Data protection

Affected persons

This statement is addressed to all persons who are visitors to the website of the person responsible to which this data protection information is linked. All personal names refer to all genders and the associated forms of language, in particular diverse, feminine, masculine. Each personal name must be understood with the addition “(m/w/d)”.

Responsible

The person responsible for the processing described here is: kfzteile24 GmbH, Am Treptower Park 28-30, 12435 Berlin, phone: 030 40 50400, e-mail: info@kfzteile24.de, represented by the management: Markus Winter (CEO), Matthias Gossenz (COO), Just Beyer (CCO), Sebastian Bourmer (CFO).

Rights of data subjects and other information

(1) Data subjects have the following rights with regard to the data stored about them: The right to information, the right to correct incorrect data, the right to delete data for which there is no longer a reason for storage, to restrict processing and to data portability. They also have the right to complain to the supervisory authority responsible for the person responsible.

(2) Insofar as processing is based on the consent of the data subject, the data subjects may withdraw their consent at any time and with effect for the future; for example by sending an informal message to one of the above contact channels (responsible person).

(3) Insofar as processing is based on the fulfilment of a legitimate interest, i.e. on Article 6 paragraph 1 sentence 1 lit. f GDPR, data subjects may object to processing at any time; for example by sending an informal message to one of the above-mentioned contact channels (responsible person). If the objection is justified, processing will be terminated. If the legitimate interest lies in direct marketing, the objection is always justified.

(4) Automated decision-making, including profiling, does not take place.

(5) A legal obligation to process only exists if reference is made to Article 6 paragraph 1 sentence 1 lit. c GDPR below.

(6) If data processing is described below, this does not mean that the persons concerned have any kind of claim to the associated actions (e.g. media recordings, reviews). The claims of the person concerned arise from paragraphs 1 to 3 of this section. The data processing procedures described below only describe possible courses of action, but they do not apply to all data subjects.

Transfer to countries outside the European Union

(1) If personal data is transferred to bodies outside the European Union, the person responsible must provide additional protection guarantees in accordance with Article 44 et seq. of the GDPR.

(2) If the person responsible invokes a so-called adequacy decision in the following data protection declaration, this means that the receiving body is based in a country, region or specific sector for which the EU Commission has decided that it offers an adequate level of data protection. The guarantee then follows from Article 45 GDPR.

(3) If the person responsible invokes the so-called EU standard contractual clauses in the following data protection declaration, this means that the receiving body has contractually committed itself to respecting the EU data protection principles and does so on the basis of the so-called EU standard contractual clauses. The guarantee then follows from Article 46 GDPR.

(4) If the person responsible refers to so-called binding, internal data protection regulations in the following data protection declaration, this means that the competent supervisory authority has approved the transfer. The guarantee then follows from Article 47 GDPR.

(5) If the person responsible in the following privacy policy claims that the data subjects have expressly consented to the transfer to a country outside the European Union, this means that they nevertheless agree to the transfer, knowing all associated risks. The guarantee then follows from Article 49 paragraph 1 lit. a GDPR. Any risk warnings can be found in the glossary.

Expected standard data processing

Informational use:

Presentation of the website

Those affected initially use the website for informational purposes, i.e. they access the website without actively interacting with it. To the extent technically necessary to display the website, the person responsible collects the following data from the data subject: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred, website from which the request comes, browser, operating system and its interface, language and version of the browser software. The purpose is to present the website. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest results from the purpose mentioned above.

Assertion of rights

If the person concerned assert their rights under the GDPR or other legal regulations, the person responsible processes the data to verify and, if necessary, fulfill these claims. The purpose is to fulfill a legal obligation. The legal basis is Article 6 paragraph 1 sentence lit. c GDPR in conjunction with the standard from which the legal obligation results.

Conflicts in the usage relationship

In the event of a legal conflict between the person concerned and the person responsible, the data will be processed in order to provide appropriate explanations and, if necessary, to obtain external legal advice. The following data is processed here: Name, contact details, all processes related to the legal conflict. The purpose of processing is to exercise external legal advice/support and to exercise the controller's own rights. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purposes. Insofar as data is processed externally, this does not constitute order processing (see DSK short paper 13), but a transfer of data, which in turn is justified by Article 6 paragraph 1 sentence 1 lit. f GDPR. It is therefore a case of other outsourcing.

