The Creative Club Data Protection Policy

The requirements of the EU General Data Protection Regulation (hereafter the GDPR) apply throughout Europe. We would like to inform you about our company’s processing of personal data in accordance with this regulation (compare article 13 and 14 of the GDPR). If you have any questions or comments about this data protection policy, you can direct these to the email address provided in sections 2 and 3 at any time.

I. Overview

1. Scope of Application
2. Responsible Party
3. data protection agent
4. Data Security

II. Data Processing in Detail

1. General Information about Data Processing
2. Visit to Website/Application
3. Newsletter
4. Application
5. Customer Support
6. Order Processing
7. Tracking

III. Data Subject Rights

1. Right of Objection
2. Right to Information
3. Right of Rectification
4. Right to Deletion (“Right to Be Forgotten”)
5. Right to Restrict Processing
6. Right to Data Transferability
7. Right to Revoke Consent
8. Right to Complain

I. Overview

In this section of the data protection policy, you can find information about the scope of application, the party responsible for processing data, their data protection agent, and data security.

1. Scope of Application

Data processing within The Creative Club can be fundamentally split up into two categories: – All data necessary to carry out a contract with The Creative Club will be processed for the purposes of contractual fulfilment. If external service providers are involved in contractual implementation, e.g. logistics companies or payment service providers, your data will be passed on to these parties within the required scope. – When you visit our online presence, especially the The Creative Club online shop, various information is exchanged between your end device and our server. This may also include personal data. The information collected is used to optimise our website or display advertising in the browser on your end device among other purposes. This data protection policy applies to the following services: – Our online presence as available at stoffe.de, stoffen.net, myfabrics.co.uk, kankaita.com, tissus.net, telas.es, stofkiosken.dk, tecidos.com.pt, tyg.se, tkaniny.net, latka.cz, tessuti.com and The Creative Club.com. – Whenever one of our services (e.g. websites, subdomains, mobile applications, web services or connections to third party sites) refers to this data protection policy, regardless of how you use or view it. All of these services are referred to collectively as ‘services’.

2. Responsible Party

The person responsible for data processing – the person that decides the purposes and means of processing personal data – relating to these services is the The Creative Club Osterbrooksweg 35-45 22869 Schenefeld Deutschland Telefon: +49 40 609 459 10 E-Mail: info@thecreativeclub.com

3. data protection agent

You can contact our data protection agent as follows: Contact form: : https://www.dsextern.de/anfragen DS EXTERN GmbH Dipl.-Kfm. Marc Althaus Bredkamp 53a D-22589 Hamburg Deutschland

4. Data Security

In order to develop the measures required by article 32 of the GDPR and therefore achieve a reasonable level of protection, we have established an information security management system within our company.

II. Data Processing in Detail

In this section of the data protection policy, we will inform you in detail about the processing of personal data within the realms of our services. In order to provide a clearer overview, we have categorised this information according to certain functions within our services. During normal use of our services, various functions and therefore different processing methods may apply at the same time or one after another.

1. General Information about Data Processing

Unless otherwise specified, the following applies for all processing outlined below:

a. No Obligation to Provide

There is no contractual or statutory obligation to provide personal data. You are not obliged to submit any data.

b. Consequences of Non-Provision

If you do not provide required data (data labelled as required entries), the relevant service cannot be provided. Otherwise, non-provision shall result in our not being able to provide our services in the same form and to the same quality.

c. Consent

In various cases, you have the chance to grant us permission for further processing with regard to the processing outlined below (if preferred, for a certain portion of the data). In this case, we shall inform you separately regarding the granting of the relevant consent of all terms and the scope of the permission as well as of the purposes behind our data processing.

d. Transfer of Personal Data to Third Countries

When we transfer data to third countries, i.e. countries outside the European Union, the transfer shall always uphold statutory admissibility requirements. These admissibility requirements are regulated by articles 44-49 of the GDPR.

e. Hosting by External Service Providers

To a large extent, we process data under the involvement of hosting service providers that provide us with memory and processing capacity in their data centres and that also process personal data under our instruction and on our behalf. These service providers either process data exclusively within the EU or have guaranteed a reasonable level of data protection in accordance with the EU’s standard data protection clauses.

f. Transfer to State Authorities

We transfer personal data to state authorities (including law enforcement) if required in order to fulfil a legal obligation to which we are subject (legal grounds: article 6 paragraph 1 c) of the GDPR) or if required to exercise or defend legal claims (legal grounds: article 6 paragraph 1 f) of the GDPR).

g. Duration of Saving

We do not save your data for any longer than we need to for the relevant processing purposes. If data is no longer required for the fulfilment of contractual or statutory obligations, it is regularly deleted unless saving for a certain time period is required. Reasons for this may include:

