Privacy Policy | Create OCI and cXML PunchOut Catalogs | PunchCommerce

 Privacy Policy

 punchcommerce.de
=================

These privacy notices apply to our offerings available at https://punchcommerce.de, https://www.punchcommerce.de or https://\*.enterprise.punchcommerce.de.

Legal Notice

 Legally binding is only the German version of these privacy notices. The provided English translation is for better understanding and is not legally binding. In case of discrepancies or interpretation issues, the German version shall prevail.

A. Website Data Processing
--------------------------

The privacy notice under A. relates to the processing of your personal data in the context of our website as an internet presence.

For the processing of your personal data in the context of our services, please see [Section B](#b).

### 1. Name and Address of the Controller

Unless expressly stated otherwise in this privacy notice, the controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union, and other provisions of a data protection nature is:

**netzdirektion | Gesellschaft für digitale Wertarbeit mbH,**
 *legally represented by the Managing Director: Patrick Dornbusch*
 Adam-Foßhag-Str. 29
 65428 Rüsselsheim am Main

Phone: [+49 (0) 6142 / 953 80 - 60](tel:061429538060)
 Email:

### 2. Name and Address of the Data Protection Officer

The Data Protection Officer of the controller is:

**Mr. Attorney Jens Engelhardt,
 his deputy is Mr. Attorney Prof. Sven Kolja Braune**

 c/o NOTOS Xperts GmbH
 Heidelberger Str. 6
 64283 Darmstadt

Phone: +49 6151-52010-0
Fax: +49 6151-52010-99

Website: www.notos-xperts.de
 Email: datenschutz@notos-xperts.de

Any data subject may contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.

### 3. Definitions

The privacy notice of netzdirektion | Gesellschaft für digitale Wertarbeit mbH is based on the terminology used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy notice is intended to be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.

In this privacy notice and on our website, we use, among others, the following terms:

#### 3.1 Personal Data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

#### 3.2 Data Subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller.

#### 3.3 Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

#### 3.4 Restriction of Processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

#### 3.5 Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

#### 3.6 Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

#### 3.7 Controller or Controller Responsible for the Processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

#### 3.8 Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

#### 3.9 Recipient

Recipient means a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

#### 3.10 Third Party

Third party means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

#### 3.11 Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

### 4. General Notes on Data Processing

Data protection, data security, and confidentiality are of high priority for netzdirektion | Gesellschaft für digitale Wertarbeit mbH (hereinafter also referred to as netzdirektion). The lasting protection of your personal data, your company data, and your trade secrets is important to us.

You can generally visit our website without providing any personal information. However, if you wish to use services of our company via our website, the provision of personal data may be necessary. As a rule, we use the data you provide and the data collected and stored during the use of the website exclusively for our own purposes, namely for the operation and provision of our website and the initiation, performance, and execution of the services/offers provided via the website (contract fulfilment), and do not disclose them to third parties unless there is an obligation ordered by authorities. In all other cases, we obtain your separate consent.

The processing of your personal data is carried out in accordance with the requirements of the General Data Protection Regulation and in compliance with the country-specific data protection provisions applicable to netzdirektion. By means of this privacy notice, we would like to inform you about the nature, scope, and purpose of the personal data we process. Furthermore, we inform you by means of this privacy notice about the rights to which you are entitled.

netzdirektion has implemented technical and organisational measures to ensure an appropriate level of protection for personal data processed via this website. Nevertheless, internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed.

### 5. Collection of General Data and Information

The website of netzdirektion collects a series of general data and information each time it is accessed by a data subject or an automated system. This general data and information is stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-pages accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that serves to avert danger in the event of attacks on our information technology systems.

When using this general data and information, netzdirektion does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) ensure the permanent functionality of our information technology systems and the technology of our website, and (3) provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. This anonymously collected data and information is therefore evaluated by netzdirektion both statistically and with the aim of increasing data protection and data security in our company, in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from all personal data provided by a data subject.

### 6. Inquiry Form and Telephone or Email Contact

Our website contains an inquiry form which can be used for electronic contact. When you use the form, in addition to the general information mentioned in Section 5, the following data is transmitted to us and stored:

- Name
- Company
- Telephone
- Email
- Message
- Upload of requirement documents in PDF or ZIP format

The data collected during the contact process is automatically transmitted to our ticket system and further processed for responding to your inquiry. In this process, we use an AI tool trained and operated by us, which provides us with suggested responses based on the inquiry and previous tickets, in order to accelerate and optimise the answering of inquiries.

