Data protection regulations for communication via WhatsApp

The following data protection regulations apply to communication with the wholesale business of Orion Versand GmbH & Co. KG, Flensburg, via WhatsApp.

I. Name and Address of the Responsible Party

The responsible party for the purpose of the General Data Protection Regulation (GDPR) and other national data protection acts of the member states as well as other data protection regulations is:

ORION Versand GmbH & Co. KG
Schäferweg 14
24941 Flensburg
Deutschland
Tel.: 0461 50 40 0
E-Mail.: service@orion.de

II. Name and Address of the Data Protection Officer

The Data Protection Officer is:

Stefan Götz
Schäferweg 14
24941 Flensburg
Tel.: 0461 50 40 277
E-Mail: sgoetz@orion.de

III. General Information about Processing Data

1. The Scope of Processing Personal Data

We gather and use our users’ personal data only to the extent necessary for providing a functioning website as well as content and performance. The gathering and the use of our users’ personal data takes place regularly only with the user’s consent. There is only an exception to this when previous consent cannot be obtained for essential reasons and the processing of data is permitted by legal regulations.

2. Legal Basis for Processing Personal Data

Insofar as we can obtain the consent from the person concerned for the processing of personal data, Art. 6 paragraph. 1 lit. a from the EU General Data Protection Regulation (GDPR) serves as the legal basis for processing personal data.

Art. 6 paragraph. 1 lit. b GDPR serves as the legal basis for processing personal data of which the person concerned is the affected party that is required to fulfil a contract. This also applies to the processing that is required for the consummation of pre-contractual measures.

Art. 6 paragraph. 1 lit. c GDPR serves as the legal basis insofar as processing personal data is necessary for the fulfilment of a legal obligation that is subject to our company. Art. 6 paragraph. 1 lit. d GDPR serves as the legal basis in the event of essential interests of the person concerned or another natural person requiring the processing of personal data. Art. 6 paragraph. 1 lit. f GDPR serves as a legal basis for the processing when the processing is required to protect a legitimate interest of our company or a third party and the interests, civil rights and fundamental freedoms of the person concerned does not outweigh the aforementioned interest.

3. Deleting of Data and Storage Period

The personal data of the person concerned will be deleted or blocked as soon as it is no longer necessary for the purpose of its collection. Furthermore, storage can take place if it is provided by a European and national legislator in EU regulations, legislation or other requirements to which the person responsible is subject. Blocking or deleting data also takes place when a storage period, required by the mentioned norms, expires, unless it is necessary to store data for longer for a completion of a contract or a fulfilment of a contract.

IV. Communication via WhatsApp

1. Description and Scope of Data Processing

When using WhatsApp as a means of communication in the context of customer communication with the Wholesale department of Orion Versand GmbH & Co. KG, we process the following personal data:

Declaration of consent for the use of WhatsApp in customer communication and time of the declaration of consent

Telephone number

WhatsApp username and, if applicable, profile picture

Content of communication with the Wholesale department of Orion Versand GmbH & Co. KG, chat history and the time of communication

2. Legal Basis for Processing Data

The legal basis for the collection and processing of the data is your consent in accordance with Art. 6 paragraph. 1 lit. a GDPR.

3. The Purpose of Processing Data

The purpose of processing personal data is to process customer communication.

4. The Duration of Storage

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected.

The data will be deleted after 6 months at the latest.

5. Right of Revocation

If the processing of personal data takes place on the legal basis of previously granted consent, you have the right to withdraw your consent from Orion Versand GmbH & Co. KG at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent before the withdrawal.

To revoke you consent please email: wholesale@orion.de

Furthermore, you are, of course, free to deactivate the WhatsApp channel at any time.

6. Possibility of Objection and Removal

If applicable, the right to object if the legal basis is of valid interest.

V. Further Rights of the Affected Person

If your personal data is processed, you are the affected person according to the GDPR and these are the following rights that you have:

1. Right to Information

You have the right to demand a confirmation from the responsible party whether personal data that affects you will be processed by us.

