1. What personal data do we collect from you?
Personal data is any information about a specific or identifiable natural person that you communicate to us and that is generated or collected by us. This includes:
Registration data: You can register your product with us. When you open an online customer account with us, you can permanently store your name, postal address, email address, telephone/mobile number (optional) and country there.
Order data: When you order items from our online shop or by telephone, the content data entered by you and about you is processed (such as the information from your order, delivery and billing address, telephone number, email address, payment methods, delivery arrangements, order information, and in the case of professional consumers also the company name and SAP customer number). In the online shop we also collect information about the time, scope and, if applicable, the location of your order.
Other content data: When you use other services or functions on our website, such as when using forms, competitions or when you register to receive newsletters, content data entered by you and about you is processed, together with the information you provide.
Usage data: We set up usage profiles about your use of our website using a pseudonym, which we use to track how our website is used. In addition, your click behaviour when you receive newsletters is evaluated and stored in user profiles; this data is not combined with the pseudonymised usage profiles described in the sentence above or with your customer account.
Server log data: When you use our websites, data (such as the date and time of your visit, the pages visited and data files requested, the type and version of the web browser you use, the type and operating system of the end device you use as well as your IP address) is temporarily saved in a protocol file.
2. For what purpose, on what legal basis and how long do we process your personal data?
2.1 Product registration / Customer account
If you register the product you have purchased, then we collect and use your data in order to record the benefits granted to you with product registration (e.g. extended guarantee, shipment of spare parts).
When you also register for a personal customer account, we process the registration data to set up and manage your customer account and to process future orders. As a registered customer you have access to your personal online customer account (via your email address and a password chosen by you) in which you can view your order history as well as store and amend your personal settings (e.g. setting for the password, newsletter, billing and delivery).
The legal basis for the processing is our legitimate interest under Art. 6, para. 1 (f) of the GDPR to provide the service “Product registration” described above or “Customer account” for you, or perform a user contract with you (Art. 6, para. 1 (b) of the GDPR).
You can also object to the processing of your data on the basis of Art. 6, para. 1 (f) of the GDPR (under Art. 21, para. 1 of the GDPR). In principle. we may then demonstrate compelling legitimate grounds for the processing in order to continue it. We will not do so for the use of a customer account, however, and the following applies: The customer account must then be deleted and is no longer available to you.
This data is deleted if the registration on our website is cancelled or modified, or if the customer account is terminated. If it is not possible to delete it for legal reasons, the data concerned is then blocked instead. Please note that we may store the data about the orders that can be viewed in your customer account for a longer period (see 2.2).
2.2 Your orders
We process your order data for the processing of your order and for the delivery of the items ordered.
The legal basis for the processing is the conclusion and fulfilment of the purchase contract for the items ordered, Art. 6, para. 1 (b) of the GDPR.
This data is deleted if it is no longer required for performance of the contract (including customer service and warranties), unless we are obliged to store it by law, e.g. due to duties of retention under commercial or tax law.
2.3 Your enquiries
When you contact us with an enquiry using a contact form, by email or a service telephone, we process the information you provided therein to answer you enquiry and, when you use the online contact form the IP address and date/time of the enquiry, to prevent the misuse of the contact form.
The legal basis for processing is our legitimate interest under Art. 6, para. 1 (f) of the GDPR to provide you with the “Enquiries” service described above. If the intention of your enquiry is to initiate or process a contract (including customer service and warranties), the additional legal basis for processing is Art. 6, para. 1 (b) of the GDPR.
You can object to the processing of your data based on Art. 6, para. 1 (f) of the GDPR. If we demonstrate compelling legitimate grounds for the processing, we may then continue it. In this case, this may be required in particular in order to be able to prove past communications and enquiries with you. If there are no such compelling legitimate grounds, then we will cease communication with you and delete any data already collected.
This data is deleted when our communication with you ends, i.e. the relevant facts have been clarified and there are no further legitimate interests for storing the data, or there are no further statutory obligations to store it.
2.4 Live chat
BRITA GmbH uses a live chat service from the company Userlike UG, Probsteigasse 44-46, 50670 Cologne, Germany. Userlike uses “cookies” (text files) that are stored on your computer and enable a personal conversation with our staff in the form of a real-time chat with you on the website. When you start the live chat, we process the information you provide in it (e.g. your first name, surname and email address) to answer your enquiry, together with your IP address, the URL of the website you visited previously and the date/time of access in order to prevent misuse. If you request a chat transcript at the end of the chat or if you ask us to contact you via email in the context of the chat, we will respond to the email address you enter within the chat widget.