After processing a ticket, the tickets are fed into the AI tool. This enables us to answer future inquiries more quickly and efficiently. The tool was programmed by us and does not contain any third-party software. Your data is not processed online in this context and is not forwarded to any other providers.

Our website also contains contact information. It is possible to contact us via the provided email address, fax, or telephone number. When you contact us via one of these means, the personal data you transmit to us is automatically stored (email, fax) or recorded and manually stored by us. In this context, no data is passed on to third parties. The data is used exclusively for processing the conversation or handling your inquiry.

### 7. Cookies

#### 7.1 Scope and Description of Data Processing

Our website uses only technically necessary cookies required for the operation of the website. In no case is data transmitted to third-party providers.

Cookies are text files that are stored in or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that enables the browser to be uniquely identified when the website is accessed again.

#### 7.2 Technically Necessary Cookies

##### Legal Basis

§ 25 (2) TDDDG in conjunction with Art. 6 (1) lit. f GDPR for technically strictly necessary cookies

##### Storage Purpose

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

##### Storage Duration

We define the shortest possible lifetime for cookies. Furthermore, you have the option to manually delete cookies on your device at any time.

##### Objection

By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website to their full extent.

The following technically necessary cookies may be stored in your browser during your visit to our website.

| Name | Purpose |
| --- | --- |
| punch\_commerce\_session | Maintains the user's state across all page requests. |
| XSRF-TOKEN | Required for the secure transmission of form data to our server. |

### 8. Newsletter

On our website, we use a newsletter service provided by Brevo. The provider is SendinBlue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany (or SendinBlue SAS, 55 rue d'Amsterdam, 75008 Paris, France; e.g., as the server location). Brevo is a service that can be used to organise and analyse the sending of newsletters. The data you enter for the purpose of receiving the newsletter (e.g., email address) is stored on the servers of SendinBlue.

Our newsletters sent via Brevo enable us to analyse user behaviour. For example, it is recorded how many recipients opened the newsletter and which links in the newsletter were clicked and how often. So-called tracking links are used to count these clicks.

During the newsletter registration, the following data from the input form is transmitted to us:

- Your email address \*

Fields marked with \* are mandatory.

In addition, the following data is collected during registration:

- IP address of the accessing computer
- Date and time of registration

For the processing of data, we obtain your consent within the framework of the so-called double opt-in procedure. In this process, we also refer to this privacy notice.

If you do not want analysis by Brevo, you can unsubscribe from the newsletter at any time. You will find a corresponding unsubscribe link in every newsletter email. Alternatively, you can revoke your consent at any time with effect for the future by sending an email to the address stated in our legal notice.

The data you have provided for the newsletter is stored by us until you unsubscribe from the newsletter. After unsubscribing, your data is deleted from both our servers and the servers of SendinBlue. Data that has been stored by us for other purposes (e.g., for the members area) remains unaffected.

Further information can be found in our privacy notice and in Brevo's privacy policy at:

### 9. Use of Matomo (Cookieless Tracking)

We use the web analytics tool "Matomo" by InnoCraft Ltd. (7 Waterloo Quay PO625, 6140 Wellington, New Zealand) to analyse and regularly improve the use of our website. Matomo enables us to generate statistics and improve our offering, thus making it more interesting for you as a user. Cookie tracking is deactivated in the analytics tool. We therefore only collect technically necessary data for which no consent is required. Your IP address is collected in anonymised form by masking the last 2 bytes. This means that it is no longer possible to assign the truncated IP address to the accessing computer. In addition, an overview of your access data, the browser and device type you used, and the activities you performed on our website is stored. When individual pages of our website are accessed, the following data is stored:

- IP address (masked 2 bytes) of your accessing system (e.g., 192.168.xxx.xxx)
- Browser type and version, screen resolution, language settings, local time, operating system used
- The number of pages and files you access on our website, time spent on the website, frequency of your visits, number of actions, bounce rate, page generation time
- The website from which you visit us (referrer URL) - unless your browser prevents this
- Device used (e.g., television, consoles, smartphones, desktops, etc.)
- Where applicable, the website you visit after ours (when clicking an external link on our website)
- Date and time of your access.