• Fulfilling retention obligations relating to commercial and tax law
• Retaining evidence for legal disputes within the realms of statues of limitations

We are also able to retain your data for longer if you have granted your express permission to this end.

h. Data Categories

• Account data: Log-in/user name and password
• Key personal data: Title, gender, full name, date of birth
• Address data: House number and street and additional info, postal code, town/city, country
• Contact data: Telephone number(s), fax number(s), email address(es)
• Education data: Degree, university, duration
• Registration data: Information about the service for which you registered; time and technical information concerning registration, confirmation and log out; data provided by you upon registration
• Order data: Ordered products, prices, payment and delivery information
• Payment data: Account details, credit card details, information on other payment services such as PayPal
• Access data: Time and date of visit to our service; the page from which the accessing system visited our site; the use of visited pages; data for session identification (session ID); the following information about the accessing computer system: internet protocol address used (IP address), browser type and version, device type, operating system and similar technical information.
• Application data: CV, references, evidence documents, work samples, certificates, images

2. Visit to Website/Application

Here, we describe how we process your personal data when you visit our services. We would especially like to draw your attention to the fact that the transfer of access data to external content providers (see b.) is unavoidable due to the technical function of online information transfer.

a. Information on Processing

Data Categories

Intended purpose

Legal foundations

Legitimate interest if required

Duration of Saving

Access data

Establishing a connection, displaying the service’s content, discovering attacks on our site based on unusual activity, error diagnosis

Art. 6 Abs. 1 f) DSGVO

Proper function of services, security of data and business processes, preventing misuse, preventing damage caused by interference with information systems

14 days

b. Recipients of Personal Data

Recipient category

Affected data

Legal foundations of transfer

Legitimate interest if required

Service provider for hosting and application operation as well as external content providers that provide content (e.g. images, videos, embedded posts from social networks, advertising banners, fonts, update information) necessary to display the service

Access data

Order processing (article 28 of the GDPR)

Proper functioning of services, (accelerated) display of content

IT security service providers

Access data

Order processing (article 28 of the GDPR)

Preventing attacks that exploit weaknesses or gaps in security

3. Newsletter

Below, we describe what happens with your personal data in relation to a subscription to our newsletter:

a. Information on Processing

Data Categories

Intended purpose

Legal foundations

Legitimate interest if required

Duration of Saving

Email address

Verification of registration (double opt-in process), sending of newsletter

Art. 6 Abs. 1 Buchst. b) DSGVO

Duration of newsletter subscription

Key personal data

Personalising the newsletter

Article 6 paragraph 1 b) of the GDPR

Duration of newsletter subscription

Registration data

Traceability of newsletter subscription/confirmation/unsubscription

Article 6 paragraph 1 b) and f) of the GDPR

Evidence of successful newsletter subscription/confirmation/unsubscription

Duration of newsletter subscription

Newsletter user profile data

Designing the newsletter to suit individual interests

Art. 6 Abs. 1 Buchst. f) DSGVO

Improving our service, advertising purposes

Duration of newsletter subscription

b. Recipients of Personal Data

Recipient category

Affected data

Legal foundations of transfer

Legitimate interest if required

Service provider for sending newsletters

All data stated under a.

Order processing (article 28 of the GDPR)

4. Application

During an ongoing application process, we process your personal data in the following manner:

a. Information on Processing

Data Categories

Intended purpose

Legal foundations

Legitimate interest if required

Duration of Saving

Address, contact details

Identification, contact initiation, communication regarding contract initiation

Article 6 paragraph 1 b) of the GDPR

6 months

Key personal data

Identification, contact initiation, age check

Article 6 paragraph 1 b) of the GDPR

6 months

Application data

Applicant selection

Article 6 paragraph 1 b) of the GDPR

6 months

b. Recipients of Personal Data

Recipient category

Affected data

Legal foundations of transfer

Legitimate interest if required

Applicant management service providers

All data stated under a.

Order processing (article 28 of the GDPR)

5. Customer Support

Find out here how we process your personal data when you contact our customer service team:

a. Information on Processing

Data Categories

Intended purpose

Legal foundations

Legitimate interest if required

Duration of Saving

Key personal data, contact details, content of requests/complaints

Processing customer requests and user complaints

Article 6 ABS. 1 b), f)

Customer loyalty, improving our service

Processing the request

Education data

Setting up a student discount

Article 6 ABS. 1 b), f)

Duration of discount

b. Recipients of Personal Data

Recipient category

Affected data

Legal foundations of transfer

Legitimate interest if required

Contact management service providers

All data stated under a.