Depending on the course of the conversation with our staff, additional personal data may occur in the chat, entered by you. The nature of this data is very much dependent on your enquiry or the problem that you describe to us. At the end of the chat, we ask you for your satisfaction with the chat service for statistical reasons.
The legal basis for processing is our legitimate interest under Art. 6 (1) f) GDPR to provide you with the “live chat” service described above. If the intention of your enquiry is to initiate or process a contract (including customer service and warranties), the additional legal basis for processing is Art. 6 (1) b) GDPR.The legal basis for processing the satisfaction survey regarding the chat service is our legitimate interest under Art. 6 para. (1) f) GDPR.
You can object to the processing of your data based on Art. 6 (1) f) GDPR. If there is evidence of compelling reasons for processing, we may then continue to process your data. In this case, this may be required in particular in order to be able to prove past communications and enquiries with you. If there are no such compelling reasons, then we will end the communication with you and delete any data already collected.
Unless you have made different cookie settings in your browser, this data is deleted after one year, providing there are no further legitimate interests in retaining it or there are no further statutory duties of retention. The purpose of the retention period of one year is to save you having to provide extensive details about the history of your enquiry. It also contributes to the continuous quality control for our live chat service and the security of our IT systems. If you do not wish your data to be stored longer than the period of the chat session, you can inform us using the contact details given below. We will then delete any stored live chats immediately.
2.5 Taking part in competitions
If you enter one of our competitions, then we use your details in order to carry out the competition, in particular also to inform entrants about a win and, where applicable, send a prize.
The legal basis for processing is your consent given when entering the competition (Art. 6, para. 1 (a) of the GDPR). Your data is deleted when the respective competition ends and the prizes are distributed. Any further use of your data for other purposes, e.g. advertising only occurs if you have given your explicit consent for this.
2.6 Advertising and product development (usage data, newsletters etc.), right of objection
We would also like to use your personal data and/or any anonymous statistical information created from it in order to inform you about our products and services with regard to water dispensers, water filters and accessories (“BRITA Products and Services”), and to send you offers and special promotions (advertising), or to improve our offers and services (product improvements, customer analyses).
2.6.1 Anonymised usage data
Here we use anonymised or aggregated data obtained using analytical tools to track the surfing behaviour of every visitor and thereby improve the design of our website and our range of products in general. You can find details about these analytical tools in section 4.
2.6.2 Direct marketing
You can subscribe to a free newsletter on our website. Here the data collected at registration is processed (the data shown as compulsory fields is absolutely essential to receive the newsletters; data identified as voluntary is only used to make contact with you more personal and for the selection of the information displayed).
We will contact you by email or messenger service with information, offers and beneficial promotions for BRITA products and services customised to you personally and your interests or use based on your respective express consent, or – if you buy similar items or services from us and store your email address in so doing – also without any separate consent.
We will only contact you by telephone with information, offers and beneficial promotions for BRITA products and services customised to you personally and your interests or use with your explicit consent. We also inform our professional consumers (BRITA professionals) by phone about our BRITA products and services if we can legitimately presume their consent to this.
We will also contact you by written advertising sent by post without consent where necessary in the extent permissible by law for our services.
You can also send us some of your information voluntarily within the scope of lead ads (request forms, such as on Facebook, Instagram or LinkedIn).
You may object in full or in part at any time to the creation of pseudonymised data, the use of your personal data for purposes of advertising and product development, and to being contacted in a specific form as a result, or where applicable, withdraw any consent given. Please use the relevant functions provided for you (e.g. the unsubscribe function in your personal customer account) or send a communication to that effect in writing (keyword: data protection) or by email to the contact addresses stated under section 8.
The legal basis for processing is your consent (Art. 6, para. 1 (a) of the GDPR) and our legitimate interests (Art. 6, para. 1 (f) of the GDPR), where applicable in conjunction with Section 7, para. 3 of the Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb - UWG).
We will delete this data following your objection or the withdrawal of any consents given or otherwise no later than the end of its use, or we will only store it in aggregated, anonymised form. Where necessary, we will store the fact of your objection to prevent you from being contacted again.
2.7 For the provision of the website and performance of the services
The processing of server log data is necessary for the provision of the websites and the performance of services for technical reasons and subsequently to ensure system security.
The legal basis for processing is our legitimate interest in providing the website with our services (Art. 6, para. 1 (f) of the GDPR). Processing is absolutely essential for the use of the website for technical reasons and subsequently to ensure system security; there is therefore no right of objection.
This data is deleted after no more than 30 days.
