Updated: 12 May 2020
Thank you for your interest in our website/our company.
Your trust is important to us! That is why we guarantee the greatest possible security and the protection of all personal data. Our data protection practices comply with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG n.f.) and the Telemedia Act (TMG).
Your contact for data protection
The data controller as defined in the GDPR, the data protection acts, as well as in the provisions of Member States of the European Union is:
Patrik & Bele Muff GbR
Competent supervisory authority in Bavaria:
Bayerischer Landesbeauftragter für den Datenschutz
Postfach 22 12 19, 80502 Munich
Tel.: 089 212672 – 0
Fax: 089 212672 – 50
a) Personal Data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). Identifiable refers to a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data Subject
The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
d) Restriction of Processing
Restriction of processing is the marking of personal data stored in order to limit its future processing.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller or person responsible for the processing
The data controller or the person responsible for processing means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller to be designated in accordance with Union law or the law of the Member States.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient means a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, authorities which may be entitled to receive personal data under Union law or the law of the Member States within the framework of a particular investigation mandate shall not be regarded as recipients.
j) Third Party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent is any statement of intent given voluntarily by the data subject in an informed and unambiguous manner, in the form of a statement or other unambiguous confirming act, by which the data subject indicates that they consent to the processing of their personal data.
2. General Data Collection / Processing
When you access our website, a series of general data and information from data subjects are collected. The data collected includes:
– Browser type and version
– Origin of the user when the page is accessed
– Date and time
– Internet provider
– Operating system
– Internet or service provider
– Other security data
This data and information are stored in the server’s log files. This process is used to provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber-attack and to ensure the permanent functionality of our information technology systems and the technology on our website. To achieve an optimal level of protection, in particular with regard to the processing of personal data, the data of the server log files is stored anonymously. After the communication process has ended, the data is evaluated for statistical purposes. Moreover, personal data (e.g. your name, your email address etc.) will only be transmitted if you expressly and knowingly provide us with such information for specific purposes. It will only be processed, stored and forwarded to the extent necessary for the respective purpose or where your consent exists.
4. Use of our Online Shop
If you would like to order from our online shop, it is necessary to enter your personal data or apply it from the existing customer account. We require the data you provide to process your order. The information required to process the order is marked separately; any additional information is optional.
a) Customer Account
If you are purchasing a product from Atelier Muff or are using a service for the first time, we will set up a password-protected customer account in which you can view and manage your master data and other data.
b) Duration of storage of your data
We are obligated by commercial and tax law to store your address, payment, and order data for a period of ten years. However, after two years we limit the processing of your data, that is, your data will only be used to comply with legal obligations.
c) Data Security
Credit card information is not stored but collected and processed directly by our payment service. We secure our website and other systems using technical and organisational measures against loss, destruction, access, modification or processing of your data by unauthorised persons. To prevent unauthorised access to your personal data by third parties, especially financial data, the order process is encrypted using TLS technology.
If you send us an email, this data will be saved. Insofar as this website affords any user the opportunity to enter personal or business information such as their e-mail address, name, postal address, or the like, such information and its appropriate processing to contact the data subject shall be deemed to have been provided voluntarily by such user. We will not disclose your personal information to third parties.
6. External Links
This website contains so-called “external links” to other websites, over whose contents and data collection the data controller of the website has no influence. For this reason, the data controller cannot accept any liability for the content and data collection of these websites.
7. Data Transfer
Your data will only be passed on to our employees or other service providers who support us with order processing in individual processing steps as part of the order process. This information will naturally not be passed on beyond that.
8. Storage duration of personal data
The storage duration of personal data depends on the respective retention period. After the deadline has expired, the data will be deleted, unless it serves consent, contract fulfilment or contract initiation.
9. Routine deletion and blocking of personal data
Personal data is only processed in the context of the intended use. The data controller processes and stores personal data of the data subject only for this period. The routine deletion or blocking of personal data takes place when the legal requirements regarding the retention period (storage period) and the storage purpose of the data controller no longer exist.
