Privacy policy
Welcome to the KOSMOS website. Data protection and the protection of your personal rights are very important to us. On this page, we would like to inform you which data KOSMOS processes and for what purposes. If you have any questions or comments regarding this Privacy Notice, please feel free to contact us.
Contents
1. Foreword and Selected Definitions
2. Controller and Data Protection Officer
3. Overview
4. Legal Bases for the Processing of Personal Data
5. Your Rights under the General Data Protection Regulation
6. External Hosting & Shop System
7. Automatic Server Log Files
8. Use of Cookies and Cookie-Like Technologies
9. Consent Management with Usercentrics
10. Forms, E-Mail Communication, Telephone and Fax
11. Zendesk Ticket System and Customer Service
12. Use of the Online Shop
13. Spare Parts Service
14. Personalisation of Content, Customer Interest Analysis and Customer Data Platform (CDP)
15. Analytics Tools, Tracking and Advertising
16. Plugins and Content Delivery Networks
17. Direct Marketing and Newsletter
18. Information for Applicants
19. Online Meetings and Video Conferences with Zoom
20. Webinars and Online Courses
21. Participation in Our Prize Draws
22. Social Media Presences
23. Supplementary Privacy Information for Our Business Partners
24. Privacy Notices for Our Apps
1. Foreword and Selected Definitions
This Privacy Notice informs visitors and users of our online presence about the online processing activities in which personal data are processed. In addition, you will receive information about our processing activities that do not primarily take place online.
GDPR is the abbreviation for the European General Data Protection Regulation.
BDSG is the abbreviation for the German Federal Data Protection Act in its current version.
Personal data means all individual information that allows conclusions to be drawn about a natural person (see the definition in Art. 4(1) GDPR). This includes, for example, names, e-mail addresses and telephone numbers, but also data such as IP addresses or customer numbers.
The processing of personal data includes all operations, for example the collection, storage, transmission, archiving or deletion of personal data (definition in Art. 4(2) GDPR).
The data subject within the meaning of data protection law is any natural person whose personal data are processed.
Further definitions can be taken from the General Data Protection Regulation; these can mainly be found in Art. 4 GDPR (definitions).
2. Controller and Data Protection Officer
Joint Controllers
The website and the KOSMOS online shop are operated under joint controllership within the meaning of Art. 26 GDPR. The joint controllers are:
Franckh-Kosmos Verlags-GmbH & Co. KG
Pfizerstraße 5–7
70184 Stuttgart
Germany
Telephone: +49(0)711/2191-0
E-mail: info@kosmos.de
Responsible for editorial content, management of IT, receipt of game ideas, dispatch of review copies, press distribution list, applicant management, accounting, financial administration and KOSMOS Apps.
Kosmos & You GmbH
Pfizerstraße 5–7
D-70184 Stuttgart
Germany
Telephone: +49 (0)711 / 25 29 58 70
E-mail: kontakt@kosmos.de
Responsible for operating the online store, managing user accounts, customer service, processing sales contracts, handling returns, the KOSMOS newsletter, analytics and tracking, and plugins.
Company Data Protection Officer
DSB Externer Datenschutzbeauftragter Stuttgart
Fabian Henkel
Diplom-Betriebswirt (FH)
Certified Data Protection Officer
Telephone: +49(0)176 32744172
E-mail: info@externer-datenschutzbeauftragter-stuttgart.de
Website: https://www.externer-datenschutzbeauftragter-stuttgart.de
3. Overview
The following content gives you a brief overview of the processing of personal data; more detailed information can be found in the respective detailed sections.
Security on Our Website
Data transmission processes to our website are encrypted using a current TLS standard. As a precaution, however, we point out that one hundred percent security in electronic data processing is not possible and that a residual risk always remains.
Data That You Transmit to Us
On this website, we process, among other things, the data that you enter yourself. This is the case, for example, if you create a user account or send us a message via a contact form. Depending on the type of form, the purpose of processing may vary; details can be found in this Privacy Notice.
Automatic Server Log Files
Our server also automatically records all accesses and therefore also IP addresses (log files). This serves to defend against attacks, analyse access figures and ensure smooth operation.
Use of Cookies and Cookie-Like Technologies
We use cookies and comparable technologies on our website (e.g. local storage, pixels, tags and similar technologies) in order to provide our website, improve user-friendliness, enable certain functions and carry out reach measurements and marketing activities. Further information can be found in this Privacy Notice.
Analytics and Tracking Tools
In addition to pure server log files, which also provide us with information on page views, we use analytics tools. These tools give us detailed insights into the content visited on our site, the behavioural flow and, for example, the country from which access took place. In order for such services to function, cookies or cookie-like technologies are used, provided this is permissible or you have given your consent.
Plugins and Content Delivery Networks
We use plugins and content delivery networks. Well-known examples of such technologies are the video service YouTube and the map service Google Maps. If such services are integrated via a website, log files are transmitted to the services. As a rule, this includes your IP address and other metadata, such as the time and date of access. In the context of the use of these technologies, cookies and cookie-like technologies may be used, insofar as this is permissible or you have given us your consent.
Newsletter / Direct Marketing
Direct Marketing to Existing Customers Based on Legitimate Interests
We reserve the right to send our customers newsletters on the basis of Sec. 7(3) UWG in conjunction with Art. 6(1)(f) GDPR. You may of course object at any time to receiving direct marketing information.
Direct Marketing Based on Your Consent
If you give us your consent, we will send you newsletters until you withdraw your consent. You may withdraw your consent to us at any time with effect for the future.
Further Data Recipients
Use of Processors
We use processors in accordance with the requirements of Art. 28 GDPR who process personal data on our behalf and in accordance with our instructions. For example, we use processors to provide the website and the web shop, as well as in the context of customer support. Details can be found in this Privacy Notice.
Use of Third-Party Professional Services
Where necessary (for example for contract performance), we disclose your data, for example, to banks, other payment service providers, shipping service providers, our tax advisor or lawyer.
Legal Obligations
We are subject to legal obligations, such as commercial law or tax law. In this context, we may have to disclose certain data, for example, to tax authorities due to legal obligations.
Investigation of Criminal Offences
If it should be necessary for the investigation of a criminal offence, we disclose data to law enforcement authorities.
General Information on Deletion Periods for Personal Data
We process data for as long as this is necessary for the respective purpose. Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and performance of a contract; in addition, we are obliged to comply with statutory retention obligations. If the data processing is based on your consent, we delete your data after you withdraw your consent.
Transfer of Personal Data to a Third Country
Wherever possible, we try to use service providers and services based within the European Union. A transfer to a third country may take place if you have given us your consent and/or suitable safeguards pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses or an adequacy decision, are in place.
Legal or Contractual Obligation to Provide Personal Data
This website can generally be visited without providing personal data. For purchases in our online shop, the provision of personal data is necessary for the conclusion of a purchase contract.
4. Legal Bases for the Processing of Personal Data
The legal bases for the processing of personal data are exceptions that permit the processing of personal data. The main legal bases are set out in particular in Art. 6 GDPR. The legal bases on which we process personal data are described in the individual processing activities in this Privacy Notice.
Consent Given (Art. 6(1)(a) GDPR)
Consent requires that the consenting person gives it in an informed manner and on a voluntary basis. Consent based on Art. 6(1)(a) GDPR can generally be withdrawn at any time without giving reasons.
Contract-Related Data Processing (Art. 6(1)(b) GDPR)
The legal basis for the processing of personal data for the initiation or performance of contractual relationships is Art. 6(1)(b) GDPR.
Legal Obligation (Art. 6(1)(c) GDPR)
In some cases, we process personal data on the basis of a legal obligation pursuant to Art. 6(1)(c) GDPR. Examples of such legal obligations include the obligation to comply with retention periods under commercial and tax law.
Legitimate Interests (Art. 6(1)(f) GDPR)
The processing of personal data on the basis of a balancing of interests pursuant to Art. 6(1)(f) GDPR permits processing after careful balancing of financial or legal interests against the legitimate interests of the data subject. The data subject has the right to object to processing based on legitimate interests.
5. Your Rights under the General Data Protection Regulation
Every natural person has certain rights; these are defined in particular in Articles 15 to 21 and 77 GDPR. You generally have the following rights, which you may assert against us.
Right to Withdraw Consent Given pursuant to Art. 7 GDPR
You may withdraw consent given to us at any time without giving reasons with effect for the future.
Right of Access pursuant to Art. 15 GDPR (Restrictions pursuant to Sec. 34 BDSG may apply)
You have the right at any time to request information about the data processed by us and the purposes of processing.
Right to Rectification pursuant to Art. 16 GDPR
If you find that we process incorrect or incomplete data about you, you have the right to rectification.
Right to Erasure pursuant to Art. 17 GDPR (Restrictions pursuant to Sec. 35 BDSG may apply)
You have the right at any time to request the deletion of your personal data processed by us. If complete deletion is not possible, for example because we have to comply with statutory retention obligations or can assert legitimate interests for another reason, we will restrict your data until these reasons cease to apply.
Right to Restriction of Processing pursuant to Art. 18 GDPR
You have the right to request the restriction of the processing of your personal data. You may contact us at any time at the address stated in the legal notice. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of the personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was or is unlawful, you may request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21(1) GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request restriction of the processing of your personal data.
- If you have restricted the processing of your personal data, such data may, apart from being stored, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Right to Data Portability pursuant to Art. 20 GDPR
You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract, or to have such data transmitted to a third party, in a commonly used, machine-readable format. If you request direct transmission of the data to another controller, this will only take place where technically feasible.
Right to Object to Certain Processing Activities and Direct Marketing pursuant to Art. 21 GDPR
Where data processing is carried out on the basis of Art. 6(1)(e) or (f) GDPR, you have the right at any time, on grounds relating to your particular situation, to object to the processing of your personal data; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this Privacy Notice. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (objection pursuant to Art. 21(1) GDPR).