No tracking cookies are placed on your computer as part of our web analytics. The Matomo software and the data collected by Matomo are operated, stored, and processed exclusively on our own servers.

The processing is based on our legitimate interest in the statistical analysis of user behaviour for optimisation and marketing purposes pursuant to Art. 6 (1) lit. f GDPR. You have a right to object pursuant to Art. 21 GDPR (see below).

The IP address transmitted by your browser is neither merged with other data collected by us nor disclosed to third parties.

### 10. LinkedIn Page

We maintain a page on the platform of the provider LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We use this page to:

- Present our company and our services
- Engage and stay in contact with the community and followers
- Handle questions and concerns from customers and prospects

When visiting our page, LinkedIn as the controller collects personal data of users, for example through the use of cookies. Such data collection by LinkedIn may also occur for visitors to this page who are not logged in or registered with LinkedIn. Information about data collection and further processing by LinkedIn can be found in LinkedIn's privacy notices at https://www.linkedin.com/legal/privacy-policy?\_l=de\_DE.

netzdirektion | Gesellschaft für digitale Wertarbeit mbH cannot trace which user data LinkedIn collects. netzdirektion | Gesellschaft für digitale Wertarbeit mbH also does not have full access to the collected data or your profile data. netzdirektion | Gesellschaft für digitale Wertarbeit mbH can only see the public information of your profile. You decide which information this includes in your LinkedIn settings.

If our page offers a chat function, netzdirektion | Gesellschaft für digitale Wertarbeit mbH uses your data when using the chat function to answer your inquiry. The service and customer support information collected in this way serves to contact you in order to provide you with the desired information and offers.

Based on legitimate interest, netzdirektion | Gesellschaft für digitale Wertarbeit mbH receives anonymous statistics from LinkedIn regarding the use and utilisation of the page. The following information is provided:

- Followers: Number of people who follow netzdirektion | Gesellschaft für digitale Wertarbeit mbH - including growth and development over a defined time frame.
- Reach: Number of people who see a specific post. Number of interactions with a post. From this, it can be derived, for example, which content resonates better with the community than others.
- Ad performance: How many people were reached by a post or paid advertisement and interacted with it?

These statistics, from which we cannot draw conclusions about individual users, are used by us to continuously improve our online offering on LinkedIn and to better respond to the interests of our community. We cannot link the statistical data to the profile data of our followers. You can decide in your LinkedIn settings in what form targeted advertising is displayed to you.

netzdirektion | Gesellschaft für digitale Wertarbeit mbH receives personal data via LinkedIn when you actively share it with us via a personal message on LinkedIn. We use your data (e.g., first name, last name, company, and position) to respond to your inquiry. Your data is stored for this purpose. Further information about the processing of personal data by netzdirektion | Gesellschaft für digitale Wertarbeit mbH and about your rights can be found in this privacy notice.

### 11. Use of Easyfeedback

For conducting surveys and feedback forms, we use the service Easyfeedback. The provider is easyfeedback GmbH, Ernst-Abbe-Straße 4, 56070 Koblenz, Germany.

Easyfeedback enables us to conduct surveys and feedback processes in a data-protection-compliant and efficient manner. The data you provide in the context of surveys or feedback forms is stored and processed on Easyfeedback's servers in Germany.

Participation in surveys is voluntary. The following data is processed in the context of the survey:

- Answers to the questions asked
- Date and time of participation
- IP address (stored in anonymised form)

The processing of data is carried out exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR. You may revoke your consent at any time with effect for the future.

The collected data is used exclusively for the evaluation of the respective survey and is not used for other purposes. The data is evaluated in anonymised form, unless you have expressly given us your consent to process personal data.

The data you have provided in the context of the survey will be deleted as soon as the purpose of the collection no longer applies. As a rule, deletion takes place no later than 12 months after the completion of the survey.

Further information on data protection at Easyfeedback can be found at:

### 12. Legal Bases, Purposes of Processing, Storage Duration, Objection and Removal Options

#### 12.1 General Information on Legal Bases

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

In the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests, fundamental rights, and fundamental freedoms of the data subject do not override the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

#### 12.2 General Information on Data Erasure and Storage Duration

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the purpose of entering into or performing a contract.

