The following declaration about data protection applies to the use of the website www.p24.eu, hereinafter referred to as “the website” and “the online offer”. P24 attaches great importance to privacy. The collection and processing of your personal data is carried out in compliance with the applicable data protection regulations, in particular with the General Data Protection Regulation (GDPR) . We collect and process your personal data in order to offer you this Website. This Declaration describes how and for what purpose your personal data is collected and used, and what choices you have in connection with your data. By using this Website, you consent to the collection, use and transfer of your data in accordance with this Data Protection Declaration. If you wish to object to our collection, processing or use of your data completely or with regard to individual measures in accordance with this Data Protection Regulation, you can address your objection to the controller.
The controller who is the body responsible for the collection, processing and use of your personal data within the meaning of GDPR is
Kapuzinerstr. 4, 94032 Passau
1.2 Data Protection Officer
You can reach our data protection officer at
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means. The term has a broad meaning and practically comprises all handling of data.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘deletion’ of personal data means both the definitive and therefore irrevocable, complete removal of data (destruction) and of the personal reference to them (anonymisation). In any case, after the deletion process a reference to specific persons can no longer be established.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2 Data Processing
2.1 Types of processed data:
- Date of birth
- Address data (street, house number, postal code and city)
- Contact data (e. g. email, phone numbers)
- Content data (e.g. text entries, history, foto);
- Usage data (e.g. visited websites, interest in contents, access times);
- Meta/communications data (e.g. device information, IP addresses);
2.2 Categories of Data Subjects
Visitors and Users of the Online Offer. Hereinafter, we will refer to the Data Subjects also as “user”.
2.3 Purpose of the processing
2.3.1 Registration process / Conclusion of contract
In order to set up your eAccount, your personal data is required to be filled out in the online form during registration. During the application process, you will be provided with the required mandatory information (title, first name, surname, street no., postcode, city, date of birth, mobile phone number, email) and processed for the purposes of fulfilling the contract on the basis of Art. 6 sec. 1 lit. b GDPR. As a registered user you have the possibility to change or revise your personal data at any time in the “Personal data” section.
P24 collects, stores and processes your personal data on their computers in order to further develop and improve all services provided to you, to communicate with you and to manage your eAccount. P24 will only provide access to your personal information to those employees who need it to provide our services.
We will not disclose any information except in the limited circumstances described below, as permitted by applicable law, or with your express permission:
- To Card Compact Ltd, 483 Green Lanes London N13 4BS United Kingdom for the use and management of card services
- To anyone to whom we transfer or may transfer our rights and duties under our Terms and Conditions with you
2.3.2 Website Hosting
The hosting service we use serves the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security and technical maintenance services which we use to operate this Online Offer.
Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this Website based on our legitimate interests in an efficient and secure provision of this Online Offer according to Art. 6 sec. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of the contract about the processing of commissioned data).
2.3.3 Replying to contact requests and communication with users
When you contact us (e.g. via contact form, agent bot or email), we store your details (e.g. name, address, telephone number, email address, conversation history) to process your enquiry and in the event that follow-up questions arise in relation to a subsequent contractual or business relationship in accordance with Art. 6 sec. 1 lit. b GDPR. We only store and use further personal data if you give your consent or if this is legally permissible without special consent.
The Website partly uses so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and safer. Cookies are small text files that are stored on your computer and saved by your browser.
Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit. You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited. Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping basket function) are stored on the basis of Art. 6 sec. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimised provision of his services. Insofar as other cookies (e.g. cookies for analysing your surfing behaviour or such of third parties) are stored, these are treated separately in this data protection declaration.
2.3.5 Further integration of third-party services and content (plugins)
Within our online offer we use on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and in the interest of an appealing presentation of our online offer) in accordance with Art. 6 sec. 1 lit. f. DSGVO content or service offers from third parties to integrate their content and services, such as videos or contributions. Such integration always requires that the third-party providers of these contents are aware of your IP address, as they cannot send the contents to your browser without the IP address. The IP address is therefore required to display this content.
