Updated: 01.09.2024

Thank you for your interest in our website/our company.

Your trust is important to us! That is why we guarantee the greatest possible security and the protection of all personal data. Our data protection practices comply with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG n.f.) and the Telemedia Act (TMG).

Your contact for data protection

The data controller as defined in the GDPR, the data protection acts, as well as in the provisions of Member States of the European Union is:

Atelier Muff
Patrik & Bele Muff GbR
Am Kosttor 2
80331 München
Deutschland

anfrage@patrikmuff.com

Competent supervisory authority in Bavaria:
Bayerischer Landesbeauftragter für den Datenschutz
Postfach 22 12 19, 80502 Munich
Wagmüllerstraße 18
80538 Munich

Tel.: 089 212672 – 0
Fax: 089 212672 – 50
Email: poststelle@datenschutz-bayern.de

1. Definitions

To ensure simple and comprehensable readability of our privacy policy, we would like to explain the terms according to GDPR Art. 4 in advance.

a) Personal Data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). Identifiable refers to a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data Subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

c) Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

d) Restriction of Processing

Restriction of processing is the marking of personal data stored in order to limit its future processing.

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g) Controller or person responsible for the processing

The data controller or the person responsible for processing means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller to be designated in accordance with Union law or the law of the Member States.

h) Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

The recipient means a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, authorities which may be entitled to receive personal data under Union law or the law of the Member States within the framework of a particular investigation mandate shall not be regarded as recipients.

j) Third Party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent

Consent is any statement of intent voluntarily and unambiguously given by the data subject in an informed and unambiguous manner in the form of a statement or other unambiguous confirming act that indicates to the data subject that they have consented to the processing of their personal data.

2. General Data Collection / Processing

When you access our website, a series of general data and information from data subjects are collected. The data collected includes:

– Browser type and version
– Origin of the user when the page is accessed
– Date and time
– Internet provider
– Operating system
– Internet or service provider
– Other security data

This data and information are stored in the server’s log files. This process is used to provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber-attack and to ensure the permanent functionality of our information technology systems and the technology on our website. To achieve an optimal level of protection, in particular, with regard to ensure the processing personal data, the data of the server log files is stored anonymously. After the communication process has ended, the data is evaluated for statistical purposes. Moreover, personal data (e.g. your name, your email address etc.) will only be transmitted if you expressly and knowingly provide us with such information for specific purposes. It will only be processed, stored and forwarded to the extent necessary for the respective purpose or your consent exists.

3. Cookies

This website uses cookies. Cookies are small text information that are stored as a file in your terminal via your browser. Cookies are not fundamentally disadvantageous but allow the website operator to provide a more user-friendly service. Cookies can be used to clearly recognize and identify users.

Of course, you as the data subject can also view our website without cookies. Internet browsers are normally configured to accept cookies. Alternatively, you can also use software that deletes cookies. You can disable or reject the use of cookies at any time via your browser settings. Please refer to your Internet browser’s help feature to learn how you can change these settings. Please note that some of our website features may not work if you have disabled the use of cookies.

4. Email

If you send us an email, this data will be saved. Insofar as this website affords any user the opportunity to enter personal or business information such as their e-mail address, name, postal address, or the like, such information and its appropriate processing to contact the data subject shall be deemed to have been provided voluntarily by such user. We will not disclose your personal information to third parties.

5. External Links

This website contains so-called “external links” to other websites, upon whose contents and for any data collection the data controller of the website has no influence. For this reason, the data controller cannot accept any liability for the content and data collection of these websites.

6. Data Transfer

Your data will only be passed on to our employees or other service providers who support us with order processing in individual processing steps as part of the order process. This information will naturally not be passed on beyond that.

7. Storage duration of personal data

The storage duration of personal data depends on the respective retention period. After the deadline has expired, the data will be deleted, unless it serves consent, contract fulfilment or contract initiation.

8. Routine deletion and blocking of personal data

Personal data is only processed in the context of the intended use. The data controller processes and stores personal data of the data subject only for this period. The routine deletion or blocking of personal data takes place when the legal requirements regarding the retention period (storage period) and the storage purpose of the data controller no longer exist.