Deletion:

After expiry of the storage periods (see “After the end of the active contractual relationship” below), the data will be deleted. The purpose of the deletion is to fulfill a legal obligation and is based on Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 5 paragraph 1 lit. a, e GDPR.

After the end of use

Storage in accordance with German law

(1) After the end of use of the website, all of the above data that is still stored will be stored. With regard to storage, the purpose and legal basis are set out in the list of storage periods below (paragraph 2)

(2) The following storage periods apply: a. Retention period 1: Data that is created when the data subject assert data protection claims against the person responsible is kept for three years, starting on December 31 of the calendar year in which the person responsible reacts to this. The processing serves to protect the interest in defending oneself against claims and is based on Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199 paragraph 1 BGB) and, in addition, from the statute of limitations under administrative offense law (Section 31 paragraph 2 number 1 OWiG in conjunction with Article 83 GDPR). b. Retention period 2: Data that arise when the persons concerned assert other claims against the person responsible will be kept for three years, beginning with December 31 of the calendar year in which the person responsible reacts to this. The processing serves to protect the interest in defending oneself against claims and is based on Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purpose. The duration of the legitimate interest follows from the statute of limitations for claims for damages (Sections 195, 199 paragraph 1 BGB). c. Retention period 3: Data based on consent must be kept until consent is withdrawn or until the purpose associated with the processing ceases to exist, whichever is earlier. Storage serves the purpose associated with consent and is based on Article 6 paragraph 1 sentence 1 lit. a DSGVO. d. Retention period 4: Data that proves the granting of consent must be kept for 3 years, starting from the time of withdrawal of consent or the purpose ceases to exist, whichever comes earlier. The processing serves to protect the interest in defending oneself against claims and is based on Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purpose. The duration of the legitimate interest follows from the statute of limitations of administrative offenses law (Section 31 paragraph 2 number 1 OWiG in conjunction with Article 83 GDPR).

Deleting data

After the retention periods have expired, the data is deleted. The purpose of the deletion is to fulfill a legal obligation and is based on Article 6 paragraph 1 sentence 1 lit. c DSGVO in conjunction with Article 5 paragraph 1 lit. a, e GDPR.

Exceptional computing

external web hosting

The person responsible uses an external web host, which presents the website and processes the technically necessary data for this purpose. In doing so, it processes the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. The purpose is to present the website. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purpose.

Content delivery network (CDN)

The person responsible uses a content delivery network (CDN for short) to expedite the provision of the website. In doing so, it processes the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. The purpose is to present the website. The legal basis is Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above purpose.

Cookie consent

The person responsible gives the person concerned the choice of whether they agree to the use of cookies and uses a cookie consent tool for this purpose. In doing so, it processes the following data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software, status of consent, date of consent. The purpose is to fulfill a legal obligation. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR in conjunction with Article 7 paragraph 1 GDPR.

form

The person responsible provides a form tool on the website. In this way, communication takes place between data subjects and the person responsible, in which the submissions of the data subjects are documented and transmitted to the responsible persons. The following data is processed here: Data about the content, type and scope of entries in the respective form. The purpose is to initiate and/or execute contracts. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Download the catalog

On the website, the person responsible allows catalogues to be downloaded (partly free of charge, partly for a fee), for example in PDF format. The following data is processed here: time of download, email address, if applicable. The purpose is to initiate and/or execute contracts. The legal basis is Article 6 paragraph 1 sentence 1 lit. b GDPR.

Email automation and advertising via email (legitimate interest)

The person responsible receives data on the website, which it processes for automated communication; both in (1) contractual and (2) commercial terms. In doing so, it processes the following data. Name, email addresses, tags (which indicate certain characteristics, e.g. existing customers, interested parties, etc.), communication data, reading behavior information (time of opening the email, status of the response). The purpose (1) is the initiation and/or execution of contracts and purpose (2) advertising, direct marketing. The legal basis for purpose (1) is Article 6 paragraph 1 sentence 1 lit. b GDPR. The legal basis for purpose (2) is Article 6 paragraph 1 sentence 1 lit. f GDPR, where the legitimate interest follows from the above-mentioned purpose (2).

