Data protection policy
(As of 25.05.2018)
Since 25 May 2018, the provisions of the General Data Protection Regulation (hereinafter referred to as the GDPR) have applied across Europe. In the following, we wish to provide you with information regarding the processing of personal data carried out by Rakuten Deutschland GmbH according to this regulation (see Article 13 GDPR).
1. DATA CONTROLLER
The data controller for data processing purposes as defined by the German Federal Data Protection Act and the GDPR is
Rakuten Deutschland GmbH (hereinafter referred to as ‘Rakuten DE’)
Data protection officer: Sven Steinacker
Geisfelder Str. 16
Fax: +49 (0)951 40 83 91 09
2. DATA COLLECTION AND USE
The following data protection information outlines the type and scope of the processing by Rakuten DE of what is known as personal data. Personal data is information that is to be and/or can be directly or indirectly attributed to your person.
Data processing by Rakuten DE can be broken down into two main categories:
All data required for the performance of a contract with Rakuten DE shall be processed for the purposes of contractual fulfilment. If external service providers are also involved in contractual fulfilment, such as merchants, logistics companies or payment service providers, your data shall be provided to them to the extent this is required.
When the Rakuten DE website/application is accessed, various pieces of information are shared
between your end device and our server. These may also involve personal data. Information collected in this manner is used for purposes such as optimising our website or displaying advertising in the browser of your end device.
In line with the provisions of the GDPR, you have various rights which you may assert towards us. These include the right to object to selected forms of data processing, particularly data processing for advertising purposes. The option to object is highlighted in bold.
If you have any queries concerning our data protection information, you may consult our company data protection officer at any time. You can find their contact details above under 1. Data controller.
2.2. Contractual fulfilment
As the operator of Rakuten marketplaces, Rakuten DE collects personal data if you share this with us as part of your merchant registration, when making contact with us (e.g. via contact form or email) or when requesting additional information. The data collected, such as
First name, surname,
Billing and company address,
Online shop URL,
Tax number/VAT ID,
Telephone number, Fax number
is evident from the relevant input forms. We collect, store and process your data on the basis of consent, for the purposes of contractual fulfilment, a legal obligation and based on our legitimate interest according to Article 6, section 1 a), b), c) and f) GDPR in order to process your registration, membership, including any subsequent warranty claims and the assertion of any claims against you, for our services, for fraud prevention, technical administration and, if applicable, our own marketing purposes.
If we do not use your contact details for advertising purposes, we will store the data collected as part of contractual fulfilment until the legal periods have expired, unless further-reaching legal retention periods are in place (such as Article 147 of the German Tax Code (AO), Article 195 in conjunction with Article 199 of the German Civil Code (BGB) or Article 257, section 4 of the German Commercial Code (HGB)) or you have consented to further-reaching use of your data. For the legally required period (usually ten years from conclusion of the contract), the data shall only be processed again in the event of an audit by the tax authorities.
When you access our website/application, information is automatically sent by the browser used on your end device to our website/application server and temporarily stored in what is known as a log file. We have no influence over this process. The following information is also collected and stored until its automatic erasure without your involvement:
The IP address of the querying internet-enabled device, the date and time of access, the name and URL of the file accessed, the website/application from which access occurred (referrer URL), the browser you use and, if applicable, the operating system of your internet-enabled device and the name of your service provider.
The legal basis for IP address processing is Article 6 section 1 f) GDPR. Our legitimate interest arises from the data collection purposes listed below. The data collected does not allow us to draw any direct conclusions regarding your identity and we shall not draw any such conclusions.
We use the IP address of your end device and other data listed above for the following purposes:
Guaranteeing a smooth connection,
Guaranteeing ease of use of our website/application,
Assessing system security and stability,
Detecting and preventing fraud, spam, misuse, security-related incidents and malicious activities.
The data is stored for a period of 12 months before being erased automatically. We also use what are known as cookies, tracking tools, targeting procedures and social media plugins for our website/application. The exact procedures involved and how your data is used for the purposes thereof will be explained in further detail below.
