Privacy Policy

of Schokoladenmuseum Köln GmbH, Am Schokoladenmuseum 1a, 50678 Cologne,

represented by the managing directors Annette Imhoff and Dr Christian Unterberg-Imhoff

(hereinafter “Chocolate Museum”)

When you visit our web offerings, data about your use is collected and retained for technical reasons.

The Chocolate Museum respects and protects your privacy when you use its services; we generally aim to enable anonymous use of all offerings.

To the extent that you have provided us with personal data, we collect, retain and use such data only where this is necessary to answer your enquiries, to establish, handle and perform contracts concluded with you or to render the services and for the technical administration.

In this Privacy Policy, you will learn about

  • the data we capture when you visit the Chocolate Museum website, use one of the contact forms or use the Chocolate Museum Online Shop,
  • the purposes for which we process your data and
  • the rights and setting options you have, in particular how you may object to the processing of your data and withdraw any consent you might have given.
1. What company is responsible for the Chocolate Museum Online Shop?

The company responsible in terms of the European Data Protection Regulation (GDPR) for data processing in connection with your use of the Chocolate Museum Online Shop is the

Schokoladenmuseum Köln GmbH
Am Schokoladenmuseum 1a
50678 Cologne

In the following, “we”, “us” or “Chocolate Museum” therefore refers to Schokoladenmuseum Köln GmbH as the operator of the Chocolate Museum Online Shop. Further details about our company and our contact details can be found in the Site Notice.

You may contact our Data Protection Officer at datenschutzbeauftragter@schokoladenmuseum.de or at our postal address set out above by adding “FAO the Data Protection Officer”.

2. What data is captured by the Chocolate Museum?

2.1 When you visit our website

You may visit the Chocolate Museum website without providing any information about yourself. In this case, we capture the technical access data your browser automatically transmits to our server in the course of page views. The access data includes, in particular, the following details:

  • date and time of access
  • address of the accessed website and of the requesting website
  • content of the request (addresses and designations of the requested files)
  • details about the browser used and the operating system (versions, language settings)
  • online identifiers (e.g. IP address, device identifiers, session IDs)
  • any error messages (if the requested contents cannot be displayed)
  • the website you previously visited and from which you accessed a website of the Chocolate Museum Online Shop via a link

During your visit, your access data is automatically retained in the server log files of our server and then anonymised, with your IP address either being shortened or erased. It is then no longer possible to draw any direct conclusions about you based on the server log files.

2.2 Cookies
We use cookies in the Chocolate Museum Online Shop. These may be cookies set by us (“Chocolate Museum cookies”) and cookies from third-party providers. A cookie is a standardised text file that is stored by your browser for a period of validity stipulated in advance by the respective provider. Cookies enable the local retention of information, such as language settings, shopping cart contents and temporary identification features, which can be retrieved during subsequent website visits in order to reload the corresponding settings. You may view and erase the cookies used in the security settings of your browser. You may also configure your browser settings according to your wishes and hence, for example, refuse the acceptance of cookies from third-party providers or any cookies at all. Please note that you might not be able to fully use all functions of our website in this case.

Our own Chocolate Museum cookies are used to make your visit to our website more user-friendly and more secure.

In addition, we use cookies from third-party providers for web analysis and advertising purposes. For more information, please refer to clauses 5 and 6 of this Privacy Policy.

2.3 When you register for a Chocolate Museum customer account
Of course, you may also shop in the Chocolate Museum Online Shop as a guest without a personal Chocolate Museum customer account. However, registering with our online shop may make it easier for you to shop with us in the future and provide you with an order history. For example, the address data will be preselected for your next purchase order. With the customer account, we may also retain your data (e.g. ordering data) contiguously in our customer database and, on this basis, show you personalised product recommendations and more relevant search results aligned with your previous shopping interests.

If you register for a Chocolate Museum customer account, we will set up password-protected direct access to your master data retained with us (e.g. name, address, e-mail address, corporate name) and ordering data (products ordered, item numbers). The mandatory information required for the registration is usually marked separately, e.g. with an asterisk (“*”). In addition, we temporarily retain the IP address used by you during the registration for security reasons.