The server log data is subsequently analysed on an anonymous basis, where necessary for statistical purposes, and to improve the quality of our Internet presence. The server log data is not linked in any way to your personal data or with other sources of personal data.
2.8 Your product review
If you rate our products on the platform of our external service provider Bazaarvoice Inc., we process the information you provide there (e-mail address, name) for evaluation of the reviews as well as the IP address and date / time of the evaluation to avoid abuse of the review service.
The legal basis for the processing is your consent given in the submission of the review, Art. 6, para. 1 (f) of the GDPR.
Your data will be deleted when it is no longer required or when you revoke your consent to your data being stored.
3. Sharing of data
3.1 Sharing of data with data processing companies
We sometimes use service providers, subject to compliance with the statutory requirements, by means of commissioned processing, i.e. based on a contract on our behalf, according to our instructions and under our control.
In particular, data processing companies are
- technical service providers that we use to provide the website, e.g. service providers for software maintenance, data centre operations and hosting;
- technical service providers that we use to provide functionalities, e.g. technically essential cookies;
- service providers that carry out order processing for us;
- service providers for the practical implementation of advertising and marketing, e.g. call centres for telephone contact, printers and letter shops for shipment by post (also including the shipment of analytical test-strips for water hardness), service providers for sending emails.
In such cases, we remain responsible for the data processing; the sharing and processing of personal data to and from our data processing companies is based on the relevant legal basis that permits us to process data. A separate legal basis is not required.
3.2 Data transmission to third parties
3.2.1 Payment service providers
In order to process your orders, we share payment information with payment service providers that carry out the payments processes associated with the orders. These particularly include PayPal, PayOn and Elavon. The legal basis for sharing the data is performance of the contract with you, Art. 6, para. 1 (b) of the GDPR.
3.2.2 Other service providers within the BRITA Group
Some accounts are managed for accounting purposes by companies affiliated to BRITA GmbH (BRITA Group companies) as defined in Section 15 of the German Stock Corporation Act (Aktiengesetz - AktG). The legal basis for sharing data is our legitimate interest in sharing customer data within a corporate group for administrative purposes, Art. 6, para. 1 (f) of the GDPR.
3.2.3 Local sales companies
When you send us an enquiry, we may transfer your contact data to a BRITA Group company based in your country or a distributor appointed to sell our products for us if they are better able to help you with your concerns based on the actual circumstances (e.g. language knowledge, specialisation in a specific product). The legal basis for the data transfer is our legitimate interest in making our sales process as efficient as possible for the benefit of the customer, Art. 6 (1) f) GDPR.
3.2.4 Logistics companies
We share your address with logistics service providers for shipment purposes. The legal basis for processing is the conclusion and fulfilment of the purchase contract for the items ordered, Art. 6, para. 1 (b) of the GDPR.
4. Cookies and web analysis
4.1 What are cookies?
To make our website as user-friendly as possible and to increase the relevance of our advertising for visitors to our website, we and our partners use so-called “cookies”. Cookies are small data files that are placed on the visitor's device. They allow us to provide information over a certain period and identify the visitor's computer. This also takes place in part by using so-called tracking pixels that are not placed on a visitor's hard drive, but may be helpful in identifying the computer in the same way as with a cookie. The term “cookie” below includes both cookies in the technical sense as well as tracking pixels and similar technical methods.
4.2 What cookies do we use?
On this website we use different categories of cookies: Technically essential cookies, without which the functionality of our website would be limited, and additionally optional analytical, functional or marketing cookies that generally originate from third-party providers:
- Technically essential cookies
The legal basis for the use of the technically necessary cookies and the processing of your data by these cookies is our legitimate interest in displaying the functions of our website and making them available to you for use, Art. 6 (1) lit. f GDPR.
- Analytical cookies
Analytical cookies collect information about how visitors use a website overall, for example which pages they access most often and whether they receive error messages from websites. These cookies do not collect data that could identify their visitors. Data collected with these cookies is not combined with other information about our visitors. All information collected with the help of these cookies is used exclusively to understand and improve the functionality and service on the website.
The legal basis for the use of analysis cookies and the processing of your data by the providers of these cookies is your prior consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time in the cookie settings, which you can access using the link at the bottom of the website.
- Functional cookies
We use functional cookies to improve the performance on the website for you. Furthermore, in order to carefully ensure data security when transferring forms, in certain cases we use security cookies as the reCAPTCHA service from the company Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
This serves primarily to differentiate between human entries, or improper usage by machines and automated processing - so-called bots.
The legal basis for the use of functional cookies and the processing of your data by the providers of these cookies is your prior consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time in the cookie settings, which you can access using the link at the bottom of the website.
