Last updated on November 13th, 2019
Canyan only processes personal data insofar as required for providing a functioning website as well as contents and Canyan services. Users’ personal data is usually only processed if required for fulfilling contractual or legal obligations or with the user’s consent. Cases where it is impossible to obtain prior consent for effective reasons and the data processing is permitted by law form an exception to this rule.
In the event of Canyan obtaining consent from the data subject for personal data processing activities, Art. 6 (1) lit. a of the General Data Protection Regulation (hereinafter referred to as “GDPR”) forms the legal basis.
When processing personal data required for fulfilling an agreement to which the data subject is party, Art. 6 (1) lit. b GDPR forms the legal basis. The same applies to processing activities required for implementing pre-contractual measures.
In the event of personal data having to be processed for fulfilling a legal obligation of Canyan, Art. 6 (1) lit. c GDPR forms the legal basis.
Should essential interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
If the processing is required to maintain a justified interest of Canyan or third party, and if the interests, basic rights and freedoms of the data subject do not outweigh the interest stated above, Art. 6 (1) lit. f GDPR serves as the legal basis for processing.The personal data of the data subject is deleted or blocked as soon as the purpose for its storage ceases to exist. Data may also be stored if stipulated by European or national legislation in EU directives, laws or other regulations which apply to Canyan. Data is also blocked or deleted if a storage period stipulated by the above standards expires, unless it is necessary to continue storing the data for the conclusion or fulfilment of an agreement.
The Canyan systems automatically collect data and information from the system of the accessing computer each time the Canyan website (and the websites of its affiliated companies) is accessed.
The following data is collected during this process:
Information on the browser type and version, the user’s operating system, internet service provider and IP address, date and time of access, websites from which the user’s system is referred to Canyan’s website, and websites accessed by the user’s system through the Canyan website(s).The data is also stored in the Canyan log files. This data is not stored together with other personal data of the user.
Data and log files are temporarily stored on the legal basis of Art. 6 (1) lit. f GDPR.
The system has to temporarily store the user’s IP address to display the website on the user’s computer. The user’s IP address has to be stored for the duration of the session for this purpose.
It is stored in log files to ensure the functionality of the website. We also use this data to optimise the website and ensure the security of our IT systems. The data is not analysed for marketing purposes in this respect.
The above-stated purpose also constitutes the justified interest of Canyan in the data processing in accordance with Art. 8 (1) lit. f GDPR.
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. If the data is collected for displaying the website, this is the point at which the respective session ends.
If the data is stored in log files, it is deleted no later than seven days from being collected. Data may be stored for longer periods than the ones stated above. In such event, the user’s IP address is deleted or alienated so that it is no longer possible to allocate it to the accessing client and this data no longer links to a specific person.
The collection of data for displaying the website and storage of data in log files is crucial for operating the website. The user therefore has no option to object.
Our website uses cookies. Cookies are text files stored in the browser and/or by the browser on the user’s computer system. A cookie may be stored on the user’s operating system if the user accesses a website. This cookie contains a characteristic sequence which makes it possible to clearly identify the browser when the website is accessed again.
We use cookies to create a more user-friendly website. Some elements on our website require for the accessing browser to be identified even after switching pages.
The following data is stored and transferred in the cookies for this purpose: language settings, shopping basket items, log-in information, browser type, operating system, referrer URL (previously visited page), time of server request and IP address.We also use cookies that make it possible to analyse the user’s surfing behaviour on our website(s).
The following data can be transferred in this manner:
browser type, operating system, referrer URL (previously visited page), time of server request and IP address.The user data collected in this manner is pseudonymised by technical features. Once this process has been completed, it is no longer possible to allocate the data to the accessing user. The data is stored separately to other personal user data.
When accessing our website(s), users are informed about the use of cookies for analysis purposes and referred to this Data Protection Declaration on an information banner. Information on how the storage of cookies can be prevented by adjusting the browser settings is also provided.
The legal basis for the processing of personal data and use of technically required cookies is Art. 6 (1) lit. f GDPR.
Art. 6 (1) lit. a GDPR forms the legal basis for processing personal data whilst using cookies for analysis purposes with the user’s consent.
Cookies are stored on the user’s computer from where they are transferred to Canyan. You, the user, have full control over the use of cookies. You can adjust your browser settings to deactivate or limit the transfer of cookies. Previously stored cookies can be deleted at any time (also automatically). Deactivating cookies on the Canyan website may result in not all of the website functions being fully usable.