9. Rights of the data subject

Data subjects have the right to request confirmation from the data controller as to whether personal data relating to you is processed.

a) Right to information

According to the General Data Protection Regulation and the Federal Data Protection Act, you have the right to free information about your stored data.

• The purpose of the processing
• The categories of personal data that are processed
• The recipients or categories of recipients to whom the personal data has been or will be disclosed,in particular recipients in third countries or international organisations
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• The existence of a right to correction or deletion of the personal data concerning you or of a restriction of the processing by the data controller or of a right to object to such processing
• The right to lodge a complaint with a supervisory authority if the personal data is not collected from the data subject: any available information about the origin of the data
• The existence of any automated decision-making processes, including profiling, as defined in Art. 22 para.1 and 4, GDPR and — at least in these cases — meaningful information on the logic involved and the scope and intended effects of such processing for the data subject

b) Right to rectification

The data subject has the right to request that the data controller correct any incorrect personal data. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

c) Right to erasure (‘Right to be forgotten’)

The data subject has the right to ask the data controller to immediately delete the personal data concerned if:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• The data subject shall withdraw the consent on which the processing referred to in Article 6 para. 1 letter a or Article 9 para. 2 letter a was based and there is no other legal basis for processing.
• The data subject shall oppose processing in accordance with Article 21 para. 1 and there are no overriding legitimate grounds for processing or the data subject shall oppose processing in accordance with Article 21 para 2.
• The personal data has been unlawfully processed.
• The personal data must be deleted in compliance with the obligations under European Union or Member State law to which the data controller is subject.
• The personal data has been collected in relation to information society services provided in accordance with Article 8 para 1 GDPR.

If the reasons given above apply, one of our employees will comply with the request to delete the personal data. The data controller will take appropriate measures (also of a technical nature) within the scope and taking into account the available technical measures. Other data controllers (data processing by third parties) will also be informed of the deletion.

d) Right to restriction of processing

The data subject shall have the right to require the data controller to restrict processing if one of the following conditions is met:

• the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data,
• the processing is unlawful, and the data subject refuses to delete the personal data and instead requests a restriction on the use of the personal data;
• the data controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims, or
• the data subject has lodged an objection to the processing referred to in Article 21 para. 1, pending determination of whether the legitimate grounds of the data controller prevail over those of the data subject.

If the above conditions are met, an employee may then restrict the processing restricted.

e) The right to data portability

The data subject has the right to receive the personal data concerning him/her which he/she has provided to a data controller in a structured, current and machine-readable format and to transmit this data to another data controller without interference by the data controller to whom the personal data has been provided, provided that:

• the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a or on the basis of a contract pursuant to Article 6 paragraph 1 letter b and
• the processing is carried out using automated procedures.

In exercising his/her right to data transferability, the data subject shall have the right to have the personal data transferred directly by a data controller to another data controller, where technically feasible. The data subject can contact one of our employees regarding data portability.

f) Right to object

The data subject shall have the right to object at any time to the processing of personal data relating to him/her on the basis of Article 6 para. 1 letters e or f for reasons arising from his/her particular situation, including profiling based on those provisions.

The data controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject, or the processing is for the purpose of enforcing, pursuing or defending legal claims.

Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him/her for the purposes of such advertising, including profiling in so far as it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

The data subject must be expressly informed of the aforementioned right at the latest at the time of the first communication with him/her; this information must be provided in an intelligible form separate from other information.

In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his right of opposition by means of automated procedures using technical specifications.

The data subject shall have the right to object to the processing of personal data relating to him/her for scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1 for reasons arising from his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.

g) Automated decisions on a case-by-case basis, including profiling

Every data subject has the right not to be subjected to a decision based solely on automated processing – including profiling – that has legal bearing on him/her or that significantly affects him/her in a similar manner. This does not apply if the decision:

• is necessary for entering into, or for the performance of, a contract between the data subject and a data controller,
• is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the rights and freedoms of the data subject and legitimate interests or
• is made with the express consent of the data subject.