If your personal data are processed for the purpose of direct marketing, you have the right at any time to object to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection pursuant to Art. 21(2) GDPR).
Right to Lodge a Complaint with a Supervisory Authority pursuant to Art. 77 GDPR in conjunction with Sec. 19 BDSG
In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
6. External Hosting & Shop System
Use of Shopify
We use the Shopify service for the operation of our website and online shop. The provider for customers in Europe is Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. Details can be found in Shopify’s Privacy Policy: https://www.shopify.de/legal/datenschutz.
Shopify provides the technical platform for the operation of our online shop and processes personal data in this context on our behalf pursuant to Art. 28 GDPR.
We use Shopify for the purpose of initiating and fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR). We also have legitimate interests in using an established, secure and user-friendly shop system (Art. 6(1)(f) GDPR).
Hosting and Technical Infrastructure
Shopify operates the infrastructure required for the shop. In this context, personal data may be processed on servers within the European Union and in third countries, in particular in Canada and the USA. An adequacy decision of the European Commission pursuant to Art. 45 GDPR exists for Canada. For data transfers to the USA, the transfer takes place on the basis of the EU-U.S. Data Privacy Framework (DPF), provided that the respective recipient is certified accordingly, and additionally on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Type and Scope of Processing
In the context of the use of Shopify, the following personal data in particular are processed:
- Master data (e.g. name, billing and delivery address)
- Contact data (e.g. e-mail address, telephone number)
- Contract data (e.g. ordered products, order history)
- Payment data (e.g. payment method, payment status, where applicable partial information on payment instruments)
- Usage data (e.g. visited pages, interactions in the shop)
- Device and access data (e.g. IP address, browser type, operating system, access times)
The processing is carried out for the purpose of providing the online shop, processing contracts, processing payments and ensuring the IT security and stability of the system.
Security and Protocol Data
To ensure the security and stability of the shop system, Shopify also processes technical protocol data, in particular:
- IP addresses
- Access times
- Error logs
- Security-relevant events
This processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the secure and stable provision of our online offering and in the defence against and analysis of attacks.
Use of Cookies and Similar Technologies
As part of operating the shop, Shopify uses technically necessary cookies that are required for the functionality of the shop, for example to store the shopping cart or maintain sessions. The use of these technically necessary cookies is based on Sec. 25(2) No. 2 TDDDG. If tracking or marketing technologies are used beyond this (e.g. through additional apps or integrations), this is done exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Integration of Third-Party Applications (Shopify Apps)
Our shop can be extended by additional applications (so-called “apps”) that are integrated via the Shopify platform. Depending on their function, these applications may access personal data, in particular to provide additional functions such as:
- Creation of invoices and delivery notes
- Display of product reviews
- Marketing and analytics functions
Processing by these applications is carried out in each case on the basis of separate agreements with the respective providers and, where required, on the basis of your consent.
Support by a Shopify Agency
We are supported by the Shopify agency Brand Boosting GmbH, Bahnhofstraße 32, 72458 Albstadt, Germany, in maintaining and managing our online shops. The Privacy Notice of Brand Boosting GmbH can be found here: https://brand-boosting.de/policies/privacy-policy. We have concluded a data processing agreement (DPA) with Brand Boosting GmbH. Personal data are processed only in accordance with our instructions and in compliance with the GDPR.
7. Automatic Server Log Files
Our web server automatically logs all accesses and therefore also the IP addresses of visitors. This serves to defend against attacks, analyse access figures and ensure smooth operation. We have a legitimate interest in this processing (Art. 6(1)(f) GDPR).
In addition to the IP address, the server log generally records further metadata relating to the session. These data are listed below.
- Date and time of access
- Information about the browser type and browser version used
- Information about the operating system used
- Device (client)
- Referrer URL (the website from which you reached our website)
- Accessed hyperlinks
We process these data only for the purposes described above. We delete server log files no later than three months after their collection.
8. Use of Cookies and Cookie-Like Technologies
Our website uses cookies and comparable technologies, in particular local storage, session storage, pixels, tags and scripts. Cookies are small data packages that are stored on your end device. Comparable technologies may also store information on your end device or read information from it.
These technologies may be technically necessary or functional, or they may be used for analytics and marketing technologies.
Technically necessary cookies and technologies are required to ensure that our website functions properly. These include, in particular, page navigation functions, shopping cart and order processing, login sessions, security functions and the storage of your privacy settings. Their use is based on Sec. 25(2) TDDDG. Insofar as personal data are processed in this context, processing is based on Art. 6(1)(f) GDPR, as we have a legitimate interest in the secure and functional provision of our website. Where processing is necessary for contract performance or for pre-contractual measures, it is based on Art. 6(1)(b) GDPR.
We use functional technologies to provide additional functions and external content. These may include, in particular, embedded videos, map and navigation services or other content and services of third-party providers. When such content is loaded, third-party providers may process information about your usage behaviour, your IP address, device information or browser data and may store or read cookies or comparable technologies on your end device. Where these technologies are not technically necessary, they are used exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
We use analytics and marketing technologies to statistically analyse the use of our website, improve our offering, display personalised content or advertising and measure the success of advertising measures. In this context, usage data, device information, pseudonymous identifiers, interactions with our website as well as campaign and conversion data may in particular be processed. Their use is based exclusively on your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
You may withdraw or adjust your consent at any time with effect for the future via the settings of our consent management tool. In addition, you may configure your browser so that cookies are blocked or deleted. If certain technologies are disabled, the functionality of our website may be restricted.
Further information on the specific services used, recipients, storage periods and legal bases can be found in the respective sections of this Privacy Notice.
9. Consent Management with Usercentrics
We use the consent management tool of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, website: https://usercentrics.com/de/ on our website.
Usercentrics is used to obtain, manage and document your consent for the use of cookies and comparable technologies as well as for certain data processing operations in a data protection-compliant manner. This enables us to control which technically non-essential services and technologies may be used on the basis of your consent.
When our website is accessed, Usercentrics processes in particular the following information:
- Your consents granted and withdrawals,
- Your IP address,
- Information about your browser and end device,
- Timestamp or time of consent,
- Information about the consent settings accessed,
- a pseudonymous user identifier (Consent ID).
Usercentrics also stores information in your browser in order to assign the consents or withdrawals you have given to your end device and to take them into account during later page views.
Processing is carried out to fulfil our legal obligations in connection with the use of cookies and comparable technologies and to fulfil data protection documentation and accountability obligations. The legal basis for this is Art. 6(1)(c) GDPR in conjunction with the requirements under Sec. 25 TDDDG. We also have a legitimate interest in using a legally compliant and user-friendly solution (Art. 6(1)(f) GDPR).
The data collected via Usercentrics are generally stored until you withdraw your consent, delete the stored cookies or local storage content yourself, or the purpose for storage ceases to apply. The cookie used to store your preferences has a term of one year, unless you delete it beforehand.
We have concluded a data processing agreement with Usercentrics pursuant to Art. 28 GDPR. This ensures that personal data are processed exclusively in accordance with our instructions and in compliance with the applicable data protection requirements.
10. Forms, E-Mail Communication, Telephone and Fax
Information on Contact Forms and E-Mail Messages to Customer Service
Please note that all messages from contact forms and e-mail messages to our customer service (in particular to bestellung@kosmos.de) are transferred to the “Zendesk” tool and further processed there (for further information, see “Customer Service”). In the processing of customer enquiries, we are supported by the service provider “Majorel”.
Message via Contact Form
You have the option of sending us messages via a contact form. In doing so, we process the data that you enter into the data entry form. Mandatory fields are marked as such and must be completed. The purpose of the data processing is to process your request and, where applicable, to contact you afterwards. If you send us enquiries via a contact form, your information from the enquiry form, including the contact details provided by you there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. These data are processed on the basis of Art. 6(1)(b) GDPR if your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), where this has been requested; consent may be withdrawn at any time. We store the transmitted data until the purpose of data storage has been achieved or you withdraw your consent. Please note that the process may be subject to statutory retention periods. In this case, we restrict your data for further processing until these periods expire.
Communication by E-Mail
If you send us an e-mail, we process your data according to the content and purpose of the message. As a rule, processing is carried out on the basis of pre-contractual measures or in the context of performing a contractual relationship on the basis of Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. It is a legitimate interest to process your enquiry quickly and efficiently. If the message relates to a product or service, we generally process your data on the basis of Art. 6(1)(b) GDPR. Please note that we store all incoming e-mails in accordance with the principles of proper accounting for a period of eight years, beginning on the first day of the year following the year in which the message was received. If you therefore request that we delete the data, we will henceforth restrict your data for processing and store them only for the purpose of complying with retention periods in our legitimate interest.
Communication by Telephone or Fax
If you contact us by telephone or fax, we process your data either for the initiation and performance of contractual relationships (if the content relates to a product or service) and/or in our legitimate interest, analogously to contact by e-mail.
We do not record the contents of calls, but we may take notes in order to process your enquiry. We store these until the purpose of data processing has been achieved and we no longer have any legitimate interests in the processing. Where applicable, contents of the conversation are stored in anonymised form for statistical purposes. You may of course request deletion at any time.
Submission of Game Ideas via Online Form
Via the author form, you may submit information about your game idea to Franckh-Kosmos Verlags-GmbH & Co. KG. In this context, we collect personal data in order to be able to contact you.
The following data are collected in the form:
- Title
- Surname
- First name
- E-mail address
- Telephone number
- Information about the game
Please submit your game ideas only via the form provided for this purpose. Submitting a game idea constitutes a measure for the initiation of a contract; accordingly, processing is carried out on the basis of Art. 6(1)(b) GDPR. Where consent has been requested and given, processing is also carried out on the basis of Art. 6(1)(a) GDPR. Consent given may be withdrawn at any time. We process your data until you withdraw your consent or the purpose of processing no longer applies.