Any email address entered by you when purchasing goods or services on the Canyan website may be used by Canyan to send you a newsletter. The newsletter exclusively contains direct advertising for our own goods and services. We engage external service providers for sending the newsletter.
We record the number of opened and delivered newsletters in this respect. The newsletters contain a web beacon, i.e. a one-pixel file which is accessed by the server of our service provider when the newsletter is opened. Technical information, such as on your browser and system as well as your IP address and time of request, is collected as part of this request. This information is used for improving the technical aspects of the service on the basis of technical data or the target groups and their read behaviour based on their request locations (which can be determined with the help of the IP address) or access times.
The statistical data collected also includes the determination if the newsletters have been opened and when and which links have been clicked. This information can be allocated to the individual newsletter recipients for technical reasons. However, neither we nor our service provider intend to monitor individual users. The analyses merely serve for us to recognise the read behaviour of our users and to adjust our contents accordingly or to send different contents that meet our users’ interests.
Section 7 (3) of the Act against unfair competition (Gesetz gegen den unlauteren Wettbewerb – UWG) forms the legal basis for sending the newsletter following the sale of goods or services.
Art. 6 (1) lit. f GDPR forms the basis for recording the number of opened and delivered newsletters.
Email addresses and user names are collected for delivering a personalised newsletter.
The number of opened and delivered newsletters is recorded to recognise potential technical problems and to improve the contents. This purpose also constitutes Canyan’s justified interest in accordance with Art. 6 (1) lit. f GDPR.
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. The user email address is therefore stored for as long as the newsletter subscription remains active.
The affected user can cancel the newsletter subscription at any time. A corresponding link is included in every newsletter for this purpose.
The Canyan website contains contact forms that can be used for contacting the company via electronic channels. If the user decides to use this option, the data entered in the input mask is transferred to Canyan and stored.
This data includes: email address, customer number and phone number, if required.Art. 6 (1) lit. a GDPR forms the legal basis for data processing with the user’s consent.
The legal basis for processing data transferred as part of an email is provided by Art. 6 (1) lit. f GDPR. If the email contact aims at concluding an agreement, Art. 6 (1) lit. b GDPR forms an additional legal basis for processing.
Canyan exclusively processes personal data from the input masks for processing the contact request. In the case of contact being made via email, this also constitutes the necessary and justified interest in processing the data.
The other personal data processed during the send process serves to prevent the misuse of the contact form and ensure the security of Canyan’s IT systems.The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent via email, this is the case once the respective conversation with the user has ended. The conversation has been concluded once the respective matter has been clarified in full and final.
The user may withdraw its consent for processing the personal data at any time. In such case, the conversation cannot be continued.
We use the services of Google (Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043 USA) for our work as well as internal and external communication. We have concluded a data processing agreement with this company. As part of our work, various personal data (such as IP address of the querying computer, your name, your email address and other data processed during the conclusion of an agreement and/or its performance by us) is stored on Google servers, if required for the performance of the agreement or communication with the customer (such as email, conclusion of agreements via Google drive).
Art. 6 (1) lit. b and f GDPR forms the basis for the processing of personal data.
Customer contacts and other various processes that are required for the performance and fulfilment of the agreement.
The data is deleted if no longer required and we are not obliged to store it by law.
The Canyan website uses Google Analytics, a web analysis service provided by Google Inc.. Google Analytics uses cookies which are stored on the user’s computer and which make it possible to analyse the user’s use of the website. This enables Canyan to analyse the use of the website(s) and thus create even more user-friendly contents.
The additional “User ID” function is also integrated on some websites.
The User ID is a unique, permanent and non-personalised character sequence which we allocate to you as a person and not to a specific device. It enables us to record your visit and user behaviour on our website from various devices (e.g. smartphone, tablet or laptop). The User ID is only allocated to you if we can clearly identify you as a user. This generally is the case when you register for the first time on our website. We do not combine the data collected under the User ID with personal data. We only transfer the pseudonymised User ID to Google Universal Analytics and use it as your pseudonym when dealing with Google. Other data and information relating to your account is not transferred to Google. Your user behaviour on our websites is then transferred to the Google servers in the USA, together with your User ID, where it is stored and processed for analysis purposes. Google links the transferred information to pseudonymised user profiles and provides Canyan with a summary of them. Canyan does not combine these transferred user profiles with your personal data. This makes it impossible to allocate the data to specific persons at all times. You can object to the transfer of a User ID to Google by sending us an email with the following subject: “Data Protection: User-ID”.