#### 12.3 Individual Details

| Date / Data | General system data per Section 5 |
| --- | --- |
| Legal Basis | Art. 6 (1) lit. f GDPR (legitimate interest) |
| Storage Purpose | The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. |
| Storage Duration | The data is deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collection for the provision of the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after no more than seven days. Storage beyond this period is possible. In this case, the IP addresses of users are deleted or anonymised so that assignment of the accessing client is no longer possible. |
| Objection / Removal Option | No, as it is strictly necessary for the operation of the website |

| Date / Data | Data from inquiry form and email contact per Section 6 |
| --- | --- |
| Legal Basis | The legal basis for the processing of data for inquiries via the inquiry form and/or email is generally Art. 6 (1) lit. b GDPR (contract fulfilment; pre-contractual measures); Art. 6 (1) lit. c GDPR (fulfilment of a legal obligation, e.g., answering data protection questions) and otherwise Art. 6 (1) lit. f GDPR (legitimate interest). |
| Storage Purpose | The processing of personal data from the input form/email serves solely for the processing of the contact or the inquiry. This also constitutes the required legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems. |
| Storage Duration | The data is deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input form of the inquiry form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved. The foregoing does not apply if the correspondence is subject to a commercial retention obligation. The additional personal data collected during the sending process is deleted after a period of seven days at the latest. |
| Objection / Removal Option | The user has the option to object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. |

| Date / Data | Cookies per Section 7 |
| --- | --- |
| Legal Basis | § 25 (2) TDDDG in conjunction with Art. 6 (1) lit. f GDPR for technically strictly necessary cookies. Otherwise: § 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a GDPR (consent) |
| Storage Purpose | The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. The use of analytics cookies serves the purpose of improving the quality of our website and its content. Through analytics cookies, we learn how the website is used and can thus continuously optimise our offering. These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 (1) lit. f GDPR. |
| Storage Duration | Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. |
| Objection / Removal Option | By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website to their full extent. |

| Date / Data | Newsletter |
| --- | --- |
| Legal Basis | Art. 6 (1) lit. f GDPR (legitimate interest). |
| Storage Purpose | Acquisition of new customers and existing customer retention |
| Storage Duration | The data is deleted as soon as it is no longer necessary for the purpose of its collection or the user revokes consent. |
| Objection / Removal Option | The user has the option to object to the storage of their personal data at any time. |

| Date / Data | Use of Matomo (cookieless tracking) per Section 9 |
| --- | --- |
| Legal Basis | The legal basis for the processing of data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the analysis and optimisation of our website in order to make our offering more user-friendly. If you have consented to data processing (e.g., through cookies), the legal basis is Art. 6 (1) lit. a GDPR. |
| Storage Purpose | The processing serves the statistical analysis of user behaviour on our website in order to continuously improve the functionality and content and to optimise the user experience. |
| Storage Duration | The collected data is either processed in anonymised form or, if technically required, deleted no later than 6 months. If you revoke your consent, the data will be deleted immediately. |
| Objection / Removal Option | You can object to the processing of your data by Matomo at any time by activating the Do-Not-Track function of your browser or by deactivating the use of cookies via your browser settings. Furthermore, you may revoke your consent, if given, at any time with effect for the future. |

| Date / Data | Use of LinkedIn per Section 10 |
| --- | --- |
| Legal Basis | The legal basis for the processing of data is our legitimate interest (Art. 6 (1) lit. f GDPR). Our legitimate interest arises from the interaction and communication with LinkedIn users and the promotion of our company and our services. If you have consented to data processing, e.g., by clicking a checkbox, the legal basis for the processing is consent (Art. 6 (1) lit. a GDPR). |
| Storage Purpose | The purpose of storage is the improvement of our information offering and the handling of your contact with us or your inquiry. Further purposes of processing are determined by the provider LinkedIn. |
| Storage Duration | The data is deleted as soon as our legitimate interest no longer exists or we are obligated to delete the data due to legal or regulatory orders. If the processing is based on consent, the data will be deleted when the user revokes their consent. |
| Objection / Removal Option | As a user, you have the option at any time to object to the processing of your data pursuant to Section 13.7. For further information, please refer to the privacy policy provided by LinkedIn. |