- Marketing cookies
Marketing cookies are used to tailor advertising to you and your interests in a more targeted manner. They are used to limit how often you get to see the same advert, to measure the efficacy of an advertising campaign and to understand people's behaviour after they have seen an advert. These cookies are generally placed on their pages by advertising networks with the consent of the website operator (i.e. in this case ours). They recognise that a user has visited a website and pass this information on to others, e.g. advertising companies, or adapt their advertising themselves accordingly. They are often linked to a website function provided by that company. We therefore use these cookies to create a link to social networks. These can then reuse the information about your visit to customise the advertising on other websites specifically to you and provide the information about your visit to the advertising networks we use, so that the advertising that potentially really interests you can be presented to you later precisely based on your browsing behaviour. Even in these cases, we do not combine the data collected using these cookies with other information about our visitors.
Furthermore, we use phone call conversion tracking to identify and measure calls from our website (including the mobile website) and from our call-only ads or call extensions used in our ads. In this context, the telephone numbers provided on our (mobile) website or in our ads may be so-called call tracking numbers. When such a call tracking number is called, information about the start time, end time, status (missed or received), duration, caller area code and call type is collected. In no case the storage of call contents takes place. Also, we do not combine the data with other information about the caller. We use the data exclusively for the purpose of determining the number of calls per online marketing channel to measure the efficacy of an advertising campaign. They will not be used for any other purpose and will not be passed on to third parties.
The legal basis for the use of marketing cookies and the processing of your data by the providers of these cookies is your prior consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time in the cookie settings, which you can access using the link at the bottom of the website.
List of the analysis, functional and marketing cookies
You can access the list of cookies we use and the providers who receive personal data from you using the cookies here. There you will find further information on the individual providers and cookies.
If you would like to receive further information about these cookies from us instead, please contact us by email at: firstname.lastname@example.org.
4.3 How can I give or withdraw my consent to cookies?
If you are visiting our website for the first time, the data protection notice with the consent text in optional cookies will be displayed on the initial page. By clicking on the individual categories (analysis, security and targeting and advertising cookies) and then confirming by clicking "Accept", you agree to the setting of these cookies. You can adjust and change these settings at any time in the cookie settings, which you can access by clicking on the link at the bottom of the website.
We use links to our other Internet presences on third-party websites and services, e.g. on social media channels such as Facebook, Twitter or YouTube. These third parties are solely responsible for data processing by such other service providers on their websites; their respective privacy policies apply.
We and our service providers take technical and organisational security precautions in order to safeguard your personal data managed by us against accidental or intentional manipulation, loss and destruction, or against access by unauthorised persons. Our data processing systems and security measures are constantly being improved to meet the latest technical developments.
When your personal data is transmitted to us, encryption takes place via a Secure Socket Layer (SSL). Personal data that is exchanged between you and us or another company of the BRITA Group is transmitted via encrypted connections that conform to the current state of technology.
Of course, our employees and the service providers that we engage are committed to confidentiality.
7. Your rights to information, rectification, blocking or deletion
In principle, every natural person whose personal data we process has the following rights in relation to us (i.e. depending on the relevant conditions):
- If you have any questions on the processing of your personal data by BRITA GmbH, we will be happy to provide you with information about personal data stored about you at any time free of charge (Art. 15 of the GDPR).
- You have a right to the rectification of incorrect data and to have incomplete data completed (Art. 16 of the GDPR).
- You have a right to the blocking / restriction of processing or to the deletion of your personal data that is no longer required or that is stored based on legal obligations (Art. 17, 18 of the GDPR).
- You have a right to the portability of your data in a structured, commonly used and machine-readable format, if you have provided the data to us based on a consent or a contract between you and us (Art. 20 GDPR).
- You have a right to object to the processing of your data for direct marketing at any time (cf. also section 2.5, Art. 21 para. 2 and 3 of the GDPR).
- You have a right to object due to processing based on a legitimate interest; in this case, we may demonstrate our compelling legitimate grounds (Art. 21, para. 1 of the GDPR). We have referred above to when this right exists (see section 2).
- If you have given your consent to data processing, then you can withdraw this at any time with future effect, i.e. the lawfulness of the data processing remains unaffected up to the time of withdrawal. Once you have withdrawn your consent, you may not be able to use our services any longer.
Please contact the address stated under section 8 with your concerns. We reserve the right to verify your identity in order to prevent your personal data from being disclosed to unauthorised persons.
You also have the right to submit a complaint to a supervisory authority for data protection.
8. Data Protection Officer
You can reach our Data Protection Officer at the address below:
Version dated May 2020