Canyan has activated IP anonymisation (“_anonymizeIP()” extension) on this website. This means that IP addresses are recorded anonymously by way of IP masking to remove any direct link to persons. The full IP address is only transferred to Google servers in the USA and abbreviated there in exceptional circumstances. The IP address is usually abbreviated within the member states of the European Union or other contracting states of the Agreement on the European Economic Area and transferred to Google servers in the USA in abbreviated form.
Art. 6 (1) lit. a and f GDPR forms the basis for the processing of personal data. The above purpose also constitutes Canyan’s justified interest in the processing of personal data in accordance with Art. 6 (1) lit. f GDPR.
Google uses this information on behalf of Canyan for analysing the use of the latter’s website, for compiling website activity reports and for providing other services relating to the use of the internet and website for Canyan. Google does not combine the IP address transferred by your browser within the scope of Google Analytics with other data.
By using this website you agree for us to collect and process your personal data in the manner and for the purpose stated above if you have not installed the above browser plug-in.
As part of the use of Google products, data is stored on servers located within the United States of America. This data usually (see Section VIII. A. 1.) does not relate to a person as it has been anonymised prior to being transferred.
Data transfer to the United States of America is justified by the conclusion of the agreement between Canyan and Google which contains standard contractual clauses developed by the EU Commission.
Canyan uses Sentry, a service provided by Software Inc., Sentry, 1501 Mariposa St # 408, San Francisco, CA 94107, USA, on its website for checking and monitoring stability.
Art. 6 (1) lit. f GDPR forms the basis for the processing of personal data.
This service is used for monitoring the technical stability of the services provided by Canyan on its websites. This makes it possible to monitor system stability and recognise and improve code errors. The collected data enables Canyan to recognise when and which display errors have occurred and on which operating system. This data exclusively serves to provide Canyan services with the least possible errors and to rectify any errors found.
The above purposes also constitute the justified interest of Canyan in the data processing in accordance with Art. 6 (1) lit. f GDPR.
All data, such as information on the device used and time of error are collected in anonymised form, stored and deleted immediately once it has been analysed. Canyan is unable, at any time, to link the stored data back to a specific or determinable person. Any entries made by the user are recognised as such by Sentry and never collected.
Canyan transfers the personal data that has been collected and stored to our service providers within the scope of contractual regulations if this is necessary for processing your agreement. Obviously, these service providers are requested to comply with the applicable data protection regulations.
We cooperate with external service providers for the various payment methods available:Credit card payments: XXXX.
Paypal payments: XXXX
Affiliated companies are companies that are controlled by Canyan. Data may be transferred to affiliated companies. However, we only transfer data if these companies are either governed by this Data protection Declaration or comply with guidelines that provide at least the same level of protection as this Data Protection Declaration.
We only disclose the personal data of our customers if required to do so by law or if such transfer is necessary to assert our general terms and conditions of business or other agreements or to protect our rights and the rights of our customers and third parties. This includes an exchange of data with companies specialising in the prevention and minimisation of misuse and credit card fraud. No data is transferred for commercial use by these companies, it is exclusively transferred for the purposes stated above.
Canyan maintains a presence on the following social networks:
Facebook is a social network operated by Facebook Ireland Limited (Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland). Canyan maintains a Facebook page (fan page).
If you have logged into your Facebook account and use the Canyan Facebook fan page, Facebook gives us access to your “public information” on Facebook that you make available to the public or approve for the respective application via a technical interface. On Facebook, “public” means that everyone, including persons outside of Facebook, can see your data. This includes your name, profile picture, cover photo, gender, networks, “Likes”, user name (Facebook URL) and user ID (Facebook ID).
Based on the Facebook data protection policy, Facebook decides which data is permanently accessible to the public and which you can make accessible by adjusting your privacy settings.
Canyan maintains a Twitter account. Twitter is a microblogging service operated by the US company Twitter, Inc. (795 Folsom Str., Suite 600, San Francisco, CA 94107).
We collect your title, name, address, date of birth and payment information within the scope of the conclusion of an agreement.