| Date / Data | Answers to surveys, date and time of participation, anonymised IP address, as well as optionally voluntarily provided personal data (e.g., email address, if explicitly requested). |
| --- | --- |
| Legal Basis | The processing of data is carried out exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR. You may revoke your consent at any time with effect for the future. |
| Storage Purpose | The processing of data serves the conduct and evaluation of surveys and feedback forms in order to improve services, products, or internal processes. |
| Storage Duration | The data is deleted as soon as the purpose of the collection no longer applies, generally no later than 12 months after the completion of the survey. If you revoke your consent, the data will be deleted immediately. |
| Objection / Removal Option | You can object to the processing of your data at any time by revoking your consent. The revocation can be made by contacting us or directly via Easyfeedback. Further information can be found in Easyfeedback's privacy policy at: |

### 13. Your Rights

If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-a-vis the controller:

#### 13.1 Right of Access

You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may request information from the controller regarding the following:

- the purposes for which the personal data is being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored or, if specific information is not possible, criteria for determining the storage period;
- the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data where the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and - at least in those cases - meaningful information about the logic involved and the scope and the intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

#### 13.2 Right to Rectification

You have a right to rectification and/or completion vis-a-vis the controller, provided that the processed personal data concerning you is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

#### 13.3 Right to Restriction of Processing

Under the following conditions, you may request the restriction of processing of the personal data concerning you:

- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
- the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defence of legal claims; or
- if you have objected to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

Where processing of personal data concerning you has been restricted, such data may - apart from storage - only be processed with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

#### 13.4 Right to Erasure

##### 13.4.1 Obligation to Erase

You may request the controller to erase personal data concerning you without undue delay, and the controller is obligated to erase such data without undue delay where one of the following grounds applies:

The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

You withdraw your consent on which the processing was based pursuant to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR, and there is no other legal basis for the processing.

You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.

The personal data concerning you has been unlawfully processed.

The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

##### 13.4.2 Information to Third Parties

Where the controller has made the personal data concerning you public and is obligated pursuant to Art. 17 (1) GDPR to erase it, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as a data subject have requested the erasure of all links to, or copies or replications of, those personal data.

##### 13.4.3 Exceptions

The right to erasure does not apply to the extent that processing is necessary:

- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise, or defence of legal claims.

#### 13.5 Right to Notification

If you have exercised the right to rectification, erasure, or restriction of processing vis-a-vis the controller, the controller is obligated to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-a-vis the controller to be informed about these recipients.

#### 13.6 Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, where the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR, and the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons must not be impaired by this. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

#### 13.7 Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions. The controller shall no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes.

You have the option, in the context of the use of information society services - notwithstanding Directive 2002/58/EC - to exercise your right to object by means of automated procedures using technical specifications.

#### 13.8 Right to Withdraw Consent

You have the right to withdraw your data protection consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

#### 13.9 Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for entering into, or performance of, a contract between you and the controller, is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent. However, such decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g applies and suitable measures to safeguard your rights, freedoms, and legitimate interests have been taken. With regard to cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights, freedoms, and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view, and to contest the decision.

#### 13.10 Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant about the status and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

B. PunchCommerce Platform Data Processing
-----------------------------------------

The following privacy notice relates to the data processing carried out in the context of our services on the PunchCommerce platform. This privacy notice applies in addition to the data processing already described in Section A on our website for the use of the services we offer.

### 1. Controller

For the processing of personal data described below, either we, netzdirektion | Gesellschaft für digitale Wertarbeit mbH, or, as defined below, Users or Customers, are independent controllers within the meaning of data protection law, as specified in the information under "11.3 Individual Details" in this section.

For details on which user is the controller for the personal data concerning you, please refer to the tab "Information on the Controller".

### 2. Contact Details of the Data Protection Officer

netzdirektion | Gesellschaft für digitale Wertarbeit mbH

**Mr. Attorney Jens Engelhardt,
 his deputy is Mr. Attorney Prof. Sven Kolja Braune**

 c/o NOTOS Xperts GmbH
 Heidelberger Str. 6
 64283 Darmstadt

Phone: +49 6151-52010-0
Fax: +49 6151-52010-99

Website: www.notos-xperts.de
 Email: datenschutz@notos-xperts.de

Any data subject may contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.