2.4. Rakuten services/merchant account
If you register with us, we will set you up a password-protected merchant account on the basis of Article 6 section 1 b) GDPR and in accordance with our terms and conditions for merchants. Please keep your personal login details confidential and do not provide access to said details to any unauthorised third parties in particular. We cannot accept liability for misused passwords unless the misuse was our responsibility. Please note that you will automatically remain logged in when you leave our web page unless you have actively logged out.
The purpose of data collection for setting up the merchant account is to provide you with access to your shop management and to provide the legally required information to your customers and the relevant authorities.
Deleting your merchant account
You can request the deletion of a merchant account at any time by terminating the contract. All you need to do is send a notification in writing (e.g. email, fax, letter) to the contact details under point 1 above.
Once the contract has been fulfilled in full or your merchant account has been deleted, your data shall be blocked for further use and deleted following the expiry of retention periods required by tax and commercial law (usually 10 years following conclusion of the contract), unless you have expressly consented to further use of your data or we reserve the right to a further-reaching use of data which is permitted by law and of which we inform you in this data protection statement.
3. USE OF DATA FOR ADVERTISING PURPOSES
The following information concerns the processing of personal data for advertising purposes. The GDPR declares that data processing of this nature is possible in principle and is a legitimate interest on the basis of Article 6 1 f) GDPR. The duration of data storage for advertising purposes does not follow any rigid principles and is based on the question of whether storage is required for an advertising-related approach.
3.1. Interest-based advertising
As well as processing your data for the purpose of fulfilling your merchant contract with Rakuten DE, we also use your data to provide you with information in conjunction with your contract with Rakuten and to recommend products or services that may be of interest to you. Information provided by you and automatically generated in line with point 2.3 above is used to create advertising tailored to you and your interests. In order to do this, we use available information, such as information on the computer and internet connection, operating system and platform, date and time of visit to our web pages. By analysing and assessing this information, we are able to improve our website and online service on an ongoing basis and show you advertising tailored to your interests on the website or provide you with said advertising via newsletter. Our aim is to ensure our newsletter is more useful and of greater interest to you. As such, we may also compare which of our emails you open in order to avoid sending you emails that are not of interest.
3.2. Rakuten DE advertising purposes
As a registered or prospective merchant of Rakuten DE, your postal contact details are processed by us without us having received specific consent so that we may provide information about new products and services in this way.
3.3. Right to object for advertising purposesWiderspruchsrecht für Werbezwecke
You may object to the use of your personal data for advertising purposes (direct advertising), including the creation of a user profile, the delivery of newsletters and the personalisation of advertising, at any time, in full or for specific activities, with effect for the future, without incurring any costs other than those of communication at the basic rates and without affecting the legality of the processing which has already taken place based on consent prior to withdrawal. All you need to do is send a notification in writing (e.g. email, fax, letter) to the contact details under point 1 above.
If you raise an objection, the contact address in question will be blocked for further data processing for advertising purposes. Please note that in exceptional cases, you may still receive advertising materials for a short time after your objection has been received. This is due to the required technical lead time for advertising and does not mean that we are not acting on your objection. Thank you for your understanding.
3.4. Newsletter delivery
If you have registered for our newsletter in accordance with Article 6, section 1 a) GDPR, we use the data required for this purpose or shared separately by you (particularly your form of address, name and email address) in order to send you, on a regular basis, our personalised email newsletter with information, partner offers and special promotions. By registering as a Rakuten merchant, you declare that you consent to data on your usage behaviour (e.g. opening and clicking links in the email) being collected and processed by us in order to coordinate the content of the emails based on your requirements and be able to send you personalised offers.
You may unsubscribe from our newsletter at any time with effect for the future. This may be done by sending a message to the email address listed under point 1 above or via a link for this purpose in the newsletter or, if available, in your customer account.
3.5. Email advertising without newsletter registration and your right to object
If we obtain your email address in conjunction with registration on our marketplace and you have not raised an objection, we reserve the right, under Article 7 section 3 of the German Law against Unfair Competition (UWG), to send you regular offers via email for products similar to those already provided from our range. This serves to safeguard our interests, which are predominantly justified in the context of a weighing up of interests, in a promotional approach for our customers in accordance with Article 6, section 1 f) GDPR.