Requesting Review Copies
As a journalist or blogger, you may use a form to request review copies of books, games and experiment kits from Franckh-Kosmos Verlags-GmbH & Co. KG. Please note that we provide complimentary copies on the basis of the rules of the Börsenverein des Deutschen Buchhandels e.V. regarding the use of book reviews.
If you request review copies, the following personal data are collected:
- E-mail address (mandatory field)
- Title
- First name (mandatory field)
- Last name (mandatory field)
- Company / publisher
- Editorial department / section
- freelance work for
- Street and house number (mandatory fields)
- Postcode and city (mandatory fields)
- Country
- Telephone
- Information about the review copy
- Information about topics on which you wish to be informed regularly
- Comment
If you would like to receive a review copy and, where applicable, have also consented to being sent information on certain topics, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and agree to receive the newsletter. We use your data exclusively to send review copies and, where applicable, the requested information on topics on which you would like to be informed regularly. For the dispatch of review copies, we pass on your data to a shipping service provider (such as DHL). The data entered in the request form are processed on the basis of Art. 6(1)(b) GDPR; the provision of review copies constitutes a gratuitous contractual relationship. Where we have requested and received your consent, processing is also carried out on the basis of Art. 6(1)(a) GDPR. Consent given for the processing of your data remains valid until withdrawn. You may withdraw your consent at any time by sending us an e-mail to presse@kosmos.de. Deletion is subject to statutory retention periods. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal.
Registration for the Press Distribution List
If you are interested in receiving press releases and communications electronically, you may be included in the press distribution list of Franckh-Kosmos Verlags-GmbH & Co. KG. Registration is carried out by means of a confirmation procedure (double opt-in), in which your name and e-mail address are transmitted to us in encrypted form.
The following information is collected:
- E-mail address (mandatory field)
- Title
- First name
- Last name
- Street and house number
- Postcode and city
- Country
- Topics in which you are interested (mandatory field)
The data entered in the registration form are processed on the basis of your consent (Art. 6(1)(a) GDPR). You may withdraw the consent given for the storage of the data, the e-mail address and its use for sending the press distribution list at any time, for example via the “unsubscribe” link in the newsletter or by e-mail to presse@kosmos.de. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal. The data stored by us for the purpose of receiving press information will be stored by us until you unsubscribe from the newsletter and deleted after you unsubscribe from the press distribution list. Data stored by us for other purposes remain unaffected by this.
If you no longer wish to receive regular information, you can unsubscribe from the press distribution list. For this purpose, you will find an unsubscribe link in every newsletter; alternatively, you may send a message to presse@kosmos.de. Data stored by us for other purposes remain unaffected by this. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal.
11. Zendesk Ticket System and Customer Service
Zendesk
We use the Zendesk ticket system to process customer enquiries. The provider is Zendesk, Inc., 181 Fremont Street, San Francisco, CA 94105, USA, with its European branch Zendesk International Ltd., 55 Charlemont Place, Saint Kevin’s, Dublin D02 F985, Ireland.
When you contact us, the personal data transmitted by you are processed in the Zendesk system. This concerns in particular:
- Name,
- Contact details (e.g. e-mail address, telephone number),
- Content of your enquiry,
- Communication and support histories,
- Technical metadata,
- where applicable, contract- or order-related information.
Processing is carried out for the purpose of handling and managing customer enquiries, providing technical support and documenting support processes.
Where your enquiry is related to an existing or future contractual relationship, processing is carried out on the basis of Art. 6(1)(b) GDPR. In all other cases, processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in efficient and structured handling of customer enquiries.
Zendesk may also process personal data outside the European Union or the European Economic Area, in particular in the USA. The data transfer is carried out on the basis of suitable safeguards pursuant to Art. 44 et seq. GDPR. In this regard, Zendesk has in particular approved Binding Corporate Rules (BCR) pursuant to Art. 47 GDPR. Where required, the data transfer is additionally carried out on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
We have concluded a data processing agreement with Zendesk pursuant to Art. 28 GDPR.
Further information on data processing by Zendesk can be found at:
https://www.zendesk.de/company/agreements-and-terms/privacy-notice/
Customer Service
You may contact our customer support at any time if you have a concern. As a rule, this process serves to clarify questions relating to a purchase already made or a future purchase. In these cases, we process your data on the basis of Art. 6(1)(b) GDPR. In all other cases, we process your data in our legitimate interest in providing smooth service and a customer-friendly offering. The legal basis is Art. 6(1)(f) GDPR.
We are supported in customer service by the service provider Majorel Deutschland GmbH, Reinhard-Mohn-Straße 500, 33333 Gütersloh – a company of the Majorel Group Luxembourg S.A., 18, boulevard de Kockelscheuer, L-1821 Luxembourg. Majorel’s Privacy Notice can be found here: https://de.majorel.com/privacy-policy/. We have concluded a data processing agreement with Majorel pursuant to Art. 28 GDPR.
12. Use of the Online Shop
Creation of a User Account
Shared User Account for the KOSMOS Online Shop and the KOSMOS Plus App
Franckh-Kosmos Verlags-GmbH & Co. KG and Kosmos & You GmbH operate a shared user account for the KOSMOS Online Shop and the KOSMOS Plus App.
When you register a KOSMOS account, a unified user account is created that can be used for both the KOSMOS Online Shop and the KOSMOS Plus App. This allows you to log in to and use both services with the same credentials.
If you already have a user account in the KOSMOS Plus App and register an additional shop account on this website, the two accounts will be linked.
For this purpose, the following personal data may be processed in particular:
- Email address
- User ID
- Registration and account information
- Technical authentication data
- Account settings
- Information about the status of your user account
The processing is carried out for the purpose of providing and managing a unified user account across KOSMOS's digital services. This enables users to access various services with a single account and allows user accounts to be managed centrally.
The legal basis for this processing is Article 6(1)(b) of the GDPR, insofar as the processing is necessary for the creation, provision, and administration of the shared user account and the services you use.
Franckh-Kosmos Verlags-GmbH & Co. KG and Kosmos & You GmbH have entered into an agreement on joint controllership in accordance with Article 26 GDPR with regard to the shared user account.
Within the framework of this joint controllership, Franckh-Kosmos Verlags-GmbH & Co. KG is primarily responsible for providing and managing the user account within the KOSMOS Plus App. Kosmos & You GmbH is primarily responsible for providing and managing the customer account within the KOSMOS Online Shop.
Regardless of these internal responsibilities, you may exercise your data protection rights against either company.
Creating a user account is generally not required in order to visit the Online Shop. However, certain functions and services are available only to registered users.
Deletion of a User Account / Customer Account
Your data will be stored for as long as you maintain your user account on our website. You may request the deletion of your customer account at any time, or—if this functionality is currently available in our shop—delete your account yourself.
Please note that deleting your customer account does not necessarily result in the deletion of all personal data. For example, if you have made a purchase in our shop, we must comply with statutory retention requirements. In such cases, the retention period is generally 8 years (Section 147 of the German Fiscal Code (AO) / Section 257 of the German Commercial Code (HGB)).
Product Reviews
For the comment function on this website, in addition to your comment, information on the time the comment was created and, if you do not post anonymously, the username selected by you are stored. The comments and the associated data (e.g. IP address) are stored and remain on our website until the commented content has been completely deleted or the comments must be deleted for legal reasons (e.g. offensive comments). Comments are stored on the basis of your consent (Art. 6(1)(a) GDPR). You may withdraw consent you have given at any time. An informal notification by e-mail to us is sufficient for this purpose. The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal. You may rate products and write reviews on our website; personal data from you are required for this process. In addition to a rating from one to five stars, you may write a text about it.
Data Processing When Purchasing in Our Shop
The contractual partner and operator of the online shop is Kosmos & You GmbH, Pfizerstraße 5–7, D-70184 Stuttgart, Germany. We collect your personal data for the purpose of processing the purchase contract; as a rule, these are:
- Your name
- Your address
- Your e-mail address
- Where applicable, telephone number
- Address and, where applicable, delivery address
- Customer number
- Order number
- Order date
- Purchased products
- Amount in euros
- Payment method
- Payment data
The collection is carried out on the basis of Art. 6(1)(b) GDPR for the performance of a contract or pre-contractual measures. We collect, process and use personal data regarding the use of this website (usage data) only insofar as this is necessary to enable the user to make use of the service or to bill for it.
We are obliged to comply with statutory retention periods (legal basis: legal obligation pursuant to Art. 6(1)(c) GDPR); these amount to 8 years pursuant to Sec. 257 HGB and Sec. 147 AO.
You do not necessarily have to register a user account to make a purchase in our shop and may place an order as a guest.
Processing of Existing Customer Data for Direct Marketing Purposes
In addition, we reserve the right to use your personal data for direct advertising by e-mail or post, provided that you have not objected to such use. The legal basis is Art. 6(1)(f) GDPR in conjunction with Sec. 7(3) UWG. Further information can be found under “Direct Marketing”.
Transfer to Further Data Recipients for Purchase Processing
We transfer your personal data to third parties only where this is necessary in the context of contract processing. The legal basis is Art. 6(1)(b) GDPR.
Disposition and Shipping Preparation
For the purpose of disposition and shipping preparation, we work with a service provider on the basis of data processing agreements (Art. 28 GDPR). This is done to optimise our logistics processes within the scope of our legitimate interests (Art. 6(1)(f) GDPR) and for order processing (Art. 6(1)(b) GDPR). The service provider involved is d-log GmbH, Schacht Neu-Cöln 14, 16, 18, D-45355 Essen.