User/Customer:

Whether the User or Customer has appointed a Data Protection Officer and, if so, their contact details can be found in the tab "Information on the Controller" on the PunchCommerce portal.

### 3. Definitions

- Us/We: netzdirektion | Gesellschaft für digitale Wertarbeit mbH
- Business Partner: Customer of our customer
- User of a Business Partner: Authorised representative or employee of the customer of our customer
- User or Customer: User of our platform who creates business partners
- Furthermore, the definitions set out under Section A. 3 of this privacy notice apply.

### 4. Collection of General Data and Information

Our website collects a series of general data and information each time it is accessed by a data subject or an automated system. This general data and information is stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-pages accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that serves to avert danger in the event of attacks on our information technology systems.

When using this general data and information, netzdirektion does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimise the content of our website and advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. This anonymously collected data and information is therefore evaluated by netzdirektion both statistically and with the aim of increasing data protection and data security in our company, in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from all personal data provided by a data subject.

### 5. Creation of a User Account

It is possible to create a personalised user account. In this process, the following data is transmitted to us and stored until the deletion of the user account or the end of the statutory warranty periods:

- Name
- Email address.

In the event of entering into a contract, the following data is additionally transmitted to us and stored until the deletion of the user account or the end of the statutory retention obligation:

- Company
- Address
- Billing email address.

### 6. Login

Upon login, the following data is transmitted to us and stored:

- Time of login
- IP address
- Type of device
- Browser used
- Username
- Password

### 7. Creation of a Business Partner

When creating a business partner, the name assigned by the user is stored by us, and a randomly generated username and a randomly generated password are created and displayed to the user.

### 8. Access to Our Service by Employees of the Business Partner

#### 8.1 Access to the OCI PunchOut Catalog by Employees of the Business Partner

Access to the OCI PunchOut catalog is not person-specific. The following information is transmitted to us upon access via the OCI protocol. The OCI protocol is a protocol for the transmission of shopping carts to an ERP system.

- General environment information (browser used, OCI client software version used)
- Time of access
- IP address
- Username
- Password
- Information about products placed in the shopping cart.

#### 8.2 Access to the cXML PunchOut Catalog by Employees of the Business Partner

Access to the cXML PunchOut catalog by the user of a business partner is not person-specific. The following information is transmitted to us upon access via the cXML protocol. The cXML protocol is a protocol for the transmission of shopping carts to an ERP system.

- General environment information (browser used, cXML client software version used)
- IP address
- Time of access
- Username
- Password
- Billing address within the business partner's company
- Delivery address within the business partner's company
- Email address, first name, and last name of the user within the business partner's company
- Information about products placed in the shopping cart.

#### 8.3 Access to the OCI Gateway Function by Employees of the Business Partner

We offer the user the option to configure our application as a gateway (access point) to their online shop via the OCI protocol. In this case, upon access by the user of the business partner, the following data is transmitted to us:

- General environment information (browser used, OCI client software version used)
- Time of access
- IP address
- Username
- Password
- Information about products placed in the shopping cart.

### 9. Use of Plugins for Various Online Shop Systems

#### 9.1 Use of the Shopware 5 Plugin

We offer a free software extension for Shopware 5 that enables the upload of products for display in a PunchOut catalog within our platform. When using the plugin for the upload of products to our platform, the following data is transmitted to us:

- General environment information (browser used)
- Address of the Shopware shop
- Time of access
- IP address
- API key.

#### 9.2 Use of the Shopware 6 Plugin

We offer a free software extension for Shopware 6 that enables the upload of products for display in a PunchOut catalog. Furthermore, the plugin enables access to the online shop via the Gateway OCI protocol (see also 7.). When using the plugin for the upload of products to our platform, the following data is transmitted to us:

- General environment information (browser used)
- Address of the Shopware shop
- Time of access
- IP address
- API key.

When using the plugin for access by the user of a business partner, the following data is transmitted to us:

- General environment information (browser used, OCI client software version used)
- Address of the Shopware shop
- Time of access
- IP address
- Username
- Password
- API key
- Information about products placed in the shopping cart.