You may object to this use of your email address at any time by sending a message to the stated contact details or via a link for this purpose in the advertising email without incurring any costs other than those of communication at the basic rates.
4. PROVIDING DATA TO THIRD PARTIES
Your personal data shall only be provided or otherwise transmitted to third parties if this is required for contract fulfilment or billing purposes, if we are legally obliged to do so or are legally justified in doing so or if you have consented to this in advance.
With regard to queries sent via the contact form in the partner portal, we only forward the data entered therein to the relevant partner via email.
Global data protection policies
Some of the Rakuten services in connection with which your data may be used are delivered in countries in which the standard of data protection does not correspond to the European standard of data protection. In order to guarantee the European standard of data protection within the Rakuten Group and to guarantee the services it provides, the Rakuten group has agreed what are known as Binding Corporate Rules (binding internal data protection provisions). This document is available to view here.
In any case, please note that if you use another Rakuten service, your data is also processed in line with the data protection guidelines for the relevant Rakuten service in use.
5. WEB PRESENCE AND WEBPAGE OPTIMISATION
5.1. Cookies and similar technologies – general information
However, you can configure your browser to prevent cookies from being stored on your computer or always to display a notification before a new cookie is created. However, fully deactivating cookies may mean that you are unable to access our services or cannot use all functions of our website.
The length of time for which cookies are stored depends on their purpose and is not the same across the board.
Once you have objected, an opt-out cookie is usually stored on your end device. If you delete your cookies, you will need to exercise the opt-out option once again.
5.2. Use of Tealium
We use Tealium iQ tag management based on Article 6 section 1 a) and f) GDPR to manage the various analytics services and cookie and pixel tag technologies we use to monitor use of our website. To enable this functionality, a cookie called utag_main is used.
We also use Tealium AudienceStream on our website. This collects and stores data that can be used to create pseudonymised usage profiles. We commission Tealium to use this information to tailor use of the website to requirements automatically and in real time. Tealium collects some non-personal data via a cookie to optimise loading of the tracking pixel. This cookie becomes invalid 13 months after the user’s last session. The following information is stored in the Tealium cookie: timestamp of the visit to the web page, page access ID, visitor ID, session ID, flag (0 or 1) to mark the beginning of the session.
The pseudonymised usage profiles are not combined with personal data on the bearer of the pseudonym without consent, which must be provided separately. The IP address transmitted from your browser will not be combined with the usage profiles either.
Cookies or similar technologies for mobile devices are used to create the usage profiles. You can prevent the storage of cookies by setting your browser software accordingly; however, please note that, in that case, you may not be able to use all functions of our website to their full extent.
5.3. Rakuten web analysis
On this website, data is collected and stored, which is then used to create usage profiles using pseudonyms. These pseudonymous usage profiles are used to analyse user behaviour and are assessed by us and Rakuten Inc. in order to improve our service and tailor it to requirements. Cookies and what are known as clear GIFs (also ‘tracking pixels’ or ‘web beacons’) may be used for this purpose. Clear GIFs are small graphics (usually only 1 x 1 pixel), which are embedded into the website in a way that is not visible and which can be used to measure certain actions taken by visitors to the web page. The pseudonymous usage profiles are not combined with personal data on the bearer of the pseudonym without express consent, which must be provided separately.
You may object to the collection and storage of data at any time with effect for the future by sending a message to the email address stated under point 1 above.
5.4. Use of Google Analytics for web analysis
Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent the collection of the data generated by the cookie and related to their use of the online service by Google and the processing of such data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
You can find more information on use of data for advertising purposes by Google, settings and opt-out options on the Google web pages:
‘Use of data by Google in your use of websites or apps of our partners’, ‘Use of data for advertising purposes’, ‘Managing information that Google uses to show you advertising’ and ‘Determining which advertising Google shows you’.
5.5. Targeting – general
This website uses technologies from various advertising networks to place advertising based on the use of previously visited pages of our or other websites (targeting). The targeting measures used by us and listed below are used in accordance with Article 6, section 1 f) GDPR. By using these targeting measures, we wish to ensure that you are only shown advertising on your end devices based on your actual or presumed interests. It is both in your interests and in ours that we do not inconvenience you by showing you advertising that is not of interest to you.