10. Rights of the data subject
Data subjects have the right to request confirmation from the data controller as to whether personal data relating to them is processed.
a) Right to information
According to the General Data Protection Regulation and the Federal Data Protection Act, you have the right to free information about your stored data.
- The purpose of the processing
- The categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- The existence of a right to correction or deletion of the personal data concerning you or of a restriction of the processing by the data controller or of a right to object to such processing
- The right to lodge a complaint with a supervisory authority
- If the personal data is not collected from the data subject: any available information about the origin of the data
- The existence of any automated decision-making processes, including profiling, as defined in Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing for the data subject
b) Right to rectification
The data subject has the right to request that the data controller correct any incorrect personal data. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
c) Right to erasure (‘Right to be forgotten’)
The data subject has the right to ask the data controller to immediately delete the personal data concerned if:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws the consent on which the processing referred to in Article 6 para. 1 letter a or Article 9 para. 2 letter a was based and there is no other legal basis for processing.
- The data subject objects to the processing in accordance with Article 21 para. 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21 para. 2.
- The personal data has been unlawfully processed.
- The personal data must be deleted in compliance with the obligations under European Union or Member State law to which the data controller is subject.
- The personal data has been collected in relation to information society services provided in accordance with Article 8 para 1 GDPR.
If the reasons given above apply, one of our employees will comply with the request to delete the personal data. The data controller will take appropriate measures (also of a technical nature) within the scope and taking into account the available technical measures. Other data controllers (data processing by third parties) will also be informed of the deletion.
d) Right to restriction of processing
The data subject shall have the right to require the data controller to restrict processing if one of the following conditions is met:
- the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data,
- the processing is unlawful, and the data subject refuses to delete the personal data and instead requests a restriction on the use of the personal data;
- the data controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims, or
- the data subject has lodged an objection to the processing referred to in Article 21 para. 1, pending determination of whether the legitimate grounds of the data controller prevail over those of the data subject.
If the above conditions are met, an employee may then restrict the processing.
e) The right to data portability
The data subject has the right to receive the personal data concerning him/her which he/she has provided to a data controller in a structured, current and machine-readable format and to transmit this data to another data controller without interference by the data controller to whom the personal data has been provided, provided that:
- the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a or on the basis of a contract pursuant to Article 6 paragraph 1 letter b and
- the processing is carried out using automated procedures.
In exercising his/her right to data portability, the data subject shall have the right to have the personal data transferred directly by a data controller to another data controller, where technically feasible. The data subject can contact one of our employees regarding data portability.
f) Right to object
The data subject shall have the right to object at any time to the processing of personal data relating to him/her on the basis of Article 6 para. 1 letters e or f for reasons arising from his/her particular situation, including profiling based on those provisions.
The data controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject, or the processing is for the purpose of enforcing, pursuing or defending legal claims.
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him/her for the purposes of such advertising, including profiling in so far as it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
The data subject must be expressly informed of the aforementioned right at the latest at the time of the first communication with him/her; this information must be provided in an intelligible form separate from other information.
In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his/her right to object by means of automated procedures using technical specifications.
The data subject shall have the right to object to the processing of personal data relating to him/her for scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1 for reasons arising from his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.
g) Automated decisions on a case-by-case basis, including profiling
Every data subject has the right not to be subjected to a decision based solely on automated processing – including profiling – that has legal bearing on him/her or that significantly affects him/her in a similar manner. This does not apply if the decision:
- is necessary for entering into, or for the performance of, a contract between the data subject and a data controller,
- is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the rights and freedoms of the data subject and legitimate interests or
- is made with the express consent of the data subject.
If you wish to assert rights relating to automated decisions, you can contact one of our employees.
11. Lawfulness of data processing
For us, the legal basis for the lawful processing of personal data may arise from the consent of the data subject.
This may also be based on the fact that the processing is necessary for the fulfilment of a contract to which the data subject is party or in order to fulfil contractual requirements at the request of the data subject prior to entering into a contract.