Shipping Service Providers
As a rule, orders are shipped via the following shipping services:
- DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany, as well as
- Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany
In individual cases, orders are also shipped via the following shipping services:
- Hermes Germany GmbH, Essener Straße 89, 22419 Hamburg, Germany
- General Logistics Systems Germany GmbH & Co. OHG, GLS Germany-Straße 1–7, 36286 Neuenstein, Germany
- DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany
Payment Providers
For the processing of payments in our online shop, we use the “Shopify Payments” service from Shopify to integrate various payment methods. The provider for customers in Europe is Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. Further information on data processing by Shopify can be found at
https://www.shopify.com/legal/privacy.
As part of the payment process, the personal data required for payment processing are processed. This concerns in particular:
- Name,
- Billing and delivery address,
- E-mail address,
- Payment information,
- Order and transaction data,
- IP address,
- Device and connection information,
- Information for fraud prevention and authentication.
Depending on the payment method selected, payment processing is additionally carried out via the respective payment service providers and financial service providers. Personal data may be transmitted directly to these providers where this is necessary for carrying out the payment.
Processing is carried out for the purpose of payment processing, carrying out transactions, fraud prevention and fulfilling legal obligations in connection with payment services and financial transactions.
Where processing is necessary for carrying out payments and fulfilling a contract, it is carried out on the basis of Art. 6(1)(b) GDPR. In addition, processing may be carried out to fulfil legal obligations, in particular under tax, commercial, anti-money laundering and payment services law, on the basis of Art. 6(1)(c) GDPR.
As part of payment processing, risk, creditworthiness and fraud checks may be carried out. Automated assessments may also be carried out to identify abusive or suspicious transactions. In this respect, processing is carried out on the basis of the legitimate interest in preventing fraud and payment defaults pursuant to Art. 6(1)(f) GDPR.
Shopify, Stripe and the integrated payment service providers process personal data partly as independent controllers within the meaning of the GDPR. Processing exclusively in accordance with instructions within the meaning of data processing pursuant to Art. 28 GDPR generally does not take place with regard to payment processing.
In the context of using Shopify Payments, data may be transferred to affiliated companies as well as payment and financial service providers outside the European Union or the European Economic Area, in particular in Canada and the USA. Data transfers are carried out — where required — on the basis of adequacy decisions pursuant to Art. 45 GDPR, in particular for Canada, and where applicable on the basis of suitable safeguards pursuant to Art. 46 GDPR.
Supplementary Information on the Payment Methods
Shopify Payments Credit Card Payment (Visa, Mastercard, American Express)
The provider of this payment service is Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter “Shopify Payments”). Technical payment processing is partly carried out with the involvement of Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, and Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California 94080, USA. Data transfers to third countries are carried out on the basis of adequacy decisions pursuant to Art. 45 GDPR and additionally on the basis of standard contractual clauses of the EU Commission pursuant to Art. 46 GDPR. Details can be found in the privacy notices of Shopify: https://www.shopify.com/legal/privacy and Stripe: https://stripe.com/de/privacy.
The actual authorisation and processing of the card payment is carried out with the involvement of the respective credit card organisation:
Visa
The provider is Visa Europe Management Services Limited, 1 Sheldon Square, London W2 6TT, United Kingdom. Further information can be found at: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html
Mastercard
The provider is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium. Further information can be found at: https://www.mastercard.de/de-de/datenschutz.html
American Express (Amex)
The provider is American Express Europe S.A. (Germany branch), Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany. Further information can be found at: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html
Klarna Checkout via Shopify Payments
The provider of this payment service is Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter “Klarna”). Various payment methods, for example purchase on account, may be offered via Klarna. When Klarna is used, personal data may be transmitted to Klarna. Klarna may independently carry out creditworthiness and risk checks. Details can be found in Klarna’s privacy policy: https://www.klarna.com/de/datenschutz/
PayPal
The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”). The data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full. Further details can be found in PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Data Transfer to Debt Collection Companies
For contract performance pursuant to Art. 6(1)(b) GDPR, your data will be transferred, where necessary, to a commissioned debt collection company if the payment claim has not been settled despite a prior reminder. In this case, the claim will be collected directly by the debt collection company. In addition, the transfer serves to safeguard legitimate interests in the effective assertion or enforcement of the payment claim pursuant to Art. 6(1)(f) GDPR.
Creation of Invoices and Delivery Notes via Order Printer Pro
We use the Shopify app “Order Printer Pro” from the provider Shop Circle to create and provide invoices, delivery notes and other transaction-related documents. The provider is Shop Circle Ltd., One Kingdom Street, Paddington Central, London W2 6BD, United Kingdom. Further information on data processing by Shop Circle can be found at:
https://shopcircle.co/privacy-policy/
When using Order Printer Pro, personal data may be processed, in particular:
- Name,
- Billing and delivery address,
- Order information,
- Product and transaction data,
- Payment status,
- Contact details.
Processing is carried out for the purpose of creating, providing and managing invoices, delivery notes and other transaction-related documents in connection with orders in our online shop. The legal basis for processing is Art. 6(1)(b) GDPR where processing is necessary for the performance of the contract or for pre-contractual measures.
The United Kingdom is currently considered a third country with an adequate level of data protection under data protection law on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. We have concluded a data processing agreement with the provider pursuant to Art. 28 GDPR.
13. Spare Parts Service
You have the option of contacting our spare parts service with a concern. In this case, we process your request exclusively for the purpose of handling your enquiry; the legal basis is Art. 6(1)(b) GDPR. The spare parts service is managed by a service provider, intego gGmbH, Daimlerstraße 1/1, 72793 Pfullingen, Germany, with whom we have concluded a data processing agreement. We process your data until your request has been handled and statutory retention periods have expired (Sec. 147 AO / Sec. 257 HGB). Since the delivery of spare parts constitutes an accounting-relevant process for us, we must retain the data in this context for eight years, beginning with the calendar year following the process.
14. Personalisation of Content, Customer Interest Analysis and Customer Data Platform (CDP)
To improve our online offering, we use functionalities for analyzing customer interests, creating customer segments and personalizing content.
For this purpose, information from various interactions within our online shop and connected systems is technically consolidated and evaluated through a Customer Data Platform (CDP) or comparable systems.
The analytics, tracking, marketing and customer management systems used for these purposes are described in more detail in the respective sections of this Privacy Policy. Depending on how you use our services, data from the systems and services described therein may be processed and combined.
As part of this processing, the following personal or personally identifiable data may in particular be processed:
- Order and purchase histories
- Shopping cart and product data
- Product interactions
- Search queries within the online shop
- Page views and navigation paths
- Click and interaction data
- Newsletter and marketing interactions
- Customer and user identifiers
- First and last name
- Email address
- Device and browser information
- IP address
- Pseudonymous identifiers
- Technical connection data
The processing is carried out in particular for the following purposes:
- Analysis of product and customer interests
- Creation of customer segments
- Improvement of our product portfolio
- Optimization of our online offering
- Enhancement of the user experience
- Personalization of content and product recommendations
- Display of interest-based content within our online offering
- Measurement and optimization of our own services and offerings
- Management and assignment of customer contacts
- Provision of centralized customer data structures
- Management of a unified customer profile
- Management of the shared user account for the KOSMOS Online Shop and the KOSMOS Plus App
Where data is processed exclusively within existing contractual, customer or user relationships and such processing serves internal customer management, administration of the shared user account, customer segmentation, analysis of customer and product interests, statistical evaluation, improvement of our services, or personalization of content and product recommendations within existing customer relationships, the processing is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR in maintaining an efficient, user-friendly and needs-based design of our digital services as well as effective customer relationship management.
Such processing activities may include in particular:
- Analysis of product and customer interests
- Creation of customer segments
- Management of a unified customer profile
- Consolidation of data from the KOSMOS Online Shop, the shared user account, newsletter systems and other connected KOSMOS services
- Personalization of content and product recommendations within existing customer relationships
- Improvement of our product portfolio and services
- Measurement and optimization of our own services and offerings
Where information is stored on or accessed from your device through cookies or comparable technologies, where user behavior is processed for analytics, tracking or marketing purposes, or where applicable law requires consent, the respective processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR and Sec. 25(1) of the German Telecommunications Digital Services Data Protection Act (TDDDG).
This may include in particular:
- Analysis of click and usage behavior through cookies or comparable technologies
- Marketing and advertising tracking
- Retargeting and remarketing activities
- Cross-channel marketing activities
- Individual performance measurement of marketing campaigns
- Individual analysis of newsletter interactions
- Profiling based on tracking and marketing data
The procedures described above are used to adapt, improve and further develop our online offering. No solely automated decision-making within the meaning of Art. 22 GDPR is carried out that produces legal effects concerning you or similarly significantly affects you.
Hosting of the Customer Data Platform by Hetzner
For the hosting of the database and infrastructure components of our Customer Data Platform, we use services of Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. Further information on data processing by Hetzner can be found at https://www.hetzner.com/de/legal/privacy-policy/.
Hetzner provides the technical hosting and server infrastructure for the storage and processing of data within the Customer Data Platform.
In the context of hosting, in particular the following personal data may be processed:
- Customer and user data
- Order and transaction data
- Usage and analytics data
- Technical log data
- IP addresses
- Database contents and backup copies
Processing is carried out exclusively in the context of data centre and hosting services for the provision of the technical infrastructure.
We have concluded a data processing agreement with Hetzner pursuant to Art. 28 GDPR. Processing generally takes place within the European Union or the European Economic Area.
15. Analytics Tools, Tracking and Advertising
Google Tag Manager
We use Google Tag Manager. The provider for users in the European Economic Area and Switzerland is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information on Google Tag Manager can be found at https://support.google.com/tagmanager/. Google’s Privacy Notice can be found at https://policies.google.com/privacy?hl=de.
Google Tag Manager is a tag management system that enables us to centrally manage and technically integrate codes and services on our website. Google Tag Manager is used to manage and deploy tags and comparable technologies.