In addition to the existing data, e.g. from the customer order, Canyan also uses your traffic and user data. Traffic and user data include data created during telephone calls or through other methods via the network used by Canyan (SMS / MMS, data services).
Art. 6 (1) lit. b GDPR forms the basis for the processing of this data.
The traffic data is created when the telecommunication connection is established and maintained and is required for invoicing purposes. It is stored, processed and used for a maximum period of six months from dispatch of invoice.
The existing data is required for performing the agreement. The email address is also required for contacting the customer (sending invoices and other product-related information).
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected.
In accordance with the German Telecommunications Act (Telekommunikationsgesetz – TKG), we are obliged to store the existing data until the close of the calendar year following the termination of the agreement. Any longer data storage periods required in accordance with commercial law, such as for invoices (German Commercial Code (Handelsgesetzbuch – HGB) or German Tax Code (Abgabenordnung – AO)) are binding.
Users may request the deletion of their personal data at any time. Upon receipt of such request, Canyan deletes the personal data, unless obliged to store it in accordance with commercial law.
Please also refer to the general terms and conditions of business and specification of services applicable to the respective product.If a user’s personal data is processed, this user becomes a data subject within the meaning of the GDPR. As a data subject, you have the following rights against Canyan, unless stated otherwise in the individual data processing regulations above:
You may request confirmation if Canyan processes your personal data.
In the event of your personal data being processed, you may request the following information from the controller:
You have the right to request information regarding the question if your personal data is transferred to a third country or international organisation. You may request to be informed about the suitable guarantees in accordance with Art. 46 GDPR relating to the data transfer in this respect.
You have the right to request the correction and/or completion of the data from the controller if your processed personal data is incorrect or incomplete. The controller must correct the data immediately.
You may request for the controller to delete your personal data immediately. The controller is obliged to delete such data if one of the following reasons applies:
If the controller has published your personal data and is obliged to delete it in accordance with Art. 17 (1) GDPR, the controller shall implement adequate measures, including technical measures that take into consideration the available technology and implementation costs, to inform the controllers that are processing the personal data that you, the data subject, have requested the deletion of all links to this personal data, copies or duplicates thereof.
The right to deletion does not exist if the processing is required for:
If you have asserted the right to correction, deletion or limitation of processing against the controller, the latter is obliged to notify all recipient to which your personal data has been disclosed of such correction and deletion of the data or its limitation of processing, unless this is impossible or would incur disproportionate costs and effort. You have the right to be notified by the controller about such recipients.
You have the right to receive your personal data which you provided to the controller in a structured, standard and machine-readable format. You also have the right to transfer this data to another controller without being restricted by the controller to whom the personal data has previously been provided.
The processing is based on consent in accordance with Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or an agreement in accordance with Art. 6 (1) lit. b GDPR, and Automated methods are used for processing the data.
In execution of this right, you further have the right to enforce that your personal data is transferred directly from one controller to another, insofar as this is technically possible. Such actions may not impair the freedoms and rights of other persons.
The right to data transferability does not apply to personal data processing that is required for fulfilling a task transferred to the controller that is in the interest of the general public or necessary to enforce the orders of a public authority.
You have the right to object against the processing of your personal data based on Art. 6 (1) lit. e or f GDPR at any time and for reasons arising from your specific situation; the same applies for any profiling based on these regulations.
The controller will no longer processes your personal data in this case, unless it can provide evidence of compelling reasons worth protecting for the processing which outweigh your interests, rights and freedoms, or the processing serves to asset, enforce or defend legal claims.
If your personal data is processed for the purpose of direct advertising, you have the right to object to the processing of your personal data for such advertising purposes at any time; the same applies to profiling that is related to such direct advertising.
If you object to the processing for the purpose of direct advertising, your personal data will no longer be processed for such purpose.
You have the option to assert your right to object by using automated methods that employ technical specifications in connection with the use of services provided by the information company, regardless of Directive 2002/58/EC.
You have the right to withdraw your data protection consent declaration at any time. The withdrawal of this consent does not affect the legality of the processing based on the consent until its withdrawal.
Notwithstanding any other remedy under administrative law or before the courts, you have the right to complain to a supervisory authority, particularly in the member state where you reside, work or where the alleged violation took place if you are of the opinion that the processing of the respective personal data violates the GDPR.
The supervisory authority to which the complaint was submitted informs the complainant of the status and results of the complaint, including the option of legal remedy in accordance with Art. 78 GDPR.