In rare cases, legality may arise if the processing is necessary to fulfil a legal obligation to which the controller is subject.
Moreover, the processing is permitted to protect the vital interests of the data subject or another natural person.
Personal data may also be processed if it is necessary to safeguard the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh them.
12. Changes to our privacy policies
13. Data protection for the use of Facebook
We use Facebook technologies on our website. Facebook.com is a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. In the EU, this service is also operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, hereinafter both referred to as “Facebook.”
It is certified according to the EU-US Privacy Shield.
Facebook guarantees that it will follow the EU’s data protection regulations when processing data in the United States.
Our legal basis relates to Art. 6 para. 1 lit. f) GDPR due to the quality improvement of our website. Further information about the assignment of personal data and the transfer of information via plug-ins and their respective functions is available from Facebook at:
If the plug-in is in use or you have the Facebook page open at the same time, data will be collected from you. This affects the pages you visit and our website. It is therefore necessary for technical reasons that Facebook processes your IP address and the type and duration (including date and time) of your stay.
Facebook collects information and assigns the personal data to your user account. Another option for data collection and processing is the “Like” button. By using the “Like” button, data may be published on the Facebook platform.
To prevent data from being collected when you visit our website, you must prevent the use of add-ons and Facebook plug-ins in your Internet browser and must not be logged into Facebook or use any Facebook applications.
14. Data protection for the use of Instagram
To advertise our products and services as well as to communicate with interested parties or customers, we have a presence on the Instagram platform.
On this social media platform, we are jointly responsible with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.
The data protection officer of Instagram can be reached via this contact form:
We have defined the joint responsibility in an agreement regarding the respective obligations within the meaning of the GDPR. This agreement, which sets out the reciprocal obligations, is available at the following link:
The legal basis for the processing of the resulting and subsequently disclosed personal data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, communication, sales, and promotion of our products and services.
The legal basis may also be your consent per Art. 6 para. 1 lit. a) GDPR granted to the platform operator. Per Art. 7 para. 3 GDPR, you may revoke this consent with the platform operator at any time with future effect.
When accessing our online presence on the Instagram platform, Facebook Ireland Ltd. as the operator of the platform in the EU will process your data (e.g. personal information, IP address, etc.).
This data of the user is used for statistical information on the use of our company presence on Instagram. Facebook Ireland Ltd. uses this data for market research and advertising purposes as well as for the creation of user profiles. Based on these profiles, Facebook Ireland Ltd. can provide advertising both within and outside of Instagram based on your interests. If you are logged into Instagram at the time you access our site, Facebook Ireland Ltd. will also link this data to your user account.
If you contact us via Instagram, the personal data you provide at that time will be used to process the request. We will delete this data once we have completely responded to your query, unless there are legal obligations to retain the data, such as for subsequent fulfilment of contracts.
Facebook Ireland Ltd. might also set cookies when processing your data.
If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Cookies that have already been saved can also be deleted at any time. The instructions to do this depend on the browser and system being used. For Flash cookies, the processing cannot be prevented by the settings in your browser, but instead by making the appropriate settings in your Flash player. If you prevent or restrict the installation of cookies, not all of the functions of Facebook may be fully usable.
It cannot be excluded that the processing by Facebook Ireland Ltd. will also take place in the United States by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025.
Facebook Inc. has submitted to the EU-US Privacy Shield, thereby complying with the data protection requirements of the EU when processing data in the USA.
15. User account & registration
If you have set up a user account on this page, the information you provide will be saved for the duration of the usage relationship. With regard to the required mandatory information, we refer to the pre-contractual or contractual fulfilment for the purpose of customer care. For this, we store the IP address and time. This data will not be transferred to any third party.
During the registration process, consent to the processing is obtained.