To our knowledge, Google Tag Manager itself does not store cookies on your end device and does not create independent user profiles. However, the processing of technical connection data, in particular the IP address, cannot be excluded in the context of technical provision.
The use of Google Tag Manager is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in the efficient, flexible and technically optimised management and integration of services on our website.
Where services are integrated via Google Tag Manager which themselves use cookies or comparable technologies or process personal data, such processing is carried out on the basis of the respective required consents pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. Information on this can be found in the respective privacy notices for the services used.
In the context of using Google Tag Manager, a transfer of personal data to Google servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Google Analytics
We use Google Analytics, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics enables us to analyse the use of our website and to statistically evaluate user behaviour. In this context, information about pages visited, interactions, time spent, technical information on the end device and browser used, origin of visitors and usage data may in particular be processed.
In the context of the use of Google Analytics, the following personal or personally identifiable data in particular may be processed:
- IP address
- pseudonymous user identifiers
- device and browser information
- operating system
- referrer URL
- pages accessed and interactions
- date and time of page views
- technical connection data
- approximate location information
We use Google Analytics with IP anonymisation activated. This means that your IP address is shortened by Google within the European Union or the European Economic Area before further processing. Only in exceptional cases is the full IP address transmitted to Google servers in the USA and shortened there.
The use of Google Analytics is based on your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
Google generally processes the personal data collected in the context of Google Analytics on the basis of the Google Ads Data Processing Terms. However, where additional advertising and marketing functions are activated, in particular Google Signals, Google Ads links or cross-device analyses, Google also processes personal data partly for its own purposes. This concerns in particular the provision, improvement, personalisation and performance measurement of advertising services within the Google network. Processing in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases with regard to such processing.
In the context of using Google Analytics, a transfer of personal data to Google servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
The data collected by Google Analytics are generally stored by us for a maximum period of 14 months and then deleted or anonymised, unless statutory retention obligations prevent this.
Further information on Google Analytics can be found at:
https://support.google.com/analytics/
Google’s Privacy Notice can be found at:
https://policies.google.com/privacy?hl=de
Enhanced E-Commerce Measurement
Within Google Analytics, we use the “Enhanced E-Commerce Measurement” function. This enables interactions with products and order processes within our online shop to be statistically evaluated.
In particular, the following information may be processed:
- products viewed
- product categories
- shopping cart processes
- purchases completed
- revenues
- transaction data
- shipping costs
- vouchers and discount codes
- returns information
- interactions with advertising and marketing measures
The use of enhanced e-commerce measurement is based on your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Google Signals
Within Google Analytics, we use the “Google Signals” function. Google Signals enables cross-device analyses and reports, provided that users have activated personalised advertising and are logged into their Google account.
This may in particular involve the processing of cross-device usage and interaction data and the creation of statistical information about the use of different end devices.
The data provided to us by Google Signals are generally made available to us only in aggregated form. However, Google may link the data with information from logged-in Google accounts and use it to personalise advertising and provide its own advertising services.
The use of Google Signals is based on your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Google Ads
We use the Google Ads service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Ads enables us to place advertisements within the Google advertising network and to analyse and optimise our advertising measures. In this context, information about the use of our website, interactions with advertisements, accessed content as well as conversion and campaign data may in particular be processed.
In the context of using Google Ads, the following personal or personally identifiable data in particular may be processed:
- IP address
- device and browser information
- referrer URL
- interaction data
- campaign data
- conversion data
- pseudonymous identifiers
- information about usage and browsing behaviour
Where users are logged into their Google account, Google may combine the processed information across devices and link it with other Google services.
The use of Google Ads is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Google processes personal data in connection with Google Ads partly as an independent controller. This concerns in particular advertising, remarketing, personalisation, analytics and cross-device functions within the Google advertising network. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
The Google Ads Data Processing Terms and, additionally, the Google Ads Controller-Controller Data Protection Terms apply with Google.
In the context of using Google Ads, a transfer of personal data to Google servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on Google Ads can be found at:
https://support.google.com/google-ads/
Google’s Privacy Notice can be found at:
https://policies.google.com/privacy?hl=de
Google Ads Conversion Tracking
We use Google Ads Conversion Tracking of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website.
With the help of Google Ads Conversion Tracking, we can determine whether users perform certain actions on our website after interacting with a Google advertisement. This allows in particular conversions, completed purchases, contact enquiries or other defined user actions to be statistically evaluated.
In particular, the following data may be processed:
- IP address
- device and browser information
- referrer URL
- conversion data
- interaction data
- campaign data
- pseudonymous identifiers
The use of Google Ads Conversion Tracking is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Google processes personal data in connection with Google Ads Conversion Tracking partly also as an independent controller. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
The Google Ads Data Processing Terms and, additionally, the Google Ads Controller-Controller Data Protection Terms apply with Google.
In the context of using Google Ads Conversion Tracking, a transfer of personal data to Google servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Google Ads Remarketing
We use Google Ads Remarketing of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website.
Google Ads Remarketing enables us to display interest-based advertising to users of our website within the Google advertising network. In this context, users may be recognised, target groups may be created and personalised advertisements may be displayed.
Where users are logged into their Google account, Google may combine the processed information across devices and link it with other Google services.
In the context of remarketing, cookies, pseudonymous identifiers, device information, usage data, interaction data and information about browsing and purchasing behaviour may in particular be processed. Technologies of the Google Marketing Platform or formerly DoubleClick may also be used in this context.
The use of Google Ads Remarketing is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
Google processes personal data in connection with Google Ads Remarketing partly as an independent controller. This concerns in particular advertising, remarketing, personalisation, analytics and cross-device functions within the Google advertising network. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
The Google Ads Data Processing Terms and, additionally, the Google Ads Controller-Controller Data Protection Terms apply with Google.
In the context of using Google Ads Remarketing, a transfer of personal data to Google servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on Google’s Privacy Notice can be found at:
https://policies.google.com/privacy?hl=de
Meta Conversion API
We use the Meta Conversion API on our website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The parent company is Meta Platforms, Inc., 1 Meta Way, Menlo Park, California 94025, USA.
The Meta Conversion API enables us to record user interactions on our website on the server side and transmit them to Meta in order to analyse and optimise the performance of our advertisements and marketing measures within the Meta services (e.g. Facebook and Instagram).
In this context, the following personal or personally identifiable data in particular may be processed:
- IP address
- user agent
- timestamp
- device and browser information
- conversion and event data
- pages accessed
- interaction data
- transaction data
- shopping cart and order values
- currency
- pseudonymous identifiers
- hashed contact information, where transmitted
An overview of the data categories supported by the Meta Conversion API can be found at:
https://developers.facebook.com/docs/marketing-api/conversions-api/parameters
The use of the Meta Conversion API is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
Where personal data are collected on our website and transmitted to Meta in the context of the Meta Conversion API, we and Meta Platforms Ireland Limited are joint controllers pursuant to Art. 26 GDPR with regard to the collection and transmission of these data. The joint controllership is limited exclusively to the collection and transmission of the data to Meta. The subsequent processing by Meta is carried out under Meta’s own responsibility under data protection law.
The agreement on joint controllership can be found at:
https://www.facebook.com/legal/controller_addendum
Meta processes personal data in connection with advertising, analytics and marketing functions partly also for its own purposes. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
In the context of using the Meta Conversion API, a transfer of personal data to Meta servers in the USA and other third countries cannot be excluded. Data transfer to third countries is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on data processing by Meta can be found at:
https://www.facebook.com/privacy/policy/
Further information on data transfers to third countries can be found at:
https://www.facebook.com/legal/EU_data_transfer_addendum
Hotjar
We use the web analytics and feedback service Hotjar on our website. The provider is Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St. Julian’s STJ 3141, Malta.
Hotjar enables us to analyse user behaviour on our website and to evaluate interactions with individual pages and functions. In particular, usage movements, click behaviour, scroll behaviour and feedback on our website may thereby be analysed.
In the context of the use of Hotjar, the following personal or personally identifiable data in particular may be processed:
- IP address (shortened or pseudonymised)
- device and browser information
- screen size and device type
- operating system
- referrer URL
- pages accessed
- click, mouse and scroll behaviour
- date and time of page views
- technical connection data
- pseudonymous user identifiers
In addition, feedback and survey functions may be used. Participation in these is voluntary.
The use of Hotjar is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
We have concluded a data processing agreement with Hotjar pursuant to Art. 28 GDPR.
In the context of using Hotjar, a transfer of personal data to third countries cannot be excluded. Data transfers are carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on data processing by Hotjar can be found at:
https://www.hotjar.com/legal/policies/privacy/
TikTok Pixel
We use the TikTok Pixel of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, One London Wall, London EC2Y 5EB, United Kingdom, on our website.
The TikTok Pixel enables us to track the behaviour of users after they have been redirected to our website by a TikTok advertisement. This enables, in particular, the effectiveness of TikTok advertisements to be analysed and optimised.
In the context of using the TikTok Pixel, the following personal or personally identifiable data in particular may be processed:
- IP address
- device and browser information
- referrer URL
- pages and content accessed
- interaction data
- conversion data
- timestamp
- pseudonymous identifiers
- information about usage and browsing behaviour
Where users are logged into TikTok, TikTok may link the processed information with existing user accounts and use it for personalised advertising purposes.
The use of the TikTok Pixel is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
TikTok processes personal data in connection with advertising, analytics and marketing functions partly also as an independent controller. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
In the context of using the TikTok Pixel, a transfer of personal data to third countries, in particular to Singapore, China and the USA, cannot be excluded. Data transfers are carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on data processing by TikTok can be found at:
https://www.tiktok.com/legal/privacy-policy-eea
Reddit Pixel
We use the Reddit Pixel on our website. The provider is Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015 CS Amsterdam, Netherlands. The parent company is Reddit, Inc., 303 2nd Street, Suite 500 South, San Francisco, California 94107, USA.
