Version: 12 March 2019
1.1 The following data protection declaration applies to the use of the website shop-grail.com/uk and the services offered through it. This website is a service provided by the Grail Message Association, a Scottish charitable incorporated organisation (No. SC047716) registered at c/o the Grail Movement in the UK and Ireland, Suite F6 Flemington House, 110 Flemington Street, Glasgow, Scotland G21 4BF (UK administration office: Woodend Farm, Grindon Lane, Grindon, Stockton-on-Tees, England TS21 3HX), as the data controller within the meaning of the Data Protection Act 2018, implementing the EU General Data Protection Regulation (‘GDPR’).
1.2 Protecting your personal data is very important to us, especially with regard to the task of protecting personal rights while this information is being processed and used. The following section provides information regarding the collection of personal data associated with the use of our website. The phrase ‘personal data’ refers to all data that can be mapped to you personally, such as your name, address, e-mail addresses and user behaviour.
2. Automated data collection and processing by the browser
2.1 As is the case with any other website, our server automatically and temporarily collects data in the server log files. These server log files are transferred by the browser, unless you have deactivated this facility. If you wish to view our website, we shall collect the following data, which is technically necessary in order for us to be able to show you our website and guarantee stability and security [legal basis: Article 6, Section 1(f) of the GDPR]:
- IP address of the enquiring computer
- The client’s file request
- The HTTP response code
- The website from which you are visiting us (referrer URL)
- The time of the server request
- Browser type and version
- Operating system used by the enquiring computer
The server log files are not analysed in an individual-related manner. The service provider can never map this data to specific individuals. This data is not combined with other data sources, unless you give your consent for such a course of action [e.g. by signing up for the newsletter (refer to clause 3.2)].
2.2 We use the self-hosted Matomo analytics tool in order to be able to analyse and regularly improve the use of our website. The statistics obtained in this manner enable us to improve our offer and make it more interesting for you (the user). The legal basis for the use of Matomo is Article 6, Section 1(f) of the GDPR. Cookies (more information regarding this topic can be found in clause 5) are stored on your computer in order to facilitate this analysis. The responsible entity only uses its server in Germany to store the information that has been collected in such a manner. You can discontinue such analyses by deleting existing cookies and preventing cookies from being stored. However, we would like to point out that you may not be able to use this website to the fullest extent if you prevent cookies from being stored. You can prevent cookies from being stored by making the corresponding adjustment in your browser. You can prevent the use of Matomo by unticking the following option, which in turn activates the opt-out plug-in:
This website uses Matomo in conjunction with the ‘AnonymizeIP’ add-on. IP addresses are thus shortened before they are processed further. This ensures that they cannot be directly linked to specific individuals. The IP address that your browser transfers using Matomo is not combined with other data collected by us.
2.3 Google Maps
This website uses Google Maps. This enables us to directly display interactive maps within the website, which in turn makes it convenient for you to use the map function. The legal basis for the use of Google Maps is Article 6, section 1(f) of the GDPR. When you visit the website, Google realises that you have viewed the respective sub-page of our website. The data specified under clause 2.1 of this declaration is also transferred. This happens regardless of whether Google has provided a user account that you have used to log in, or whether no such user account exists. If you have logged on to Google, your data is directly correlated with your account. If you want to prevent such a correlation with your Google profile, you must log out before activating the button. Google stores your data in the form of usage profiles, and uses the same for purposes related to advertising, market research and/or the need-based configuration of its website. In particular, such an analysis takes place (even for users who have not logged in) in order to generate need-based advertisements, and in order to inform other users of the social network about your activities on our website. You have the right to object to the formation of these user profiles; you will have to contact Google in order to exercise this right. Further information regarding the purpose and extent of data collection and data processing by the plug-in provider can be obtained from the respective providers’ data protection declarations. They also provide you with further information regarding the rights that you have in this regard, and the adjustment options that you can use to protect your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA, and it has agreed to abide by the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
3. Collection and processing of voluntarily-disclosed data
3.1 General contact
If you provide us with personal data via e-mail, through our website or in any other manner (name, first name, e-mail address, address), this is generally done on a voluntary basis. This data is used to execute the contractual relationship, process your queries or orders, carry out in-house market or opinion research operations and send separate advertisements via post and e-mail. The data is not used in a further-reaching manner; in particular, it is not forwarded to third parties for the purposes of advertising and market or opinion research. The legal basis is Article 6, section 1(b) of the GDPR, or Article 6, section 1(f) of the GDPR.