You may erase your Chocolate Museum customer account and the data retained in it at any time. Simply send us an informal message, e.g. by e-mail to service@schokoladenmuseum.de, or use our contact form. Please note that the erasure of your customer account does not automatically extend to the ordering transactions and the personal data retained for this purpose (see clause 8: How long will my data be retained?).

2.4 When you order something from the Chocolate Museum Online Shop
We capture and retain data about the products you order. We also retain data that is directly related to the handling of your purchase orders. Ordering data includes, in particular:

  • details about the products ordered, such as item numbers and quantity
  • e-mail address
  • invoice and delivery address
  • payment data
  • ordering numbers

2.5 When you participate in surveys, sweepstakes and promotional activities
We capture the details you provide when you participate in surveys, sweepstakes and promotional activities.

For example, we occasionally conduct surveys to find out how our offerings are used by our customers and how they feel about contacting the customer service.

For sweepstakes, we use your contact details to notify you of the prize and, where appropriate, to prevent repeated participations.

Detailed notices can be found, where applicable, in separate data protection notices on the respective survey, sweepstake or promotional activity.

2.6 When you contact us
If you contact us via the contact form on our website, by e-mail, phone or any other means, we capture the communication data arising in the process. Depending on the channel you use to contact us, this may include, for example, your contact details (such as your e-mail address or phone number) and the content of your message to us. Phone calls to the Chocolate Museum Service are not recorded.

We also use the offerings of social networks, such as Facebook, Instagram, TripAdvisor and Twitter, to engage with our customers. Please note that the Chocolate Museum has no influence on the terms of use of the social networks and their data processing practices. So please check carefully what personal data you share with us via social networks.

2.7 When you order the Chocolate Museum Newsletter
Where you have subscribed to the Chocolate Museum Newsletter, we retain the data you have provided for this purpose to compile and send the newsletters.

2.7.1 Subscription
If you subscribe to the Chocolate Museum Newsletter, we ask you for the following mandatory details:

  • e-mail address (for the newsletters: visitors, press, education, tourism)
  • salutation (for the newsletters: press)
  • corporate name (for the newsletters: press)
  • department (for the newsletters: press)
  • position (for the newsletters: press)
  • title (for the newsletters: press)
  • first name (for the newsletters: press)
  • name (for the newsletters: press)

We need these details to send and personalise the Chocolate Museum Newsletter for the respective category.

We also use your voluntary details to personalise the Chocolate Museum Newsletter.

To prevent any misuse of e-mail addresses, we usually ask you to confirm your subscription by e-mail in an automated process (double opt-in procedure). Your subscription and any confirmation are logged, with the IP address used also being documented for future reference.

2.7.2 Unsubscription
You may unsubscribe from the Chocolate Museum Newsletter at any time. To unsubscribe, you may, for example, use the unsubscribe link in each Chocolate Museum Newsletter or write an appropriate e-mail to service@schokoladenmuseum.de.

2.7.3 Personalisation
Each Chocolate Museum Newsletter contains a randomly assigned identifier. Using this identifier, we may capture whether and when a newsletter was opened and what links were clicked on, and form pseudonymous usage profiles on this basis.

You do not want us to send you personalised offerings?

If you do not want us to use your data for personalisation in the way described above, you may unsubscribe from the Chocolate Museum Newsletter at any time. We will then erase the generated usage profiles. To unsubscribe, you may, for example, use the unsubscribe link in each Chocolate Museum Newsletter or use the contact form.

2.7.4 Use of newsletter service providers
We deploy technical service providers for the data processing operations set out in these data protection notices. If we have to disseminate your data to a service provider for this purpose, this is done as part of order processing according to our instructions.

2.7.5 Legal bases and other important data protection notices
The legal basis for the data processing described above is point (a) of Art. 6(1) GDPR (consent).

3. For what purposes does the Chocolate Museum use my data?

3.1 Provision of the Chocolate Museum Online Shop
When you visit the Chocolate Museum websites or the Chocolate Museum Online Shop, we process the access data, server log files and cookies generated in the process to provide you with our website and the contents and functions you have accessed, and to ensure the stability and security of our IT systems and databases.

Legal bases:

If you use the Chocolate Museum Online Shop with your Chocolate Museum customer account, the legal basis is point (b) of Art. 6(1) GDPR (contract performance and steps prior to entering into a contract).