If your personal data is being processed, you can demand disclosure about the following information:

  1. The purposes of processing personal data;
  2. The categories of personal data that will be processed;
  3. The recipient or categories from the recipient to whom your personal data has been or will be disclosed;
  4. The planned duration of the storage of your personal data or, if concrete information about this is not possible, the criteria used for determining the storage period;
  5. The existence of the right to rectification or erasure or your personal data, the right to restrict processing from the responsible party or a right to object to the processing;
  6. The existence of the right to complain to a supervisory authority;
  7. All available information about the origin of the data when the personal data is not collected from the affected person;
  8. The existence of automated decision-making including profiling according to Art. 22 paragraph. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved as well as the consequences and the intended effects of such a processing for the affected person.

You have the right to demand information about whether your personal data will be passed on to a third country or an international organisation. In this context, you can demand to be informed about suitable guarantees according to Art. 46 GDPR related to the transmission.

2. Right to Recrification

You have the right to have your personal data rectified and/or completed by the responsible party if this data is inaccurate or incomplete. The responsible party has to rectify the information immediately.

3. Right to Restriction of Processing

You can demand a restriction of the processing of your personal data under the following conditions:

  1. If you dispute the accuracy of your personal data for a period of time that enables the responsible party to check the accuracy of the personal data;
  2. The processing is unlawful and you do not want your personal data to be deleted and you request that your personal data is restricted;
  3. The responsible party no longer needs the personal data for the purpose of processing but you require the data for enforcing, exercising or defending a legal claim, or
  4. If you have entered an objection against the processing according Art. 21 paragraph. 1 GDPR and it is not yet certain whether the valid reasons from the responsible party outweigh your reasons.

If the processing of your personal data has been restricted, this data – with the exception of its storage – may only be processed with your consent or for enforcing, exercising or defending a legal claim or protection of rights from another natural or legal person or for reasons of important public interest of the Union or of a member state.

If the restriction of the processing is restricted according to the aforementioned conditions, you will be informed before the restriction has been lifted.

4. Right to Erasure

a) Obligatory deletion

You can demand that the responsible party deletes your personal data immediately and the responsible party must delete this data immediately if the following reasons apply:

  1. If your personal data is no longer needed for the purpose it was collected or processed.
  2. If you withdraw your consent to which the processing was based on according to Art. 6 paragraph. 1 lit. a or Art. 9 paragraph. 2 lit. a GDPR, and there is no other legal basis for processing the data.
  3. If you enter an objection against the processing according to Art. 21 paragraph. 1 GDPR and no overriding valid reasons exist for the processing or you enter an objection against the processing according to Art. 21 paragraph. 2 GDPR.
  4. If your personal data was processed unlawfully.
  5. If the deletion of your personal data is required for fulfilling a legal obligation according to European Union law or the right of the member states to which the responsible party is subject.
  6. If your personal data was collected in relation to offered information society services according to Art. 8 paragraph. 1 GDPR.

b) Information Given to Third Parties

If the responsible party has made your personal data public and they are obliged to delete the data according to Art. 17 paragraph. 1 GDPR, then they shall take appropriate measures taking account of the available technology and the cost of implementation, including those of a technical nature, in order to inform the responsible data processors, who process your personal data, that you, as the affected person, have demanded that all links to this personal data or from copies or replicas of this personal data be deleted.

c) Exceptions

The right to erasure does not apply if the processing is necessary for:

  1. Exercising the right of freedom of expression and information;
  2. Fulfilling a legal obligation that requires processing under the law of the Union or member states to which the responsible party is subject or for the performance of a task that is of public interest or in the exercise of official authority that is delegated to the responsible party;
  3. Reasons of public interest in the area of public health according to Art. 9 paragraph. 2 lit. h and i, as well as Art. 9 paragraph. 3 GDPR;
  4. Archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes according to Art. 89 paragraph. 1 GDPR, insofar as the law referred to in paragraph a) is likely to make the realisation of the aims of this processing impossible or seriously affect them, or
  5. Enforcement, exercise or defence of legal claims.