We endeavour to use only such content whose respective providers use your IP address only to deliver the content. Third party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on your device and may contain technical information about your browser and operating system, referring web pages, visiting time and other details about your use of our online services, as well as being linked to such information from other sources.
We use Facebook Pages, Facebook Groups and Facebook Social Plugins (“Plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The pages, groups and plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are recognizable to you by one of the Facebook logos (white “f” on blue tile, the terms “Like”, “Like” or a “thumbs up” sign) or are marked with the addition “Facebook Social Plugin”. If you call up a function of our online offer that contains such a plugin, your device establishes a direct connection with the Facebook servers. In doing so, user profiles can be created from the processed data. We therefore have no influence on the extent of the data that Facebook collects with the help of this plugin and therefore inform users according to our state of knowledge. By integrating the plugins, Facebook receives the information that you have called up the corresponding page through our online offer. If you are logged in to Facebook, Facebook can assign the visit to your Facebook account. If you are not a member of Facebook, there is still the possibility that Facebook will find out your IP address and save it. According to Facebook, only an anonymous IP address is stored in Europe.
Furthermore, we use the so-called “Facebook pixel” on our website. This enables the users of our website to be presented with interest-related advertisements (“Facebook ads”) when they visit the social network Facebook or other websites that also use the procedure. With the use of the Facebook pixel, we pursue the purpose of displaying Facebook ads placed by us only to those Facebook users who have also shown an interest in our Internet offering. With the help of the Facebook pixel, we want to ensure that our Facebook ads correspond to the potential interest of the users and do not appear annoying. In addition, the Facebook pixel allows us to track the effectiveness of Facebook ads for statistical purposes by showing us whether users were redirected to our website after clicking on a Facebook ad. The legal basis for the use of the Facebook pixel is Art. 6 sec. 1 lit. a GDPR and depends on your consent, which you can change at any time in your cookie consent settings.
Within our online offer, functions and contents of the Vimeo service can be used. Vimeo is operated by Vimeo, LLC with headquarters at 555 West 18th Street, New York, New York 10011.
On some of our website pages we use plugins from the provider Vimeo. When you access the Internet pages of our website that are equipped with such a plugin, a connection is established to the Vimeo servers and the plugin is displayed. This tells the Vimeo server which of our Internet pages you have visited. If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When you use the plugin, such as when you click on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo.
Within our online offer, functions and contents of the service Twitter, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, can be used.
This includes a button with which you can subscribe to our posts. If you are a member of the Twitter platform, Twitter can assign the access to the above-mentioned content and functions to your profile.
Within our online offer, functions and content of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be used.
This includes a button with which you can subscribe to our contributions. If you are a member of the LinkedIn platform, LinkedIn may associate the access to the above content and features with your profile.
Within our online offer, functions and contents of the Zoho service of Zoho Corporation service, 4141 Hacienda Drive Pleasanton, California 94588, USA can be used.
If you contact us through the agent bot, we store your details (e.g. name, address, telephone number, email address, conversation history) according to Art. 6 sec. 1 lit. b GDPR to process your request and in the event that follow-up questions arise in relation to a subsequent contractual or business relationship.
2.3.7 Access data
P24 collects information about you when you use this Website. We automatically collect information about your user behaviour and the interaction with us and register information about your computer or mobile device. We collect, store and use data about every access to our Online Offer (so-called server log files). The access data includes the name and URL of the retrieved file, date and time of the retrieval, the amount of data transferred, the message about a successful retrieval (HTTP response code), browser type and browser version, operating system, referrer URL (i.e. the previously visited page), IP address and the requesting provider.