If you use the Chocolate Museum Online Shop without registering, the legal basis is point (f) of Art. 6(1) GDPR (balancing of interests based on our legitimate interests set out above).

Insofar as you have consented to the data processing, the primary legal basis is your consent (point (a) of Art. 6(1) GDPR).

3.2 Contract performance, in particular purchase handling
We process your data to perform the contracts concluded with you and to render services at your request. The purposes are primarily governed by the specific contract content or the purpose of the services you have requested. Details on the purposes of processing can be found in the relevant contract documents and terms and conditions, for example our General Terms & Conditions. Examples are:

  • setup and provision of your customer account
  • performance of purchase contracts
  • performance of sweepstakes
  • non-commercial communication with you (e.g. safety notes and changes relevant to the contract)

Legal bases:

Legal basis of this data processing is point (b) of Art. 6(1) GDPR (contract performance and steps prior to entering into a contract).

3.3 Customer service and communication in the context of existing customer relationships
We process your data to provide our customer service. This includes, for example:

  • handling your concerns and enquiries by the Visitor Service
  • non-commercial communication with you (e.g. safety notes and technical support)

Legal basis:

Legal basis of this data processing is point (b) of Art. 6(1) GDPR (contract performance and steps prior to entering into a contract).

3.4 Payment handling
Depending on the payment method agreed, we disseminate the data required to handle payments (e.g. credit card data) to the payment service provider engaged to arrange the payment. In part, the payment service providers also collect such data themselves on their own responsibility. This is subject to the data protection notices of the respective payment service provider.

The transfer of your data to the external payment service providers is based on point (b) of Art. 6(1) GDPR (contract performance).

  • Our payment service provider for payments by credit card is the ePay payment platform of Transact Elektronische Zahlungssysteme GmbH (Transact).

The legal basis for this is point (f) of Art. 6(1) GDPR based on our legitimate interest. We do not retain your real credit card data. You have to enter the credit card data manually again for each purchase.

  • Our payment service provider for payments via PayPal is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).
  • Our credit card acquirer for payments by credit cards of the Visa and Mastercard brands is BS PayOne GmbH, Ferdinand Str. 13, D-44789 Bochum, Germany

3.5 Internal market research, optimisation and advancement of our offering
We use your access data as well as the data you provide (e.g. master data, ordering data) for internal statistical and market research purposes. Before doing so, we pseudonymise or anonymise your data, e.g. by erasing your name and further data suitable for identification from the statistics, before it is processed further.

This allows us, for example, to determine the websites and products of our shop that are particularly popular, the devices our customers generally use or the regions from which our website is accessed. This information helps us to continuously optimise our existing offering and to develop new functions and services.

Legal basis:

Legal basis of such data processing operations is point (f) of Art. 6(1) GDPR (balancing of interests based on our legitimate interests set out above).

3.6 Processing for consented purposes
Where you have consented to us processing your data for certain purposes, the legal basis of the data processing operations for these purposes is primarily your consent (point (a) of Art. 6(1) GDPR).

Withdrawal of consents

You have the right, pursuant to Article 7(2) GDPR, to withdraw at any time any consent you have given us. As a consequence, we will no longer continue any data processing based on such consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4. Chocolate Museum Route Planner (Google Maps)

Our website uses the Google Maps map service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), for the “Route Planner” function. In order for the Google map material we use to be integrated and displayed in your web browser, your web browser must establish a connection to a Google server, which may also be located in the USA, when you access the contact page. In the event that personal data is transferred to the USA, Google has agreed to comply with the EU-US Privacy Shield. As a result, Google is informed that the contact page of our website was accessed from the IP address of your device.

You may use the Route Planner to plan how to get to the Chocolate Museum using Google Maps. You may enter any address data (country, postcode, city and/or street name) to start route planning from there.

Legal basis for such data processing is point (f) of Art. 6(1) GDPR based on our legitimate interest in providing the Route Planner described above.

If you access the Google Maps service on our website while you are logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to be assigned to your Google profile, you need to log out of Google before using our store locator. Google retains your data and uses it for advertising purposes, market research and/or the personalised representation of Google Maps. You may object to such data collection towards Google.

More information on this can be found in the Privacy Policy of Google and the Google Maps Additional Terms of Service.

