object to the processing at any time without a statement of reasons.
Recipients of the personal data processed pursuant to this provision are IT service providers (in particular, hosting providers) with which we have concluded a corresponding data processing agreement according to Art. 28 GDPR.
9. Data protection for job applications and application procedures
We gather and process personal data of job applicants for the purpose of carrying out the application procedure and, therefore, for reason of pre-contractual measure in the definition of Art. 6 (1) lit. b) GDPR and, respectively, based on our legitimate interest according to Art. 6 (1) lit. f) GDPR in hiring employees.
The processing can also be implemented electronically, e.g. if an applicant sends us corresponding application documents via electronic channels, e.g. email or our contact form. If we conclude an employment contract with an applicant, the transmitted data will be stored for the purposes of processing the employment contract in observation of the legal regulations. If no employment contract is concluded by the data controller with the applicant, the application documents will be deleted two months after the announcement of the decision to decline, provided that no other legitimate interests of the data controller are opposed to the deletion. Other justified interest in this sense is, for example, the burden of proof in proceedings pursuant to the General Equal Treatment Act (AGG).
Due to the digitalised recording of the received applications, the recipients of the processed data are our IT service providers (in particular, hosting providers), with which we have concluded a corresponding data processing agreement according to Art. 28 GDPR.
10. Changes to this Data Privacy Statement
CannaTrust GmbH reserves the right to change this Data Privacy Statement at any time with effect for the future. Its respectively current version is available on the website. Please visit the website regularly and be informed of the applicable Data Privacy Statement.
B. Special provisions on data processing on our website
1. Gathering and use of your data
The scope and kind of the gathering and use of your data differs depending on whether you visit our online appearance solely to retrieve information or if you use services offered by us, e.g. conclude a contract via the website and perhaps register.
2. Use for information/Data gathered/Cookies
(1) When using the website for information only, meaning when you do not, e.g. place orders via our website or otherwise transfer data to us, we will gather only the personal data that your browser transmits to our server. When you want to view our website, we gather the following data, which is required by us for technical reasons, in order to display our website to you and assure stability and security (the legal basis is Art. 6 (1) sent. 1, lit. f) GDPR):
- IP address
- Date and time of the retrieval
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the retrieval (concrete page)
- Access status/HTTP status code
- Respectively transferred data volume
- Referrer website
- Operating system and its interface
- Language and version of the browser software
(2) The data processed pursuant to para. 1 will be stored for the named purposes for the max. period of 30 days and then be deleted.
(3) Besides the aforementioned data, cookies are stored on your computer when you use our website. This is done based on our legitimate interest according to Art. 6 (1) lit. f) GDPR in the optimisation and efficient operation of our online offer. Cookies are small text files that are stored on your hard drive as attributed to the browser you use, and through which the people setting the cookie (in this case, we) receive certain information. Cookies cannot execute any programs or infect your computer with viruses. They instead serve to make the online offer overall more user-friendly and more effective.
a) Our website uses the following kinds of cookies the scope and function of which is described in the following:
– Temporary cookies (see under b))
– Permanent cookies (see under c))
b) Temporary cookies are deleted automatically when you close the browser. This includes in particular, the session cookies. They store a so-called session ID by means of which various requests of your browser can be attributed to the joint session. Your computer can thereby be recognised again when you return to our website. Session cookies are deleted automatically when you log out or close the browser.
c) Permanent cookies are deleted automatically after a prescribed period, which can differ depending on the cookie and be several years. You can delete the cookies at any time by means of the security settings of your browser.
d) You can configure your browser settings according to your wishes and e.g. refuse the acceptance of third-party cookies or all cookies. We inform you that, if you do so, you might not be able to use all features of this website.
f) The flash cookies used are not gathered by your browser but by your flash plug-in. Furthermore, we use HTML5 storage objects that are stored on your end device. These objects store the required data, irrespective of the browser you use and they do not have an automatic expiration date. If you do not want flash cookies to be processed, you have to install a corresponding add-on, e.g. “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage by using your browser in the privacy mode. We also recommend that you regularly delete your cookies and the browser history manually.
(5) Recipients of the personal data processed pursuant to the foregoing paragraphs are IT service providers (in particular, hosting providers) with which we have concluded a corresponding data processing agreement according to Art. 28 GDPR.
3. Google Analytics (with anonymisation feature)
Google is certified under the Privacy Shield Agreement and it thereby offers a guarantee that the European data protection laws are observed (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the extension “_gat._anonymizeIp” for the web analysis via “Google Analytics”. By means of the extension, the IP address of the data subject’s internet connection is truncated and anonymised by Google if our webpages are accessed from a Member State of the European Union or another signatory state to the Treaty on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor traffic on our website. Google uses the gathered data and information also to analyse the usage of our website, to compile online reports for us that indicate the activities on our webpages, and to perform further services relating to the use of our website.
Google Analytics uses a cookie on the data subject’s end device. Setting the cookie enables Google to analyse the usage of our website. On each retrieval of one of the individual pages of our website on which a Google Analytics component has been integrated, the web browser on the data subject’s end device is prompted automatically by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. Within the scope of this technical procedure, Google will obtain knowledge of personal data, such as the data subject’s IP address, which is used by Google to determine the origin of the visitors and the clicks, and to issue invoices for commission fees in subsequence.