We use this protocol data – without assigning it to you personally or creating another profile – for statistical evaluations in order to operate, make secure and optimize our Online Offer, but also to anonymously collect the number of visitors (traffic) on our Website and the extent and type of use of our Website and services, as well as for billing purposes to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalized and location-based contents and analyze the data traffic, search and remedy errors and improve our services. We reserve the right to check the log data retrospectively if, on the basis of concrete indications, the legitimate suspicion of unlawful use exists. We store IP addresses in the log files for a limited period, if necessary for security purposes or for the provision of services or the billing of a service, e.g. if you use one of our offers. We also store IP addresses, if we have a specific suspicion of a crime in connection with the use of our Website. In addition, we store the date of your last visit (e.g. when registering, logging in, clicking links, etc.) as part of your account.
The processing of personal data takes place here on the basis of our legitimate interests in an efficient and secure provision of this online offer as well as on the basis of legal obligations according to Art. 6 sec. 1 lit. c and f GDPR.
2.3.8 Access measurement
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”). Google Analytics uses so-called “cookies”, i.e. text files which are stored on your computer and which will enable an analysis of your use of the website. On behalf of the operator of this website, Google will use the above-mentioned information to evaluate your use of the website, to compile reports on website activities and to provide further services to the website operator in connection with website and internet use. The IP address transmitted by your browser within the scope of Google Analytics is not combined with other data from Google.
The purposes of data processing are to evaluate the use of the website and to compile reports on activities on the website. On the basis of the Use of the website and the Internet should then provide other related services can be provided.
Within the scope of the coverage analysis of Google Analytics, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer) in accordance with Art. 6 sec. 1 lit. f GDPR the following data are processed:
Name and URL of the accessed file, date and time as well as country of origin of the access, transferred data volume, notification of successful access (HTTP response code), browser type and browser version, operating system, referrer URL (i.e. the previously visited page), IP address and the requesting provider as well as the number of visits and your time spent on the website.
Your IP address will be anonymized immediately after it has been saved by Google.
Pseudonymous user profiles of the users can be created from the processed data. The cookies have a storage period of one week. The data stored by the cookie about your use of this website will only be published on our website and server and not passed on to third parties. You can disable the storage of cookies by setting your browser software. You can also prevent the collection of the data generated by the cookie and stored about your use of the website (including your IP address) and the processing of this data by Google, by downloading and installing the following browser plugin: Browser Add On to Deactivation of Google Analytics.
Additionally or as an alternative to the browser add-on you can disable tracking by Google Analytics on our pages by changing our cookie consent settings. Thereby an Opt-out cookie is installed on your device. This will prevent Google Analytics from collecting data for this website and for this browser in the future as long as the cookie remains installed in your browser.
The logs with your data will be deleted at the latest 1 year after the last visit of the website. Until then, the evaluation of the collected data is necessary for an effective control of the optimization and simplification of the online offer.
The website uses the function “demographic characteristics” of Google Analytics. This allows reports to be generated that contain statements about the age, gender and interests of the site visitors. This data comes from interest-based advertising by Google as well as from visitor data from third parties. This data cannot be attributed to any specific person. You can disable this feature at any time in your Google Account Ads settings or opt-out of having your information collected by Google Analytics as described in the “Opt-out of data collection” section.
2.3.9 Google Analytics Remarketing
Our websites use the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google Ads and Google DoubleClick. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This feature allows advertising audiences created with Google Analytics Remarketing to be linked to the cross-device capabilities of Google Ads and Google DoubleClick.
In this way, interest-based, personalized advertising messages that have been customized for you on one device (e.g. mobile phone) can be displayed on another of your devices (e.g. tablet or PC) depending on your previous usage and surfing behavior on that device. If you have given permission, Google will link your web and app browsing history to your Google Account for this purpose. In this way, the same personalized advertising messages can be displayed on any device you sign in with your Google Account.
To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to our Google Analytics data to help define and create audiences for cross-device advertising. You can opt-out of cross-device remarketing/targeting permanently by deactivating personalized ads in your Google Account at https://www.google.com/settings/ads/onweb.