The Reddit Pixel enables us to track the behaviour of users after they have been redirected to our website by a Reddit advertisement. This enables, in particular, the effectiveness of advertisements to be analysed and optimised.
In the context of using the Reddit Pixel, the following personal or personally identifiable data in particular may be processed:
- IP address
- device and browser information
- referrer URL
- pages and content accessed
- interaction data
- conversion data
- timestamp
- pseudonymous identifiers
- information about usage and browsing behaviour
Where users are logged into Reddit, Reddit may link the processed information with existing user accounts and use it for personalised advertising purposes.
The use of the Reddit Pixel is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
Reddit processes personal data in connection with advertising, analytics and marketing functions partly also as an independent controller. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
In the context of using the Reddit Pixel, a transfer of personal data to Reddit servers in the USA cannot be excluded. Data transfer to the USA is carried out in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on data processing by Reddit can be found at:
https://www.redditinc.com/policies/privacy-policy
16. Plugins and Content Delivery Networks
YouTube
This website embeds videos from the YouTube website. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. When you visit one of our web pages on which YouTube is embedded, a connection to YouTube servers is established. In doing so, the YouTube server is informed which of our pages you have visited. In addition, YouTube may store various cookies on your end device or use comparable technologies for recognition (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent attempts at fraud. If you are logged into your YouTube account, you enable YouTube to assign your browsing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
The use of YouTube is based on your consent pursuant to Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG. Consent may be withdrawn at any time.
Further information on the handling of user data can be found in YouTube’s Privacy Policy at:
https://policies.google.com/privacy?hl=de.
SproutVideo
Videos may be embedded within this offering which have been stored by us on the Sproutvideo.com platform (SproutVideo, 33 Nassau Ave #90, Brooklyn, NY 112222). SproutVideo uses browser settings, for example, to optimise the presentation and functionality of the embedded videos.
The use of SproutVideo is based on your consent pursuant to Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG. Consent may be withdrawn at any time.
Further information on the handling of user data can be found in SproutVideo’s Privacy Policy at: sproutvideo.com/privacy.
Advertising spaces are displayed in some videos. The display and any access to the advertising spaces are recorded anonymously and made available to the advertiser. By clicking on an advertising space in the video, you agree to be redirected to the advertiser’s website.
Reading Samples via BIC Media Widget-Plus
On our website, we offer reading samples from our range. These reading samples are integrated via the BIC Media Widget-Plus of VVA - Arvato SCM Solutions (Arvato Media GmbH, An der Autobahn 100, 33333 Gütersloh).
When reading samples are accessed, server log files, including your IP address, are transmitted to BIC Media.
The use of BIC Media reading samples is based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR. We have a legitimate interest in providing our customers with an interactive offering and the opportunity to preview our products. Where corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG. Consent may be withdrawn at any time.
BIC Media’s Privacy Policy can be accessed at https://bic-reader.com/datenschutz.
Judge.me
We use the review service Judge.me on our website. The provider is Judge.me Ltd., c/o Buckworths, 1–3 Worship Street, London EC2A 2AB, United Kingdom.
Judge.me enables us to provide and evaluate product reviews and customer reviews within our online shop. After a purchase, users may submit reviews of products, orders or usage experiences and view published reviews from other users.
In the context of the use of Judge.me, the following personal data in particular may be processed:
- First name and last name or display name
- E-mail address
- Order information
- Product and review data
- Content of reviews and comments
- Star ratings and feedback information
- Date and time of the review
- Device and browser information
- IP address
- technical connection data
Where reviews are published, the information provided in this context may be visible to other users of our online shop.
Processing is carried out for the purpose of providing and displaying product reviews, quality assurance, improving our offering and analysing customer feedback.
Where processing is necessary for the implementation of pre-contractual measures or for the performance of a contract, it is carried out on the basis of Art. 6(1)(b) GDPR.
In all other cases, processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the transparent presentation of customer reviews, optimisation of our offering and analysis of customer satisfaction.
Where technically non-essential cookies or comparable technologies are used, or reviews are processed for marketing or analytics purposes, processing is carried out exclusively on the basis of your consent pursuant to Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR.
The United Kingdom is currently regarded as a third country with an adequate level of data protection on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
Judge.me processes personal data in connection with review, analytics and platform functions partly also as an independent controller. Processing exclusively in accordance with instructions within the meaning of complete commissioned processing pursuant to Art. 28 GDPR therefore does not take place in all cases.
Further information on data processing by Judge.me can be found at:
https://judge.me/privacy
Sharing Content via Social Media (Facebook, Twitter, etc.)
A “share” function is used on our website to allow content to be used, for example, in social networks. To increase the protection of your data when visiting our website, the plugins are not integrated into the page without restriction, but only via an HTML link.
As soon as you access the page of a service provider via the share button, the respective provider receives the information that you have visited our page with your IP address. If you are logged into your respective social media account at the same time, the provider may assign the visit to your user account.
Please refer to the privacy notices of the providers on their pages for the purpose and scope of data collection and the further processing and use of the data by the providers as well as your rights in this regard and settings options for protecting your privacy.
17. Direct Marketing and Newsletter
Direct Marketing to Existing Customers Based on Legitimate Interests
Kosmos & You GmbH reserves the right to use data collected in connection with a purchase or service agreement for direct marketing via email or post in accordance with Section 7 Paragraph 3 of the German Unfair Competition Act (UWG), unless the customer objects or has objected to such use. Direct marketing will only include offers for products or services similar to those already purchased from us. We will use your data for direct marketing purposes for up to five years after your last purchase, based on our legitimate interest.
We have a legitimate economic interest (Art. 6(1)(f) GDPR) in informing our customers about new products and improving our services. You can, of course, object to receiving direct marketing at any time. Please send your objection to the data controller named above. Each newsletter also contains information on how to exercise your right to object. You will find a link in each newsletter that allows you to unsubscribe. Alternatively, please send your objection to Kosmos & You GmbH, Pfizerstraße 5-7, D-70184 Stuttgart, or by e-mail to widerruf@kosmos.de.
Direct Marketing Based on Your Consent
If you subscribe to our newsletter, you will receive information about products, news, promotions, or customer surveys via email. The legal basis for this is your consent (Art. 6(1)(a) GDPR) given to KOSMOS & You GmbH. To verify the accuracy of the email address you have provided, we use the "double opt-in" procedure. Should the double opt-in procedure be unavailable due to temporary technical issues, we will send you an email to which you can reply without adding any text in order to confirm your identity. You may withdraw your consent at any time. You will find an unsubscribe link in the newsletter footer for this purpose. Alternatively, please send your withdrawal to Kosmos & You GmbH, Pfizerstraße 5-7, D-70184 Stuttgart, or by e-mail to widerruf@kosmos.de. We process your data for the purpose of sending our e-mail newsletters until you withdraw your consent.
Newsletter Dispatch via Shopify
For sending our newsletter and managing newsletter subscriptions, we use functions of Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. The parent company is Shopify Inc., 151 O’Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada.
In the context of registration for and use of our newsletter, the following personal data in particular may be processed:
- First name
- Last name
- E-mail address
- Information on newsletter registration and confirmation (double opt-in data)
- IP address
- Date and time of registration
- Information on newsletter interactions
- Open rates
- Click behaviour
- Device and browser information
- technical connection data
Processing is carried out for the purpose of providing and carrying out newsletter dispatch, managing subscriptions, documenting consents given, analysing newsletter interactions and optimising and personalising newsletter content.
We have concluded the required contractual agreements on data processing with Shopify.
In the context of using Shopify, a transfer of personal data to Canada, the USA and other third countries cannot be excluded. Data transfers are carried out in particular on the basis of adequacy decisions pursuant to Art. 45 GDPR and, where required, on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Further information on data processing by Shopify can be found at https://www.shopify.com/legal/privacy.
18. Information for Applicants
Applications are processed within the group of companies under the framework of joint controllership by Franckh-Kosmos Verlags-GmbH & Co. KG. This also applies to applications submitted to Kosmos & You GmbH.
If you apply to us, whether for an advertised position or on your own initiative, we process your data for the purpose of carrying out the selection process. It is irrelevant to us whether you apply by post, by e-mail or, where available for the respective position, via an online form. In principle, in the context of an application procedure, we process only the data that you have transmitted to us yourself. Additional sources will only be consulted after informing you and consulting with you. For example, this may include whether we may contact a former employer. The legal basis for carrying out an application procedure is Section 26 BDSG in conjunction with Art. 6(1)(b) GDPR (steps prior to entering into an employment contract). If you give us your consent to store your data for a longer period, this processing is carried out on the legal basis of Art. 6(1)(a) GDPR.
Retention Periods for Applicant Data
We delete applicant data no later than four months after completion of the application procedure (once a candidate has been selected and all applicants have been informed of the outcome). The purpose of the data processing generally no longer exists once the selection procedure has ended; however, we have a legitimate interest (Art. 6(1)(f) GDPR) in being able to defend ourselves against any claims asserted by rejected applicants. If you believe that your interests in immediate deletion outweigh our interests, you may ask us to delete the data. We will then review your request and provide you with feedback.
After the expiry of the above period, your data will be deleted unless we need to defend ourselves, for example in ongoing proceedings, such as in the event of a claim under the German General Equal Treatment Act. In that case, we will delete your data after conclusion of the proceedings, provided that no statutory retention periods apply.
If we are permitted to store your data for a longer period on the basis of your consent, we will delete your data if you ask us to do so and withdraw your consent. We may also delete your data before you withdraw your consent if it becomes apparent that no position will be available.