5. Right to Notification

If you have asserted your right to rectification, erasure or restriction of the processing of your data against the responsible party, then they are obliged to inform all the recipients, that have disclosed your personal data, about the rectification or erasure of the data or the restriction of the processing of the data, except when it proves to be impossible or involves disproportionate effort.

You have the right to be informed about the recipients by the responsible party.

6. Right to Data Portability

You have the right to receive your personal data, which you have given to the responsible party, in a structured, current and machine-readable format. Furthermore, you have the right to transfer this data to another responsible party without obstruction from the responsible party that has already received your personal data provided that

  1. The processing is based on consent according to Art. 6 paragraph. 1 lit. a GDPR or Art. 9 paragraph. 2 lit. a GDPR or based on a contract according to Art. 6 paragraph. 1 lit. b GDPR and
  2. The processing is done using automated procedures.

In exercising this right, you also have the right to ask one responsible party to transfer your personal data directly to another as far as this is technically possible. The rights and freedoms of others are not allowed to be affected.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task, that is of public interest or in the exercise of official authority that has been delegated to the responsible party.

7. Right to Object

You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data that takes place because of Art. 6 paragraph. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The responsible party no longer processes your personal data, except when they can provide compelling, worthy reasons for the processing that outweigh your interests, rights and freedoms or the processing is for the enforcement, exercise or defence of legal claims

If your personal data is processed to conduct direct advertising, you have the right to object at any time against the processing of your personal data for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to the processing for direct advertising purposes, then your personal data will no longer be processed for these purposes.

You have the possibility of exercising your right to object through automated procedures in the context of using services from the information society – regardless of the directive 2002/58/EG – where technical specifications are used.

8. Right to Object to the Data Protection Consent Declaration

You have the right to withdraw your data protection consent declaration at any time. Withdrawing your consent will not affect the lawfulness of the processing carried out on the basis of the consent up until the withdrawal.

9. Automatic Decision in an Individual Case Including Profiling

You have the right not to be subject to a decision based solely on an automated processing – including profiling – that will have legal effects or affects you significantly in a similar way. This does not apply when the decision is

  1. Necessary for the conclusion or fulfilment of a contract between you and the responsible party,
  2. Permissible on the grounds of legislation from the Union or member states to which the responsible party is subject, and that the legislation has suitable measures to safeguard your rights, freedoms and legitimate interests or
  3. With your explicit consent.

However, these decisions must not be based on specific categories of personal data according to Art. 9 paragraph. 1 GDPR, unless Art. 9 paragraph. 2 lit. a or g applies and suitable measures have been taken to protect your rights, freedoms and legitimate interests.

In regard to the cases mentioned in (1) and (3), the responsible party shall take suitable measures to safeguard your rights, freedoms and legitimate interests, where at least the right to obtain intervention of a person on the part of the responsible party to declare their own point of view and to hear an appeal of the decision.

10. Right to Complain to a Supervisory Authority

Regardless of other administrative or judicial relief, you have the right to complain to a supervisory authority especially in the member state of your place of residence, your place of work or the place of the alleged offence when you are of the opinion that the processing of your personal data violates the GDPR.

The supervisory authority, where the complaint was submitted, informs the claimant about the status and the results of the complaint including the possibility of judicial relief according to Art. 78 GDPR.

The responsible supervisory authority is ULD Schleswig-Holstein with its head office in Kiel, Germany.

VI. Data Security

We use the most modern security methods for data transfer: the latest version of the TLS protocol 1.3. Our certificate, that is based on a large 2048-bit key, has been signed by SHA256. Furthermore, we also provide Perfect Forward Secrecy, so that no conclusions from our secret key for partially compromised information are allowed. All the information (as well as the website’s address/URL) transferred this way is encrypted like this.

Furthermore, we have always implemented up-to-date technical and organisational measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access by third parties. Further information on data security when using WhatsApp can be found here: https://www.whatsapp.com/legal/channels-privacy-policy-eea?lang=en

Updated February 2024