The aggregation of the collected data in your Google Account is based solely on your consent, which you can give or withdraw to Google (Art. 6 sec. 1 lit. a GDPR). For data collection operations that are not merged into your Google Account (e.g. because you don’t have a Google Account or because you have objected to the merging), the collection of data is based on Art. 6 sec. 1 lit. f GDPR. The legitimate interest arises from the fact that the website operator has an interest in the anonymised analysis of website visitors for advertising purposes. Further information and the data protection regulations can be found in the Google data protection declaration at https://www.google.com/policies/technologies/ads.
2.3.10 Google Ads and Google Conversion-Tracking
This website uses Google Ads. Ads is an online advertising program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). As part of Google Ads, we use what is known as conversion tracking.
When you click on an ad placed by Google, a conversion tracking cookie is set. These cookies expire after 30 days and are not used to personally identify users. If the user visits certain pages of this website and the cookie has not expired, Google and we may recognize that the user clicked on the ad and was redirected to that page. Each Google Ads customer receives a different cookie. The cookies cannot be tracked through the websites of Ads customers. The information collected through the conversion cookie is used to compile conversion statistics for those Ads customers who have opted in to conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag.
However, you will not receive information that personally identifies users. If you don’t want to participate in tracking, you can opt-out of this use by turning off the Google Conversion Tracking cookie slightly in your web browser under User Preferences. You will then not be included in the conversion tracking statistics.
3 Legal bases and storage period
Unless specifically stated, we only store your personal data for as long as necessary to fulfil the purposes pursued in accordance with Art. 6 GDPR. Furthermore, your data will be deleted if the data is no longer required to fulfil contractual or legal storage obligations in accordance with Art. 17 sec. 3 lit. b GDPR (e.g. tax and commercial law storage obligations) as well as dealing with possible warranty and comparable obligations. In addition, we store your personal data for the purpose of asserting, exercising or defending legal claims according to Art. 17 sec. 3 lit. e GDPR.
If personal data may no longer be processed for the original purpose, but storage obligations still exist, the data will be archived from the productive processing or storage locations, completely deleted from the productive level and access restricted. Once all storage obligations have been fulfilled, storage rights have lapsed and all deletion periods have expired, the corresponding data is routinely deleted.
4 Your rights as a Data Subject
Under applicable law, you have various rights regarding your personal data. If you wish to assert these rights, please send your request to the data protection officer by email or by mail with a clear identification of your person (see Clause 1.2). As a Data Subject, you have the following rights:
4.1 Right of access
According to Art. 12 and 13 you have the right to obtain from us a confirmation as to whether or not your personal data is being processed. Where that is the case, you have the right to obtain free information from us about your personal data and a copy of this data.
4.2 Right to rectification
According to Art. 16 GDPR you have the right to obtain from us the immediate rectification of inaccurate personal data concerning you. In consideration of the purposes, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
4.3 Right to erasure (“Right to be forgotten”)
According to Art. 17 GDPR you have the right to obtain from us the immediate erasure of your personal data and we are obliged to erase your personal data immediately, unless there are legal or contractual obligations to keep records. In this case the further processing of your personal data will be restricted.
Where we have made personal data public and we are required to erase it, we will take appropriate measures, taking into account available technology and implementation costs, also of technical nature, to inform the controllers who process your personal data that you have requested the deletion of any personal data or of copies or replications of such personal data according to Art. 19 GDPR.
4.4 Right to restriction of processing
According to Art. 18 GDPR you have the right to obtain from us restriction of processing of your personal data. For example, you can oblige us to process only those personal data that are absolutely necessary for the provision of our services.
4.5 Right to data portability
According to Art. 20 GDPR You have the right to receive your personal data provided to us in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without objection from us.
4.6 Right to object
According to Art. 21 GDPR you have the right to object, on grounds relating to your particular situation, at any time the processing of your personal data which is based on Art. 6 sec. 1 lit. e or f GDPR, including profiling based on those provisions. We do no longer process your personal data unless we can demonstrate compelling grounds, worthy of protection, for the processing which override your interests, rights and freedoms or unless the processing serves for the establishment, exercise or defense of our legal claims.