Inclusion in Our Applicant Pool
If we are unable to offer you a position at the present time, we may ask for your consent to continue storing your data. This serves the purpose of offering you a suitable position at a later date. The legal basis for processing your data in our applicant pool is your consent (Art. 6(1)(a) GDPR). You may of course withdraw your consent at any time with effect for the future. If you do not withdraw your consent yourself within a period of two years, we will delete your data from our applicant pool no later than at the end of that period.
19. Online Meetings and Video Conferences with Zoom
For the purpose of conducting online meetings, video conferences and digital meetings, we use the Zoom Communications Inc. (“Zoom”) service. The provider is Zoom Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For customers in the European Economic Area, the service is provided in part through Zoom Video Communications B.V., Gustav Mahlerlaan 16, 1082 PP Amsterdam, Netherlands. Further information on data processing by Zoom can be found at https://explore.zoom.us/de/privacy/.
In connection with the use of Zoom, personal data may be processed. This includes in particular:
- First name and last name,
- E-mail address,
- Meeting and participant data,
- IP address,
- Device and connection information,
- Audio, video and chat content,
- Content of screen shares,
- Communication and interaction data,
- Date, time and duration of participation.
The processing is carried out for the purpose of conducting online meetings, video conferences and digital communication.
Where processing is necessary in order to take steps prior to entering into a contract or to perform a contract, it is carried out on the basis of Art. 6(1)(b) GDPR. In all other cases, the processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in efficient, location-independent communication and the conduct of digital meetings.
We have concluded a data processing agreement with Zoom pursuant to Art. 28 GDPR. However, Zoom does not process personal data exclusively on our behalf. Where you independently use the Zoom website, Zoom applications or other Zoom services, Zoom processes personal data in this respect also as an independent controller within the meaning of the GDPR. This applies in particular to the technical provision of the platform, security and diagnostic functions, and certain processing operations carried out by Zoom for its own purposes.
Personal data processed in connection with the use of Zoom is generally stored only for as long as this is necessary for carrying out and following up on the respective meeting and, where applicable in an individual case, for compliance with legal obligations. If meetings are recorded, storage takes place only for the stated purpose and for the communicated duration. Technical log and diagnostic data may be stored by Zoom in accordance with its own privacy policy.
The use of Zoom may also involve the processing of personal data outside the European Union or the European Economic Area, in particular in the USA. Data transfers are carried out, where required, in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
20. Webinars and Online Courses
Webinars and Online Courses with Zoom
For the purpose of conducting webinars, online meetings and digital events, we use the Zoom Communications Inc. (“Zoom”) service. The provider is Zoom Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For customers in the European Economic Area, the service is provided in part through Zoom Video Communications B.V., Gustav Mahlerlaan 16, 1082 PP Amsterdam, Netherlands. Further information on data processing by Zoom can be found at
https://explore.zoom.us/de/privacy/.
Purposes of Processing
Personal data is processed for the purpose of conducting webinars, online meetings and digital communication formats as well as for participant management, technical provision, communication with participants and, where applicable, follow-up to the events.
Categories of Data Processed
In connection with the use of Zoom, the following personal data in particular may be processed:
Participant and Registration Data
- First name,
- Last name,
- E-mail address,
- individual participation or access links,
- company details, where applicable,
- voluntarily provided profile information.
Webinar and Meeting Metadata
- Topic and description of the event,
- Date and time,
- Duration of participation,
- IP address,
- Device and hardware information,
- Operating system,
- Browser information,
- Technical connection data,
- Meeting or webinar ID.
Communication Data
If the corresponding functions are used, the following may also be processed:
- Audio and video data,
- Chat content,
- Screen shares,
- Questions and answers,
- Reactions and interactions within the webinar.
Activation of the camera or microphone is carried out exclusively by the participants themselves. Participants can deactivate or mute their camera and microphone at any time.
Chat, Question and Interaction Functions
If chat, question or interaction functions are used within a webinar, the content entered in this context is processed in order to enable the webinar to be carried out and moderated and to handle participant enquiries. Where this is necessary, chat content, questions or feedback may be stored for documentation, follow-up or optimisation purposes. Personal evaluations are generally not carried out in this context unless this is necessary in an individual case.
Polls and Feedback Functions
Polls or feedback functions may be used in the context of webinars in order to evaluate and improve content and event formats. Participation in such polls is voluntary.
E-mail Communication and Reminders
In connection with registration for and participation in webinars, participants may receive e-mails containing participation information, access links, organisational information or reminders about the webinar.
Recording of Webinars
Webinars or online meetings are recorded only if this has been transparently announced in advance and, where required under data protection law, corresponding consent has been obtained from the participants.
Participants are informed about this before a recording begins. During an active recording, a corresponding notice is also displayed within the Zoom application.
Use of the Zoom Website and Application
Participation in a webinar may require the use of the Zoom application or the browser-based web version. To the extent that you use Zoom’s website or applications directly, data processing in this respect is carried out under Zoom’s responsibility.
Legal Bases for Processing
Where processing is necessary in order to take steps prior to entering into a contract or to perform a contract, it is carried out on the basis of Art. 6(1)(b) GDPR.
In all other cases, the processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the efficient conduct of webinars, online meetings and digital communication.
Where consent is obtained, in particular for recordings or optional functions, the processing is carried out on the basis of Art. 6(1)(a) GDPR. Consent that has been given may be withdrawn at any time with effect for the future.
Where personal data of employees is processed, the processing is carried out on the basis of Section 26 BDSG, insofar as this is necessary for the performance or organisation of the employment relationship.
Third-Country Transfer
In connection with the use of Zoom, it cannot be ruled out that personal data will also be processed in third countries, in particular in the USA. Data transfers are carried out, where required, in particular on the basis of standard contractual clauses pursuant to Art. 46 GDPR.
Data Processing Agreement
We have concluded a data processing agreement with Zoom pursuant to Art. 28 GDPR. This ensures that personal data is processed exclusively in accordance with our instructions and in compliance with the applicable data protection requirements.
Online Courses via Teachable
For the provision and management of our online courses, we use the Teachable platform. The provider is Teachable, Inc., 470 Park Avenue South, 6th Floor, New York, NY 10016, USA. Teachable’s Privacy Notice can be found at
https://teachable.com/privacy-policy.
Via Teachable, we provide digital course content, learning materials and course-related functions and manage access and participant accounts.
Categories of Data Processed
In connection with the use of Teachable, the following personal data in particular may be processed:
- First name,
- Last name,
- E-mail address,
- Access data and user account,
- Information on booked courses,
- Learning and usage data,
- Progress and completion information,
- Communication data,
- Payment and order information,
- Technical usage data and log files.
When the platform is accessed, Teachable also processes technical access data, in particular:
- IP address,
- Date and time of access,
- Browser type and browser version,
- Device information,
- Operating system,
- Referrer URL,
- Screen resolution,
- Usage and interaction data.
Purposes of Processing
The processing is carried out for the purpose of providing and conducting our online courses, managing user accounts and course access, technically providing the platform, communicating with participants and analysing and optimising our course offering.
Legal Bases
Where processing is necessary in order to take steps prior to entering into a contract or to perform a contract, it is carried out on the basis of Art. 6(1)(b) GDPR.
In addition, processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the secure, efficient and user-friendly provision of a professional online course platform.
Third-Country Transfer
Teachable also processes personal data in the USA. We point out that the USA does not guarantee a level of data protection comparable to that of the European Union in all areas. To safeguard data transfers to third countries, we have concluded a data processing agreement with Teachable including the European Commission’s standard contractual clauses pursuant to Art. 46 GDPR. Further information can be found in Teachable’s Data Processing Addendum at: https://teachable.com/dpa
Storage Period
Your personal data is generally stored only for as long as this is necessary for the provision of the booked courses, the management of your user account and compliance with statutory retention obligations. Course-related access data and user accounts generally remain stored as long as active course access exists or further provision of the user account is required.
21. Participation in Our Prize Draws
Processing Based on Terms and Conditions of Participation
If you participate in one of our prize draws, we process the data you provide in the context of the prize draw in order to carry out the prize draw on the basis of the respective terms and conditions of participation. The categories of data required for participation in the prize draw are generally indicated on the prize draw form and in the terms and conditions of participation.
The legal basis is generally Art. 6(1)(b) GDPR.
The processing includes checking whether a participant is eligible to participate, determining and notifying the winners, and delivering the prize.
The winner will be notified by the means specified in the context of the prize draw. Winners are generally contacted by e-mail, although this may vary depending on the type and design of the prize draw.
Processing on the Basis of Your Consent
If you have consented to further processing purposes in the context of the prize draw, we process your personal data for these purposes on the basis of your consent (Art. 6(1)(a) GDPR).
Some of our prize draws require your consent to the processing of your data for advertising purposes. This is clearly highlighted and transparently communicated on the respective prize draw form. The types of advertising measures covered by the consent are also indicated on the prize draw form. Processing for advertising purposes is carried out on the basis of your consent (Art. 6(1)(a) GDPR). Please also note the privacy information on the subject of newsletters for this purpose.
You may withdraw your consent at any time by addressing your withdrawal to the controller (the prize draw organiser). The lawfulness of the data processing operations already carried out remains unaffected by the withdrawal, as the withdrawal only has effect for the future.
Further Recipients of Your Data
We never disclose your data to unauthorised third parties. Disclosure takes place only if this is necessary for handling the prize draw or if you have explicitly consented to the disclosure.
Processors
For the delivery of physical prizes, we work with our logistics partner (Arvato Distribution GmbH, An der Autobahn 22, 33333 Gütersloh). In some cases, other processors support us on an event-specific basis in carrying out the prize draw and process personal data in accordance with our instructions.
Shipping Service Providers
For the delivery of a prize, we disclose your data to a shipping service provider where this is necessary. In individual cases, these may include Deutsche Post, DHL, TNT, Hermes, UPS or GLS, for example.