Analysis of usage behavior

So-called cookies are used to analyze the user behavior of those affected on this website. These are text files that are stored on the computer of the person concerned and which enable an analysis of the use of the website. Information about usage behavior is used to generate reports on activities and interactions. The local responsible person uses this data to be able to regularly improve the user experience on the website. Using the statistics obtained, it can also improve its offering in order to focus the interest of those affected in a more targeted manner on products and services that are suitable for them. Further details can be found below in the information about the third parties. The following data is processed: cookie-based data about interactions (in. order of interactions, length of stay). Further details can be found below in the information about the third parties. The purpose is to optimize this website and to improve the advertising of those affected. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Newsletter subscription

(1) The person responsible enables the person concerned to sign up for a newsletter on the website.

(2) First, it asks for consent and documents the answer. To obtain consent, the person responsible uses the so-called double opt-in procedure. This means that, after subscribing to the newsletter, she sends the person concerned an email to the specified email address asking them to confirm their consent. If they do not confirm their registration after a pre-defined waiting period, their information will be blocked and automatically deleted after a further waiting period. In addition, the person responsible stores the IP addresses used and the times of registration and confirmation. The following data is therefore processed: name, consent status, date of decision, IP address. The purpose is to fulfill a legal obligation under Article 7 paragraph 1 GDPR. The legal basis is Article 6 paragraph 1 sentence 1 lit. c GDPR.

(3) If consent is given, the person responsible uses the email addresses of the data subjects to address them for advertising purposes. The following data is therefore processed here: name, e-mail address. The purpose is advertising or direct marketing. The legal basis is Article 6 paragraph 1 sentence 1 lit. a GDPR.

Outsourcing: recipients, contract processors

In this context, the following recipients and other external bodies receive data from those affected:

AWS (Suite): Various applications from Amazon Web Services EMEA SARL (Luxembourg - EU), which was commissioned in accordance with Article 28 GDPR, are used. A non-exclusive transfer of data to a third country (here to Amazon Web Services Inc., USA) is justified in the case of employee data in accordance with Article 46 GDPR and for all other data in accordance with Article 45 GDPR. The following tools are used:

AWS cloud

webflow: It will be the web hosting service “webflow” from Webflow, Inc. (USA), which was commissioned in accordance with Article 28 GDPR. A non-exclusive transfer of data to a third country (in this case USA) is justified in the case of employee data in accordance with Article 46 GDPR and for all other data in accordance with Article 45 GDPR.

Google (Suite): Various applications from Google Ireland Ltd. (Ireland - EU), which was commissioned in accordance with Article 28 GDPR, are used. A non-exclusive transfer of data to a third country (here to Google LLC in the USA) is justified in accordance with Article 45 GDPR. The following tools are used:

Google Analytics: The following should be added: Google Analytics helps to analyze usage behavior on the website. The IP address is abbreviated beforehand by the third-party provider within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a third-party server in the USA and abbreviated there. The IP address transmitted by the browser as part of the use of this tool is not combined with other data by the third-party provider. The tool is also used for cross-device analysis of visitor flows, which is carried out via a user ID.

Google Tag Manager: The following should be added: With this tool, the person responsible can integrate various codes and services on this website in an organized and simplified manner. This tool implements the tags or triggers the associated tags. When a tag is triggered, the third-party provider may also process personal data.

Glossary: The following is a glossary. Not all issues explained in the glossary necessarily play a role in the data processing processes described here. They are only for general understanding and therefore transparency.

Topic: Basic concepts

Personal data: This is all information that allows conclusions to be drawn directly or indirectly about natural persons, i.e. human beings.

Processing of personal data: Any active or passive handling of personal data, from collection to core processing to deletion.

Consent: This is a verifiable declaration of intent that is given voluntarily before personal data is processed and which allows specific processing of the personal data of the declaring data subject.