4.7 Right of withdrawal of a declaration of consent given under data protection law
According to Art. 6 sec. 1 lit. a GDPR, you have the right to revoke the previously granted consent to data processing without giving reasons. If no other lawfulness of the processing within the meaning of Art. 6 sec. 1 GDPR justifies further data processing, your personal data must then be deleted immediately. Otherwise, the processing of your personal data must be temporarily restricted (blocked).
4.8 Right to appeal to a supervisory authority
You have the right to appeal to a supervisory authority, in particular in the Member State of your home, work or at the place where the infringement has allegedly been committed, if you have the opinion that the processing of the data concerning you is unlawful.
For P24 the competent supervisory authority is the
Bavarian State Office for Data Protection Supervision
Promenade 27 (castle)
5 Data security
We endeavor to ensure the security of your personal data under the scope of applicable data protection laws and technical options.
We transmit your personal data in encrypted form. This applies to your orders and also to a customer login. We use the SSL (Secure Socket Layer) coding system, but point out that data transmission over the Internet (e.g. when communicating by email) can have security gaps. It is not possible to protect such data completely against access by third parties.
When personal data is accessed by authorized personnel, access is only possible via an encrypted connection. When accessing data in a database, the IP number of the person accessing the data must also be pre-authorized to gain access. All access to personal data is blocked by default. Access to personal data is restricted to individually authorized personnel. Our security and data protection officer issues authorizations and keeps a log of the authorizations granted. Authorized employees are granted only the minimum access they absolutely need for their tasks through our role and authorization concept. Administrative processes, including system access, are logged to provide an audit trail when unauthorized or accidental changes are made. System performance and availability is monitored by both internal and external monitoring services. Databases are backed up continuously to enable recovery at any time within a 35-day retention period. Backups are stored in file storage in the same geographic location as the database. To safeguard your data, we maintain technical and organizational security measures that we always adapt to state-of-the-art technology.
Furthermore, we do not warrant that our offer will be available at specific times; disturbances, interruptions or failures cannot be excluded. The servers we use are regularly and diligently backed up.
In the event that your data is compromised, we will notify you and the relevant regulatory authorities by email within 72 hours of the extent of the breach, the data involved, any impact on the service and the plan of action to secure the data and limit any adverse effects on the data subject.
6 Automated decision-making
No automated decision-making will be done on the basis of the collected personal data.
7 Transfer of data to third parties, data transfer to non-EU/EEA countries
As a rule, we only use your personal data in our company.
In addition, your personal data will only be passed on if you have given your consent in accordance with Art. 6 sec. 1 lit. a GDPR, the transfer is necessary for the fulfilment of a contract in accordance with Art. 6 sec. 1 lit. b GDPR, we are subject to a legal obligation in accordance with Art. 6 sec. 1 lit. c GDPR (e.g. e.g. tax regulations, participation in the clarification of a criminal offence), or if this is necessary to protect our legitimate interests in accordance with Art. 6 sec. 1 lit. f GDPR, unless your interests or fundamental rights and freedoms that require the protection of personal data outweigh this.
Furthermore, it is only permitted to transfer personal data to institutions or persons outside the EU/EEA under the conditions set out in Art. 44 following GDPR. In particular, adequate protection is then guaranteed by appropriate measures, such as standard contractual clauses of the EU Commission within the meaning of Art. 46 sec. 2 lit. d GDPR.
8 Data protection officer
Should you still have any questions relating to our data protection or to this Data Protection Declaration, or should you intend to exercise your rights named herein, kindly contact our data protection officer (contact details see point 1.2).
9 Changes to the Data Protection Declaration
Users are asked to inform themselves regularly about the content of the Data Protection Declaration. You can save and print this Data Protection Declaration at any time.
(Last update: August 2020)