If you wish to assert rights relating to automated decisions, you can contact one of our employees.

10. Lawfulness of data processing

For us, the legal basis for the lawful processing of personal data may arise from the consent of the data subject.

This may also be based on the fact that the processing is necessary for the fulfilment of a contract to which the data subject is party or in order to fulfil contractual requirements at the request of the data subject prior to entering into a contract.

In rare cases, legality may arise if the processing is necessary to fulfil a legal obligation to which the controller is subject.

Moreover, the processing is permitted to protect the vital interests of the data subject or another natural person.

Personal data may also be processed if it is necessary to safeguard the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh them.

11. Changes to our privacy policies

We reserve the right to modify this privacy policy so that it always meets the current legal requirements or to include changes to our services in the privacy policy, such as the introduction of new services. Any subsequent website access will then be subject to the terms of the new privacy policy.

12. Data protection for the use of Instagram

To advertise our products and services as well as to communicate with interested parties or customers, we have a presence on the Instagram platform.

On this social media platform, we are jointly responsible with Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.

The data protection officer of Instagram can be reached via this contact form:

https://www.facebook.com/help/contact/540977946302970

We have defined the joint responsibility in an agreement regarding the respective obligations within the meaning of the GDPR. This agreement, which sets out the reciprocal obligations, is available at the following link:

https://www.facebook.com/legal/terms/page_controller_addendum

The legal basis for the processing of the resulting and subsequently disclosed personal data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, communication, sales, and promotion of our products and services.

The legal basis may also be your consent per Art. 6 para. 1 lit. a) GDPR granted to the platform operator. Per Art. 7 para. 3 GDPR, you may revoke this consent with the platform operator at any time with future effect.

When accessing our online presence on the Instagram platform, Facebook Ireland Ltd. as the operator of the platform in the EU will process your data (e.g. personal information, IP address, etc.).

This data of the user is used for statistical information on the use of our company presence on Instagram. Meta Platforms Ireland Ltd. uses this data for market research and advertising purposes as well as for the creation of user profiles. Based on these profiles, Meta Platforms Ireland Ltd. can provide advertising both within and outside of Instagram based on your interests. If you are logged into Instagram at the time you access our site, Meta Platforms Ireland Ltd. will also link this data to your user account.

If you contact us via Instagram, the personal data your provide at that time will be used to process the request. We will delete this data once we have completely responded to your query, unless there are legal obligations to retain the data, such as for subsequent fulfilment of contracts.

Meta Platforms Ireland Ltd. might also set cookies when processing your data.

If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Cookies that have already been saved can also be deleted at any time. The instructions to do this depend on the browser and system being used. For Flash cookies, the processing cannot be prevented by the settings in your browser, but instead by making the appropriate settings in your Flash player. If you prevent or restrict the installation of cookies, not all of the functions of Facebook may be fully usable.

Details on the processing activities, their suppression, and the deletion of the data processed by Instagram can be found in its privacy policy:

https://help.instagram.com/519522125107875

It cannot be excluded that the processing by Meta Platforms Ireland Ltd. will also take place in the United States by Meta Platforms Ireland Ltd., 1601 Willow Road, Menlo Park, California 94025.

Meta Platforms Ireland Ltd. has submitted to the EU-US Privacy Shield, thereby complying with the data protection requirements of the EU when processing data in the USA.

https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active

13. Newsletter

If you register for our free newsletter, the data requested from you for this purpose, i.e. your email address and, optionally, your name and address, will be sent to us. We also store the IP address of your computer and the date and time of your registration. During the registration process, we will obtain your consent to receive this newsletter and the type of content it will offer, with reference made to this privacy policy. The data collected will be used exclusively to send the newsletter and will not be passed on to third parties.

The legal basis is Art. 6 para. 1 lit. a) GDPR.

You may revoke your prior consent to receive this newsletter under Art. 7 para. 3 GDPR with future effect. All you have to do is inform us that you are revoking your consent or click on the unsubscribe link contained in each newsletter.