Topic: Social media

Company and/or product page: This wording means that the person responsible maintains a company or product page on a social medium that is also linked to the website. If those affected click on this link (meaning the link to the company or product page), they will be taken to the person responsible's profile.

Plugin: This wording means that the person responsible has integrated a plug-in from a third-party social network or medium on the website. If those affected click on this plugin, they will be taken to the profile of the person responsible. The person responsible uses the so-called two-click solution. This means that, after the click, no personal data is initially passed on to the respective third-party provider of the plug-in. The third-party provider can be recognized by the design of the plugin (e.g. by the logo). The person responsible enables the person concerned to communicate directly with the third-party provider of the plug-in via the button. Only if you click on the marked field and activate it will the third party receive the information that the person concerned has accessed this website. Only then is the data transmitted. By activating the plug-in, personal data of the data subject is therefore transmitted to the respective third party provider. This data transfer takes place regardless of whether the persons concerned have an account with the respective third party provider and are logged in there. If they are logged in to the third-party provider, their data collected by the local controller will be assigned directly to the account that the data subjects maintain with the respective third party provider.

Ads: This wording means that the person responsible uses so-called “ads” (ads) in a social medium. With the help of “ads”, local managers can draw attention to their offers within the framework of the respective social network or medium. In relation to the data from the advertising campaigns, it can determine how successful the individual advertising measures are. This is intended to show data subjects “ads” that are of interest to them, to make this website more interesting for them and to carry out a fair calculation of advertising costs. These “ads” are delivered by the respective third-party provider. If the data subjects access the website of the local person responsible via “ads”, which the respective third party presents to them, a cookie is stored on the computer of the person concerned. These cookies are generally not intended to personally identify those affected.

Pixel: This wording means that the person responsible uses so-called pixels. This is an analysis tool that allows the person responsible to measure the effectiveness of advertising. It is usually used to understand and understand the actions of people on a website. The person responsible has implemented the pixel on their website by placing the pixel code in the header. When those affected then visit the website and perform an action (e.g. complete a purchase), the pixel is triggered and the action is reported. In this way, the person responsible knows when the person concerned takes an action and can evaluate this.

Upload to the Custom Audience: This wording means that the person responsible uploads the data of the data subjects (usually the email address) to a third-party provider of a social network or medium; only after giving consent, of course. As a result, the local responsible person can display interest-based advertisements (“ads”) to the person concerned when visiting a social network or medium. This is done as follows: She uploads the contact details (usually the email address) to the respective third party provider. The third party then checks whether the persons concerned are registered with her using these contact details. If the answer is negative, the contact details will not be entered into the Custom Audience (a type of database that the person responsible maintains with the respective third party provider). If yes, the data will be entered into the Custom Audience of the person responsible. If the data subjects then visit the social network or medium provided by the respective third party provider, the local responsible person has the option of showing the data subject advertising that is of interest to them.

Publication of media recordings: This wording means that the person responsible uploads media recordings of the data subjects (photos, sound and/or film recordings) to the respective social medium or network and publishes them there.

June2025

Endgerätezugriff und Datenverarbeitung für Nutzungsanalyse und personalisierte Werbung. Wir verwenden Tools, mit denen wir Informationen deines Endgeräts auslesen/speichern und deine Daten verarbeiten. Mit deiner Einwilligung nutzen wir Tools für die Personalisierung von Inhalten und Anzeigen, für die Nutzungsanalyse, Erstellung von Nutzerprofilen und Auswertung unserer Werbekampagnen sowie für Social-Media-Funktionen. (Deine Daten werden auch an unsere Werbepartner weitergegeben und gegebenenfalls mit weiteren Daten zusammengeführt.)  Deine Einwilligung umfasst die Übermittlung in Drittländer, wobei Behörden möglicherweise auf deine Daten zugreifen und deine Betroffenenrechte nicht durchgesetzt werden könnten. Deine Einwilligung ist jederzeit widerrufbar. Weitere Informationen findest du in unserer Datenschutzerklärung.
EinstellungenNur notwendigeAlle zulassen