3.2 Newsletter
We will need your e-mail address if you want to subscribe to our newsletter; you also have the option of voluntarily stating your name. Along with your e-mail address, the data that is automatically transferred by your browser (operating system, browser type and version, referrer URL and your IP address) is also collected and stored. This data is only used to communicate with you within the context of our newsletter. By subscribing to the newsletter, you accept the fact that we shall store the aforementioned data in order to be able to send the newsletter. We use the so-called ‘double-opt-in procedure’ in operations in which users sign up for our newsletter. After you sign up, we shall send an e-mail to the specified e-mail address. This e-mail will ask you to confirm that you wish to receive the newsletter. If you do not confirm your enrolment in 14 days, your information shall be deleted. We also save the IP addresses that you have used, along with information regarding the time of enrolment and confirmation. The goal of the procedure is to verify your enrolment and (if applicable) gain the ability to clarify any potential misuse of your personal data. The legal basis is Article 6, section 1(a) of the GDPR. You can always revoke your consent for the future. You can announce your revocation by changing the newsletter settings on our newsletter page.
4. Forwarding to third parties
4.1 If you have provided us with personal data, the said data is, as a matter of principle, not forwarded to third parties. This data is only forwarded:
– within the framework of consent given by you (cf. clause 3.2). When the data is collected, the recipients or categories of recipients shall be disclosed to you;
– to commissioned sub-contractors within the framework of the processing of your queries, your orders and the use of our services. These commissioned sub-contractors only receive the necessary data so that they will be able to carry out the task in question. They shall only use the said data for this specific purpose;
– to external service providers within the framework of order data processing (as per Article 28 of the GDPR). These external service providers are carefully selected and commissioned by us, bound by our instructions and the provisions of the GDPR, and monitored regularly;
– to entities that are entitled to receive information; this is done within the framework of the fulfilment of legal obligations.
4.2 This website uses social plug-ins. Social plug-ins are web applications that connect this website to selected social networks. However, these social plug-ins are not directly integrated into the system; they must first be activated with a separate click. Regardless of whether you actually click on the social plug-ins, a connection with the social network is only established after such an activation. This connection can be used to transfer your IP address and the user data of the respective social network to the social network in question. Details of the social plug-ins that have been used can be found in clause 6.
– Transient cookies (refer to 5.2)
– Persistent cookies (refer to 5.3).
5.2 Transient cookies are deleted automatically as soon as you close the browser. Session cookies belong to this type. They store a so-called session ID, which can be used to correlate various queries of your browser with the overall session. This makes it possible for your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
5.3 Persistent cookies are automatically deleted after a predefined period of time, which can vary depending on the cookie in question. You can always use your browser’s security settings to delete the cookies.
5.4 You can configure your browser settings based on your wishes. For example, you can refuse to accept third-party cookies or all cookies in general. We would like to point out that it might not be possible for you to use all the functions of this website.
6. Social Networks
6.1 Our website contains links to the Facebook, Twitter, YouTube, Google +, Tumblr and WordPress.com social networks. This situation only involves links, not social plugins. No data is transferred.
6.1 YouTube
We use the video service of YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (‘YouTube’) to display our videos. The legal basis is Article 6, section 1(f) of the GDPR. If YouTube videos are directly integrated into our website, YouTube directly transfers the contents of the respective embedded video to your browser. Your browser simultaneously sends certain pieces of data to YouTube. This happens regardless of whether or not you click on the video. We cannot influence the scope of the data that YouTube collects in this manner. As far as we know, such a scenario involves the following data (especially in order to show the embedded YouTube videos): the visited page of our website which contains the video, the data generally transferred by your browser (IP address, browser type and version, operating system, time), Google user IDs (in case of registered and logged-on YouTube or Google users). Certain browser add-ons can be used to hide embedded YouTube videos. In such a case, YouTube will not collect any data. If you have logged on to Google, your data is directly correlated with your account. If you want to prevent such a correlation with your YouTube profile, you must log out before activating the button. YouTube stores your data in the form of usage profiles, and uses the same for purposes related to advertising, market research and/or the need-based configuration of its website. In particular, such an analysis takes place (even for users who have not logged in) in order to generate need-based advertisements, and in order to inform other users of the social network about your activities on our website. You have the right to object to the formation of these user profiles; you will have to contact YouTube in order to exercise this right. Further information regarding the purpose and extent of data collection and data processing by YouTube can be found in the data protection declaration. It also provides you with further information regarding your rights and the adjustment options that you can use to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA, and it has agreed to abide by the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
7. Duration of storage
Your data shall only be used as long as such usage is necessary for the existing customer relationship, unless you have given us your consent, or we have a legitimate interest in further processing. In such cases, we shall continue to process your data until you revoke your consent, or until you object to our legitimate interests. Nevertheless, commercial-law-related and tax-law-related guidelines obligate us to store data pertaining to your address, payments and orders for a period of ten years.
8. Your rights
8.1 You have the following rights vis-a-vis us with regard to the personal data that pertains to you:
– right to information,
– right to correction or deletion,
– right to limitation of processing,
– right to object to processing,
– right to data transferability.
Please send your written request to the Grail Message Association, c/o the Grail Movement in the UK and Ireland, Suite F6 Flemington House, 110 Flemington Street, Glasgow, Scotland G21 4BF, or to the e-mail address below: firstname.lastname@example.org
8.2 You also have the right to complain to the Information Commissioner’s Office, as the UK data protection supervisory authority, about the manner in which we process your personal data.