By means of the cookie, personal data such as the time of the access, the place from which an access was made and the frequency of the data subject’s visits to our website is stored. On each visit to our webpages, this personal data including the IP address of the internet connection used by the data subject is transmitted to Google Inc. in the USA. These personal data will probably be stored permanently by Google Inc. in the USA. Google Inc. might transmit the personal data gathered in this technical procedure to third parties.
The data subject can prevent at any time that cookies are set by our website by means of a corresponding adjustment in settings of the web browser that he/she uses and can thereby object permanently to the setting of cookies. Such a setting in the web browser that is used would also prevent that Google sets a cookie on the data subject’s information technology system. A cookie already set by Google Analytics can be deleted at any time via the web browser or other software programs.
More information and the applicable data privacy policies of Google can be found at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html.
Google Analytics is explained in more depth at this link https://www.google.com/intl/de_de/analytics/.
4. Use of services on our website
However, if you wish to use the functions offered on our website, it is necessary for you to provide additional personal data. Details can be found in the following regulations.
4.1 Data processing for the purpose of concluding the contract of use
(2) If you use our Internet portal, we store your data required for the performance of the contract on the legal basis of Art. 6 para. 1 lit. b GDPR, including details of the method of payment, until you finally delete your access. Failure to provide personal data would mean that the contract with you could not be concluded or performed.
(4) Recipients of personal data processed in accordance with this regulation are payment service providers, dispatch service providers and IT service providers (in particular hosting), with whom we have concluded corresponding order processing agreements in accordance with Art. 28 GDPR.
(5) We store the data required for the execution of the contract until the expiry of the statutory warranty and, if applicable, contractual warranty periods. We store the data required under commercial and tax law for the legally specified periods, regularly ten years (cf. § 257 HGB, § 147 AO). The data processed for the implementation of pre-contractual measures will be deleted as soon as the measures have been carried out and it is evident that the contract will not be concluded. All other personal data can be deleted by you at any time via your customer account.
4.2. Use of single sign-on procedures
(1) Facebook Connect
On our website, you can log in to create a customer account or to register by means of the social plugin “Facebook Connect” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (“Facebook”), using the so-called single sign-on technique, provided that you have a Facebook profile. You can recognise the “Facebook Connect” social plugins on our website by the blue button with the Facebook logo and the label “Mit Facebook anmelden”, “Connect with Facebook”, “Log in with Facebook” or “Sign in with Facebook”.
When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there. These data processing operations are carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of Facebook’s legitimate interest in the display of personalised advertising based on surfing behaviour.
By using this “Facebook Connect” button on our website, you also have the possibility to log in or register on our website using your Facebook user data. Only if you give your express consent in accordance with Art. 6 para. 1 lit. a GDPR prior to the registration process on the basis of a corresponding note on the exchange of data with Facebook, will we receive the general and publicly accessible information stored in your profile when you use the “Facebook Connect” button from Facebook, depending on your personal data protection settings on Facebook. This information includes the user ID, name, profile picture, age and gender.
The consent given can be revoked at any time by sending a message to the person responsible named at the beginning of this declaration.
Facebook Inc., with headquarters in the USA, is certified for the US-European data protection agreement “Privacy Shield”, which guarantees compliance with the data protection level applicable in the EU.
For the purpose and scope of data collection and the further processing and use of the data by Facebook, as well as your rights and setting options for protecting your privacy, please refer to the Facebook data protection information: http://www.facebook.com/policy.php
If you do not want Facebook to assign the data collected via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. You can also completely prevent the loading of the Facebook plugins with add-ons for your browser, e.g. with “Adblock Plus” (https://adblockplus.org/de/).
4.3 Contact Form
(1) When voluntarily using our contact forms, you will be asked to provide your first name, surname, e-mail address and the reason for your enquiry/contact (message). Mandatory information for your inquiry is your e-mail address. The information is collected and stored exclusively for the purpose of answering your inquiry.
(2) When you register, we store the IP address you use and the time of registration. The purpose of this procedure is to be able to prove your request and, if necessary, to clarify a possible misuse of your personal data.
(3) The legal basis for the processing of your personal data is the consent expressly granted by you in accordance with Art. 6 para. 1 lit. a GDPR as well as our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR in answering your enquiry about our services or offers and proof of possible misuse of the e-mail address used for this purpose.
(4) After your confirmation, we will store the information provided by you via the contact form until the purpose of your inquiry has been fulfilled. We will store any further personal data stored in accordance with paragraph 2 for a maximum of one month after receipt of the confirmation.
(5) Recipients of the data processed according to this regulation are IT service providers (in particular hosters) with whom we have concluded corresponding order processing agreements in accordance with Art. 28 GDPR.
No “social plugins” are used on our website. We only provide links to such services. Please refer to the relevant data protection information of the respective service for information on the processing of your personal data.
6. Security measures
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that data protection regulations are observed and to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security measures include in particular the encrypted transmission of data between your browser and our server using SSL encryption.