On our website, cookies are used to collect and assess information on optimising advertising. This information contains, for example, details of which of our products you showed an interest in. Collection and assessment are done exclusively pseudonymously and does not allow us to identify you. In particular, the information is not combined with personal data concerning you. Based on the information, we can show you offers on our page that are specifically targeted towards your interests, as indicated by your previous user behaviour.
We also use retargeting technologies. These allow us to tailor our online service to be of more interest to you. To do this, we use a cookie that collects data on your interests using pseudonyms. Based on this information, you are shown ad displays for our services on our partners’ websites based on your interests. No direct personal data is stored and no usage profile is associated with your personal data.
5.6. Individual providers and options for objection
Google AdWords and DoubleClick
Provider: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data protection information: https://policies.google.com/privacy
Option for objection: Google ad settings deactivation
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Data protection information: https://privacy.microsoft.com/
Option for objection: Deactivate Microsoft on the Digital Advertising Alliance page
Facebook Website Custom Audiences
Provider: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
Data protection information: https://www.facebook.com/privacy/explanation
Option for objection: https://www.facebook.com/ads/website_custom_audiences/
5.7. Allgemeine Widerspruchs-/ Opt-Out-Möglichkeit
As well as the stated deactivation methods, you can also stop the targeting technologies described more broadly using a relevant cookie setting in your browser.
You can also deactivate preference-based advertising using this preference manager.
6. YOUR RIGHTS
As well as the right to withdraw the consent you have provided to us, you have the following rights, subject to the relevant legal requirements being met:
Right to access the personal data we store concerning you in accordance with Article 15 GDPR; in particular, you may access information regarding the purposes of the processing, the category of personal data concerned, the categories of recipient to whom the personal data has been or will be disclosed, the envisaged storage period, the origin of the data, if this was not collected directly from you,
Right to obtain the rectification of inaccurate data or the completion of accurate data in accordance with Article 16 GDPR, right to erasure of data stored by us concerning you in accordance with Article 17 GDPR, providing there are no legal or contractual retention periods or other legal obligations and/or rights to further storage which must be complied with,
Right to restriction of processing your data in accordance with Article 18 GDPR, providing you dispute the accuracy of the data, the processing is unlawful, but you oppose its erasure; the data controller no longer requires the data, but you require said data for the assertion,
exercise or defence of legal claims or you have objected to the processing pursuant to Article 21 GDPR,
Right to data portability Article 20 GDPR, i.e. the right to receive selected personal data stored by us concerning you in a commonly used and machine-readable format or to transmit said data to another controller,
Right to lodge a complaint with a supervisory authority. To do this, you may usually consult the supervisory authority for your ordinary place of residence or place of work or our company headquarters.
For queries regarding the collection, processing or use of your personal data, for access, rectification, blocking or erasure of data and the withdrawal of any consent already issued or objection to a certain use of data, please consult the controller (see point 1 above).
6.2. Right to object in accordance with Article 21, section 1 GDPR
Subject to the conditions of Article 21, section 1 GDPR, data processing may be objected to for reasons arising from the specific situation of the person affected.
The above-mentioned general right to object applies to all purposes of processing described in this data protection information, which are processed based on Article 6, section 1 f) GDPR. Unlike the special right to object to data processing for advertising purposes (see point 3.3 above), according to the GDPR, we are only obliged to implement any such general objection if you give us reasons of overriding importance (e.g. a possible danger to life or health).
7. DATA SECURITY
All data personally transmitted by you, including your payment details, are transferred using the standard security technology SSL (Secure Socket Layer). SSL is a secure, tried and tested standard, which is also used for things like online banking. You can tell a secure SSL connection by the additional s at the end of http (i.e. https://...) in the address bar of your browser or the lock symbol at the bottom of your browser.
We also use suitable technical and organisational security measures to protect the data you store with us from manipulation, partial or total loss and unauthorised third-party access. Our security measures are subject to constant improvement in line with technological advances.