Cooperation Partners
In some cases, we work with cooperation partners in the context of prize draws; this is clearly indicated in the respective prize draw. In some cases, a cooperation partner dispatches the prize; this is carried out either on the basis of a data processing agreement or your consent.
Affiliated Companies
Disclosure within the group of companies may be necessary. If Franckh-Kosmos Verlags-GmbH is the organiser of the prize draw, your data will generally be disclosed to Kosmos & You GmbH for delivery. If Kosmos & You GmbH is the organiser, your data will be disclosed to Franckh-Kosmos GmbH in the context of administrative activities.
Provision of Personal Data
Please note that participation in the prize draw, in particular delivery of the prize, is generally possible only if you provide us with the data required for participation in the respective prize draw.
Transfer to Unsafe Third Countries
We generally process your personal data within Germany, the European Union and safe third countries.
Storage Period
We delete the data collected in the prize draw no later than four weeks after completion (determination of the winner) of the prize draw, unless expressly stated otherwise for the respective prize draw. Depending on the type of prize, the data of winners may be retained for eight years due to statutory retention periods pursuant to Section 257 HGB and Section 147 AO. If you have given us your consent for further purposes, we process your personal data until you withdraw your consent.
Supplement for Prize Draws on Social Media
On our social media presences, we occasionally conduct prize draws in which commenting on a post or another type of interaction with one of our social media presences is required for participation. If we conduct a prize draw on a social network, we generally process the following data (unless expressly stated otherwise in the prize draw):
- Public profile information including user name
- Comment submitted (text & image) or other type of interaction
The legal basis is generally Art. 6(1)(b) GDPR. The processing is carried out on the basis of the terms and conditions of participation and includes checking whether a participant is eligible to participate, determining and notifying the winners, and delivering the prize. The winner will be notified by the means specified in the context of the prize draw. Winners are generally contacted by direct message or by e-mail, although this may vary depending on the type and design of the prize draw.
Please note that we have no or only very limited influence on the actual deletion of data in social networks. To exercise your rights vis-à-vis a provider of social networks, please contact the provider’s data protection contact.
22. Social Media Presences
We maintain publicly accessible profiles on social networks. The individual social networks used by us are listed below.
Social networks such as Facebook, Twitter, etc. can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal may assign this visit to your user account. Under certain circumstances, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, such data collection is carried out, for example, by means of cookies stored on your end device or by collecting your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising may be displayed to you within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising may be displayed on all devices on which you are or were logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policies of the respective social media portals.
Legal Basis
Our social media presences are intended to ensure the broadest possible presence on the internet. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6(1)(a) GDPR).
Controller and Exercise of Rights
If you visit one of our social media presences (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by this visit. You may generally exercise your rights (access, rectification, erasure, restriction of processing, data portability and complaint) both vis-à-vis us and vis-à-vis the operator of the respective social media portal (e.g. Facebook).
Please note that, despite joint controllership with the social media portal operators, we do not have full influence over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
Storage Period
The data collected directly by us via the social media presence is deleted from our systems as soon as you request deletion, withdraw your consent to storage or the purpose for storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions, in particular retention periods, remain unaffected.
We have no influence over the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).
Individual Social Networks
Facebook
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Meta”). According to Meta, the data collected is also transferred to the USA and other third countries. We have concluded an agreement with Meta on joint processing (Controller Addendum). This agreement determines which data processing operations we or Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
The transfer of data to the USA is based on the European Commission’s standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. Details can be found in Facebook’s Privacy Policy: https://www.facebook.com/about/privacy/.
Instagram
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The transfer of data to the USA is based on the European Commission’s standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. Details on how they handle your personal data can be found in Instagram’s Privacy Policy: https://help.instagram.com/519522125107875.
X
We use the short message service X. The provider is X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2. You can adjust your Twitter privacy settings yourself in your user account. To do so, click on the following link and log in: https://twitter.com/personalization. Details can be found in Twitter’s Privacy Policy: https://twitter.com/de/privacy.
Pinterest
The operator is Pinterest Inc., 1008 Brannan Street, San Francisco, CA 94103-490, USA (“Pinterest”). Details on how it handles your personal data can be found in Pinterest’s Privacy Policy: https://policy.pinterest.com/de/privacy-policy.
Google / YouTube
The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in: https://adssettings.google.com/authenticated. Details can be found in Google’s Privacy Policy: https://policies.google.com/privacy.
SproutVideo
The operator is SproutVideo, 33 Nassau Ave #90, Brooklyn, NY 112222 (“SproutVideo”). Details on how it handles your personal data can be found in SproutVideo’s Privacy Policy: https://sproutvideo.com/privacy.
XING
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. Details on how it handles your personal data can be found in XING’s Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.
LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Details on how it handles your personal data can be found in LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy.
23. Supplementary Privacy Information for Our Business Partners
Categories of Data and Purposes of Processing
We process personal data of our service providers and partners that we receive directly in the context of our business relationship. If we have received data from you, we generally process it only for the purposes for which we received or collected it.
As a rule, we process the following categories of data relating to you:
- Last name, first name
- Address and/or business address
- Telecommunications data
- E-mail address
- Company
- Professional function and/or position
- Bank details / other payment information
- Data relating to the history of the business relationship
During the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or by one of our employees, further personal data is generated, e.g. information on contact channel, date, occasion and result; (electronic) copies of correspondence and information on participation in direct marketing measures.
In addition, we process personal data that we have lawfully obtained and are permitted to process from publicly accessible sources (e.g. commercial and association registers, press, media, internet).
Data processing for other purposes will only be considered if the legal requirements pursuant to Art. 6(4) GDPR that are necessary in this respect are met. We will of course observe any information obligations pursuant to Art. 13(3) GDPR and Art. 14(4) GDPR in such cases.
Legal Bases on Which We Process Your Data
On the basis of your consent (Art. 6(1)(a) GDPR)
We process personal data for one or more specific purposes if you have given us your consent to do so. If personal data is processed on the basis of consent given by you, you have the right to withdraw your consent from us at any time with effect for the future.
Data processing for the performance of contracts (Art. 6(1)(b) GDPR)
We process personal data for the performance of contracts. The performance of contracts includes, for example, the conclusion, execution and reversal of a contract. In addition, we process personal data that is necessary for taking steps prior to entering into a contract, for example for the initiation of a contract, and that is carried out at your request.
Data processing due to a legal obligation (Art. 6(1)(c) GDPR)
Like every company, we must comply with retention obligations and other documentation obligations; this may also involve documents containing personal information. Insofar as we process data for these purposes, the processing is carried out due to a legal obligation.
Data processing on the basis of a balancing of interests (Art. 6(1)(f) GDPR)
If we process data on the basis of a balancing of interests, you as the data subject have the right to object to the processing of personal data in accordance with the requirements of Art. 21 GDPR. Where the specific purpose permits, we process your data in pseudonymised or anonymised form.
Further Recipients of Your Data
Disclosure to Processors within the Framework of Art. 28 GDPR
Processors used by us (Art. 28 GDPR), in particular in the area of IT services and, for example, printing services, process your data on our behalf and in accordance with our instructions. If we commission service providers to fulfil our tasks, we always observe the data protection requirements; in particular, disclosure takes place only after conclusion of data processing agreements. We will be happy to inform you which processors we use.
For the Performance of a Contractual Relationship
If this is necessary for the performance of the contract with you, we disclose your data, for example, to our bank for processing payments or to shipping service providers, such as Deutsche Post, DHL, UPS, GLS, DPD or other providers engaged on an event-specific basis.
Disclosure Due to a Legal Obligation
Where a statutory or official obligation exists, we disclose your data to public bodies or institutions (authorities, for example in the context of criminal prosecution).
Other Bodies, if You Have Given Us Your Consent
Where explicit consent exists, we also disclose your data to other bodies. However, this is carried out within the limits of demonstrable consent given by you.
Information on Retention Periods for Personal Data
Principle of Purpose Limitation and Compliance with Statutory Retention Periods
We process the data for as long as this is necessary for the respective purpose. Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract.
In addition, like every company, we are obliged to comply with statutory retention periods, for example the periods arising from commercial and tax law. Where statutory retention obligations exist, the relevant personal data is stored for the duration of the retention obligation. The storage period is also determined by statutory limitation periods, which, for example, pursuant to Sections 195 et seq. of the German Civil Code (BGB), are generally three years but may in certain cases be up to thirty years. After expiry of the retention obligation, it is checked whether further processing is still necessary. If there is no longer any necessity, the data is deleted.
As a rule, such retention periods in the context of legal transactions (pursuant to Section 147 AO / Section 257 HGB / Section 14b UStG) are ten years, beginning with the year following the legal transaction.
Withdrawal of Your Consent
If we process your data on the basis of your consent (Art. 6(1)(a) GDPR), we delete it after your withdrawal. This does not apply where legitimate interests prevent complete deletion. For example, we generally retain declarations of consent for up to three years after receipt of your withdrawal in our legitimate interest (Art. 6(1)(f) GDPR). We retain the consent exclusively under restriction of processing in order to be able to defend ourselves in the event of a dispute.
Statutory or Contractual Obligation to Provide Personal Data
The provision of personal data is regularly necessary for the initiation, conclusion, execution and reversal of a contract. If you do not provide the required personal data, we will not be able to conclude and perform a contract with you.
Transfer to a Third Country
Your personal data is generally processed by us in data centres in the Federal Republic of Germany or the European Union. A transfer to a third country will only be considered if you have given us your consent or if we have concluded a data processing agreement pursuant to Art. 28 GDPR, taking into account suitable safeguards or other appropriate safeguards pursuant to Art. 44 et seq. GDPR.
24. Privacy Notices for Our Apps
The Privacy Notices for our KOSMOS apps can be found in the respective app. As a rule, you can access them in the relevant store before downloading the app.
June 2026