#### 9.3 Use of the JTL Shop Plugin

When using the plugin for access by the user of a business partner, the following data is transmitted to us:

- General environment information (browser used, OCI client software version used)
- Address of the online shop
- Time of access
- IP address
- Username
- Password
- API key
- Information about products placed in the shopping cart.

### 10. Creation of a Support Request

We offer the logged-in user the option to create support requests. When creating a support request, the following data is transmitted to our ticket system:

- Type of request
- Title of request
- Name of business partner
- Description
- Time of access
- IP address
- Username
- File attachments, if uploaded

### 11. Legal Bases, Purposes of Processing, Storage Duration, Objection and Removal Options

#### 11.1 General Information on Legal Bases

We process your personal data exclusively on the basis of a legal basis.

Insofar as the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.

For data processing on behalf of our User/Customer, the processing of your personal data is based on contract fulfilment pursuant to Art. 6 (1) lit. b GDPR between the business partner and the User/Customer. We have concluded a data processing agreement with the User/Customer pursuant to Art. 28 GDPR regarding this processing.

#### 11.2 General Information on Data Erasure and Storage Duration

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the purpose of entering into or performing a contract.

#### 11.3 Individual Details

**Date/Data:** User account and login per Sections 5 and 6

**Controller:** Netzdirektion | Gesellschaft für digitale Wertarbeit mbH

**Legal Basis:** Insofar as the user has entered into a contract with us, the data processing is based on Art. 6 (1) lit. b GDPR (contract fulfilment). The legal basis for creating a user account for the use of our trial offer is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, to promote our service and to enable potential customers to trial our service.

**Storage Purpose:** The purpose of storing the user account is to make our service available to the contractual partner / customer.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for contract fulfilment. For the personal data of the user account, this is the case when the respective contractual relationship with the user has ended. The foregoing does not apply if the data is subject to a statutory retention obligation. In this case, the personal data is deleted after the expiry of the retention obligation.

**Objection / Removal Option:** The customer is entitled to terminate the contract and delete their user account at any time. Personal data that is processed due to statutory retention periods will in any case only be deleted after the expiry of the legally prescribed obligation.

**Date/Data:** Fraud prevention and technical functionality of our service

**Controller:** Netzdirektion | Gesellschaft für digitale Wertarbeit mbH

**Legal Basis:** The processing of personal data is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest consists in the prevention and resolution of technical problems and fraud prevention.

**Storage Purpose:** We process technical data (IP address, API key, IP address, device information, etc.) to prevent fraud cases. Furthermore, we process the data to ensure the technical functionality of our service and to optimise functionality and resolve errors. The processing of username and password data also serves to prevent fraud cases and to enable a user to access our service.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for the fulfilment of the stated purposes. Accordingly, the data is deleted after a maximum period of 30 days.

**Objection / Removal Option:** There is no option to object, as the processing is strictly necessary for our legitimate interest in fraud prevention and error resolution. However, the data is deleted after a short period (see storage duration).

**Date/Data:** Creation of a business partner per Section 7

**Controller:** Responsible User/Customer

**Legal Basis:** The legal basis for the processing of personal data of business partners is contract fulfilment between the business partner and the customer pursuant to Art. 6 (1) lit. b GDPR.

**Storage Purpose:** The purpose of storing the data of a business partner is to make the PunchOut catalog available to the business partner and to enable the interaction of the business partner with the client via the PunchOut catalog/gateway.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for contract fulfilment. For the personal data of the business partner's user account, this is the case when the respective contractual relationship with the user has ended. The foregoing does not apply if the data is subject to a commercial retention obligation.

**Objection / Removal Option:** The business partner can contact the user who registered their data as a business partner and request them to delete the data via the application interface. Such a deletion does not lead to the deletion of data that we are required to store due to statutory retention periods.

**Date/Data:** Access to our service by employees of the business partner per Section 8

**Controller:** Responsible User/Customer

**Legal Basis:** The processing is carried out for contract fulfilment or contract initiation between our customer and the business partner. The processing of personal data relating to employees of the business partner is based on the legal basis of contract fulfilment pursuant to Art. 6 (1) lit. b GDPR (contract fulfilment).