5. Web analysis

5.1 Google Analytics
Our website uses the Google Analytics web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies with a validity of 14 months to capture your access data when you visit our website. The access data is compiled by Google on our behalf into pseudonymous usage profiles and transferred to a Google server in the USA. Your IP address is anonymised beforehand. We are therefore unable to determine the usage profiles belonging to a specific user. Using the data captured by Google, we can thus neither identify you nor determine how you use our website. In the event that personal data is exceptionally transferred to the USA at the same time, Google has agreed to comply with the EU-US Privacy Shield. Google has thus undertaken to guarantee the European data protection principles and the local level of data protection in the context of data processing in the USA as well.

Google will use the information obtained by the cookies on our behalf to analyse the use of our website, to compile reports on the website activities and to render further services relating to the use of the website and the Internet to us. Further information on this can also be found in the Google Analytics Privacy Policy.

You may object to the web analysis by Google at any time. You have several options to do so:

Legal basis for such data processing is point (f) of Art. 6(1) GDPR (balancing of interests based on our legitimate interest in evaluating the general usage behaviour).

6. Online advertising

Legal basis for the data processing described below is point (f) of Art. 6(1) GDPR (balancing of interests based on our legitimate interest in the interest-related advertising of our products).

You have the option of preventing the retention of cookies from third-party providers which are used to implement the data processing operations described below by setting your browser accordingly (as explained in clause 2.2). The following descriptions also contain further possibilities of objection.

6.1 Facebook
Our websites use conversion and retargeting tags (also “Facebook pixels”) of the Facebook social network, a service of Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”), for marketing purposes. We use Facebook pixels to analyse the general use of our websites and to see how effective Facebook advertising is (“conversion”). In addition, we use the Facebook pixels to play you individualised advertising messages based on your interest in our products (“retargeting”). For this purpose, Facebook processes data collected by the service via cookies and similar technologies on our websites.

The data generated in this context may be transferred by Facebook to a server in the USA for evaluation and retained there. In the event that personal data is transferred to the USA, Facebook has agreed to comply with the EU-US Privacy Shield.

If you are a member of Facebook and have allowed Facebook to do so via the privacy settings in your account, Facebook may also link the information captured about your visit to us to your member account and use it to target Facebook ads. You may view and change the Privacy Settings of your Facebook profile at any time. If you are not a Facebook member, you may stop the data processing by Facebook by clicking on the opt-out button for the “Facebook” provider on the external TrustArc opt-out website. You may further stop data processing by clicking on the following button.

If you opt out from the data processing by Facebook, Facebook will only display generic Facebook ads not selected based on the information captured about you.

More detailed information on this can be found in the Data Policy of Facebook.

6.2 Google AdWords and AdWords Remarketing
Our website uses the “AdWords Conversion Tracking” and “AdWords Remarketing” services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Using “AdWords Conversion Tracking”, we capture and analyse defined customer actions (such as clicking on an ad, page views, downloads). We use “AdWords Remarketing” to show you individualised advertising messages for our products on partner websites of Google. Both services use cookies and similar technologies for this purpose. The data generated in this context may be transferred by Google to a server in the USA for evaluation and retained there. In the event that personal data is transferred to the USA, Google has agreed to comply with the EU-US Privacy Shield.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings retained in your Google account. If you do not wish to be assigned to your Google account, you need to log out of Google before accessing our website.

You may opt out from the processing of your data for personalised online advertising within the Google advertising network at any time. There are several ways to do this:

Please note that if you opt out from personalised advertising, Google will only show you general advertising not selected based on the access data captured about you.

6.3 TripAdvisor
Our website uses plugins from the TripAdvisor website operated by TripAdvisor Inc. The operator of the websites is the company TripAdvisor Inc., 141 Needham Street, Newton, MA 02464, USA. If you visit one of our websites equipped with a TripAdvisor plugin, a connection to the servers of TripAdvisor is established. In this way, the TripAdvisor server receives information about our websites you have visited.

You can find further information about how user data is handled in the TripAdvisor Privacy Policy at https://tripadvisor.mediaroom.com/UK-privacy-policy.