If you purchase a product from Atelier Muff, we will set up a password-protected direct online access to your master data stored in our customer account. You can view and, if necessary, manage the following data in your customer account:
- Current news (e.g. current information about new versions, new products, update reports, downloads)
- User data (title, name, email address, telephone, fax, preferred language, change of password, …)
- Company data (customer number, company name, company type, telephone, fax, email address, website, VAT ID number, address, …)
- Manage users (overview of company users, admin rights assignment)
- Authorization files (option to download all authorization files of the company)
- Purchased products (overview of purchased products with assignment)
- Offers (overview of offers received, PDF download, accessible only for users with admin rights)
- Invoices (overview of invoices received and PDF download)
- Vouchers (overview of vouchers received, expiry date, amount, status, redemption date)
b) Closing the customer account
If you as a customer do not want a password-protected customer account, you can of course close it at any time. Please send us a request in text form (e.g. email, fax, letter) to our contact address.
c) Data Security
Access to your customer account is only possible after entering your personal password. You should keep your access information confidential and close the browser window when you have finished your session with us, especially if you share your computer with others.
In order to prevent unauthorized access by third parties to your personal data, the connection is encrypted using TLS technology.
The legal basis is Art. 6 para. 1 lit. a) GDPR.
You may revoke your prior consent to receive this newsletter under Art. 7 para. 3 GDPR with future effect. All you have to do is inform us that you are revoking your consent or click on the unsubscribe link contained in each newsletter.
17. Google Fonts
We use Google Fonts on our website to display external fonts. This is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google).
Through certification according to the EU-US Privacy Shield, Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. To enable the display of certain fonts on our website, a connection to the Google server in the USA is established whenever our website is accessed.
The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our site.
When you access our site, a connection to Google is established from which Google can identify the site from which your request has been sent and to which IP address the fonts are being transmitted for display.
Google offers detailed information at
in particular on options for preventing the use of data.
18. Data protection for the use of Google Analytics
We use Google Analytics on our website. This is a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google).
Through certification according to the EU-US Privacy Shield, Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. The Google Analytics service is used to analyse how our website is used. The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimization, and economic operation of our site.
Usage and user-related information, such as IP address, place, time, or frequency of your visits to our website will be transmitted to a Google server in the United States and stored there. However, we use Google Analytics with the so-called anonymization function, whereby Google truncates the IP address within the EU or the EEA before it is transmitted to the US.
The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and what visitors do once there. This data can also be used to provide other services related to the use of our website and of the Internet in general.
Google states that it will not connect your IP address to other data. In addition, Google provides further information with regard to its data protection practices at
including options you can exercise to prevent such use of your data.
In addition, at
For directions on our site, we use OpenStreetMap, a service of the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom, hereinafter referred to as “OpenStreetMap”.
When you access one of our Internet pages that includes the OpenStreetMap service, OpenStreetMap stores a cookie on your terminal device via your browser. This processes your user settings and user data for the purpose of displaying the page or guaranteeing the functionality of the OpenStreetMap service. Through this processing, OpenStreetMap can recognize the website from which your request has been sent and to which IP address the directions should be transmitted.
The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our site.
If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Further details can be found in the section about cookies above.
OpenStreetMap offers further information about its data collection and processing as well as your rights and your options for protecting your privacy at:
20. Application and use of PayPal
The data controller has integrated components from PayPal on this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. In addition, PayPal provides the option of processing virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also acts as a trustee and provides buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
If the data subject selects “PayPal” as a payment option during the order process in our online shop, data of the data subject will be automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transfer of personal data required for payment processing.
The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data required for payment processing. Personal data in connection with the order in question are also necessary to process the purchase contract.
The purpose of this data transfer is to process payments and prevent fraud. The data controller will transfer personal data to Novalnet AG in particular if there is a legitimate interest for the transfer. Personal data exchanged between PayPal and the controller may be transferred by PayPal to credit reference agencies. The purpose of this transfer is to verify identity and creditworthiness.
21. Application and use of Stripe
If you choose a method of payment from the payment service provider Stripe, payment is processed by the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on information about the order (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) within the framework of the order process in accordance with Art. 6, para. 1 lit. b) GDPR.
The data of the person concerned will only be passed on for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only insofar as it is necessary for this. You can find more information on Stripe’s data protection at the URL