**Storage Purpose:** The data (in particular information about products in the shopping cart) is processed and stored to enable the use of the software solutions described in Section 7 for the customer and their business partners (through their employees). The username and password are processed to implement access restrictions to the business partner's account. The technical data (browser, software version, IP address, time of access) is processed to ensure the functionality of the service.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for the stated purposes. For the personal data of the business partner's user account, this is the case when the respective contractual relationship with the customer (user) has ended. The foregoing does not apply if the data is subject to a commercial retention obligation. The technical data is deleted after a period of 14 days.

**Objection / Removal Option:** The business partner is entitled at any time to request the deletion of data from the customer or from us. Such entitlement on the part of an employee exists only within the framework of the data subject rights described below. Data that serves as evidence of completed transactions is deleted exclusively after the expiry of the applicable statutory retention periods.

**Date/Data:** Use of plugins for various online shop systems per Section 9

**Controller:** Responsible User/Customer

**Legal Basis:** The processing is carried out for contract fulfilment or contract initiation between our customer and the business partner and the execution of business in our customer's online shop. Accordingly, the processing is based on the legal basis of contract fulfilment pursuant to Art. 6 (1) lit. b GDPR (contract fulfilment).

**Storage Purpose:** The data (in particular information about products in the shopping cart) is processed and stored to enable the use of the software solutions described in Section 8 for the customer and their business partners (their employees). The username and password are processed to implement access restrictions to the business partner's account. The technical data (browser, software version, IP address, time of access, API key) is processed to ensure the functionality of the service, in order to enable smooth contract execution.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for the stated purposes. For the personal data of the business partner's user account, this is the case when the respective contractual relationship with the customer (user) has ended. Furthermore, the personal data is deleted as soon as the contractual relationship of the business partner with our customer has ended and the business partner deletes their account. The foregoing does not apply if the data is subject to a statutory retention obligation.

**Objection / Removal Option:** The business partner is entitled at any time to request the deletion of data from the customer or from us. Such entitlement on the part of an employee exists only within the framework of the data subject rights described below. Data that serves as evidence of completed transactions is deleted exclusively after the expiry of the applicable statutory retention periods.

**Date/Data:** Creation of a support request per Section 10

**Controller:** Netzdirektion | Gesellschaft für digitale Wertarbeit mbH

**Legal Basis:** We process your personal data in the context of support requests on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest consists in providing support for our customers, prospects, and users regarding our service and our internet offering.

**Storage Purpose:** We process the data transmitted to us in the context of a support request in order to contact you regarding the resolution of the problem or request and to answer your inquiry. We process the content of your request in order to specifically assist you with the described matter.

**Storage Duration:** The data is deleted as soon as it is no longer necessary for the above-mentioned purposes.

**Objection / Removal Option:** The user has the option to object to the storage of their personal data at any time. In such a case, the support request cannot be processed.

**Date/Data:** Retention of personal data based on statutory retention periods

**Controller:** Netzdirektion | Gesellschaft für digitale Wertarbeit mbH

**Legal Basis:** The processing of personal data for statutory retention periods is carried out due to a legal obligation. Accordingly, Art. 6 (1) lit. c GDPR serves as the legal basis.

**Storage Purpose:** Personal data collected in the course of using our service that must be retained in accordance with statutory provisions is stored by us for the duration of this period. The data is processed exclusively for the legally prescribed purposes.

**Storage Duration:** The retention period is determined in accordance with the respective provision (e.g., §§ 147 AO, 257 HGB – 6 or 10 years).

**Objection / Removal Option:** No, as the processing is legally required.

### 12. Your Rights

You are entitled to the rights listed under Section A, Paragraph 13.

These rights include:

- Right of access
- Right to rectification
- Right to restriction of processing
- Right to erasure
- Right to notification
- Right to data portability
- Right to object

Furthermore, you have the right to lodge a complaint with the supervisory authority responsible for us.

You may exercise these rights by sending a request to the following address: datenschutz@notos-xperts.de

In your relationship with the User/Customer, you may also exercise these rights vis-a-vis them. For this purpose, please contact the User/Customer at the email address provided in the tab "Information on the Controller" on the "Privacy Notice" page.

Note: We and the User/Customer are each independent controllers within the meaning of Art. 4 No. 7 GDPR.

As of: March 2026