7. To whom is my data disseminated?

In principle, we disseminate your data only if

  • you have given your explicit consent to this under point (a) of Art. 6(1) GDPR,
  • such dissemination under point (f) of Art. 6(1) GDPR is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have any overriding interest worth being protected in the non-dissemination of your data,
  • we are legally obliged to disseminate your data under point (c) or point (e) of Art. 6(1) GDPR, in particular if we are obliged to provide information to an authority, or
  • such dissemination is legally admissible and necessary under point (b) of Art. 6(1) GDPR to execute contractual relationships with you or in order to take steps at your request prior to entering into a contract.

Part of the data processing described in this Privacy Policy may be carried out on our behalf by external service providers. In addition to the service providers set out in this Privacy Policy, this may include, in particular, computer centres used to retain and supervise our website and databases or IT service providers (e.g. Visitate GmbH & Co. KG) maintaining our systems.

If we disseminate data to our service providers, they may only use such data to complete their tasks. The engaged service providers process your data as part of order processing under Article 28 GDPR. The service providers have been carefully selected and engaged by us. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of the data subjects and are regularly controlled by us.

We do not share your data beyond this Privacy Policy with any service provider located in a country outside the European Economic Area (EEA). If you have any questions, please contact our Data Protection Officer.

8. How long will my data be retained?

Unless otherwise stated in this Privacy Policy, we retain your data only for as long as is necessary to meet our contractual or legal duties or to achieve the purposes for which the data has originally been collected or if we have any legitimate interest in continuing to retain it.

In all other cases, we erase your personal data, except for such data that we need to continue to retain to meet legal storage periods. We will, however, restrict processing in such cases, meaning that your data will only be used to comply with legal obligations.

If you cancel your Chocolate Museum customer account or have it erased, we will erase all data retained about you there. If it is not possible or necessary for legal reasons to erase your data in full, the relevant data will be restricted for further processing. As a rule, your ordering and payment data and any further data is subject to legal storage obligations, for example from the German Commercial Code and the Fiscal Code of Germany. We are thus obliged to store such data for up to ten years.

Even if your data is not subject to any legal storage obligation, we may refrain from erasing it in cases permitted by law and block it instead. This applies, in particular, in cases in which we might still need the relevant data to continue contract implementation or legal prosecution or legal defence. The blocking duration in this context is governed by the statutory limitation periods.

9. Your data protection rights

To assert your statutory data protection rights described hereinafter, you may contact our Data Protection Officer (see clause 1) at any time:

You have the right to have access to the processing of your personal data by us at any time. We will explain the data processing when providing such information and will also provide you with an overview of the data retained about your person.

If any data we have retained is incorrect or no longer up to date, you have the right to have such data rectified.

You may also request the erasure of your data. If such erasure is exceptionally not possible due to other legal provisions, the data is blocked so that it is only available for this legal purpose.

You may also have the processing of your data restricted, for example if you consider that the data we retain is incorrect.

You have the right to data portability, which means that we provide you upon request with a digital copy of the personal data you have provided to us.

You also have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is the North Rhine-Westphalia State Officer for Data Protection and Freedom of Information, Kavalleriestraße 2-4, 40213 Düsseldorf.

10. Right of withdrawal and objection

If you want to make use of your following rights of withdrawal or objection, it is sufficient to send an informal message to the contact data set out in clause 1 above.

Withdrawal of consents

You have the right, pursuant to Article 7(2) GDPR, to withdraw at any time any consent you have given us. As a consequence, we will no longer continue any data processing based on such consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Objection to the processing of your data

To the extent that we process your data on the basis of legitimate interests under point (f) of Art. 6(1) GDPR, you have the right, pursuant to Article 21 GDPR, to object at any time to the processing of your data where any grounds relating to your particular situation exist or such objection is brought against direct marketing. In the latter case, you have a general right to object which we will implement even without reasons being given.

11. Data security

We maintain adequate technical and organisational measures to ensure data security, in particular to protect your data against risks during data transfers as well as from unauthorised knowledge by third parties. Such measures are customised in each case in accordance with the current state of the art. To secure the personal data you provide on our website, we use the Secure Sockets Layer (SSL) to encrypt the information you enter.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example if we customise our website or if legal or regulatory requirements change. We will document essential changes in this Privacy Policy and, if necessary, obtain the consent of our customers.