Order processing (article 28 of the GDPR)

6. Order Processing

The following outlines how we process your personal data when you place an order with us

a. Information on Processing

Data Categories

Intended purpose

Legal foundations

Legitimate interest if required

Duration of Saving

Key personal data, address data, contact details, order data, payment data

Processing the order

Article 6 ABS. 1 b), f)

10 years

Key personal data, address data, contact details, payment data

Setting up a user account if guest check-out not preferred

Article 6 paragraph 1 a)

At the user’s request upon deletion of the user account

b. Recipients of Personal Data

Recipient category

Affected data

Legal foundations of transfer

Legitimate interest if required

Service provider for hosting and application operation

Key personal data, address data, contact details, order data, payment data

Order processing (article 28 of the GDPR)

Payment service provider

Key personal data, payment data

Order processing (article 28 of the GDPR)

Shipping company

Key personal data, addresses, contact data

Order processing (article 28 of the GDPR)

7. Tracking

Below, we describe how your personal data is processed using tracking technologies to analyse and optimise our services as well as for promotional purposes. The description of the tracking process also includes information on how you can contest or prevent data processing. Please note that any “opt out” decision regarding processing is generally saved in the form of cookies. If you use our services via a new end device or a different browser, or if you delete the cookies saved to your browser, you will have to opt out again. These tracking processes only process personal data in pseudonymised form. No connection is made with a specific, identified natural entity, i.e. the data is not combined with information about the person behind the pseudonym.

a. Tracking to analyse and optimise our services and their use as well as measure the success of advertising campaigns and optimise the display of advertising

(1) Purposes of processing Analysing user behaviour using tracking lets us review the effectiveness of our services, optimise them and adapt them to suit user needs as well as rectify errors. Furthermore, it also facilitates the establishing of key values regarding the use of our services (reach, usage intensity, user behaviour) in a statistical manner – based on uniform standard processes, providing us with comparable values across the market. Tracking to measure the success of advertising campaigns serves to optimise our advertising in the future and let advertisers also suitably optimise their advertisements. Tracking to optimise the display of advertising intends to show users advertising to suit their interests, increasing the success of advertising and therefore advertising income.   (2) Legal foundations For services that explain the behaviour of affected parties on the internet and for the creation of user profiles, informed consent in the sense of the GDPR is required. (3) Individual tracking processes used

a. Information on Processing

Description of service

Function

Option to opt out

Data transfer outside the EU?

If necessary, adequacy decision (article 45 of the GDPR)

If necessary, suitable guarantees (article 46 of the GDPR)

Google Analytics

Web analysis

tools.google.com/dlpage/gaoptout?hl=de)

No

If you would like to opt out of interest-based advertising, you can also go to https://www.youronlinechoices.com, click on ‘Preference Management’ and follow the instructions to prevent the use of data for interest-based advertising by all or a selection of the service providers listed there. You will continue to receive non-interest-based advertising.

III. Data Subject Rights

1. Right of Objection

If we process your personal data to carry out direct advertising, you have the right to object to the processing of personal data affecting you for the purposes of such advertising at any time with effect for the future; this applies to profiling if this is used in relation to such direct advertising.

Based on grounds resulting from your unique situation, you also have the right to object to the processing of personal data affecting you taking place in accordance with article 6 paragraph 1 e) or f) of the GDPR at any time with effect for the future; this also applies to profiling supported by these provisions. You can exercise your right to object free of charge. You can reach us using the contact details provided under I.2.

2. Right to Information

You have the right to know whether we process personal data affecting you, what personal data this is, and other information in accordance with article 15 of the GDPR.

3. Right of Rectification

You have the right to demand that we correct incorrect personal data affecting you (article 16 of the GDPR). Taking the purpose of processing into account, you have the right to demand that incomplete personal data be completed – even in the form of a supplementary explanation.

4. Right to Deletion (“Right to Be Forgotten”)

You have the right to demand that we immediately delete all personal data affecting you immediately, insofar as one of the reasons in article 17 paragraph 1 of the GDPR applies and processing is not necessary for one of the purposes outlined in article 17 paragraph 3 of the GDPR.

5. Right to Restrict Processing

You have the right to demand the limitation of the processing of your personal data if one of the requirements outlined in article 18 paragraph 1 a) to d) of the GDPR applies.

6. Right to Data Transferability

You have the right to receive personal data affecting you as provided by you in a structured, standard machine-readable format. Furthermore, you have the right to transfer this data to another responsible authority without hindrance from us, or to have it transferred directly by us insofar as is technically possible. This should always be the case if data processing is based on consent or a contract and the data is processed automatically. This does not apply to data only received in paper form.

7. Right to Revoke Consent

If processing is based on consent issued by you, you have the right to revoke your consent at any time. The lawfulness of any processing up to the point of revocation shall remain unaffected.

8. Right to Complain

You have the right to complain to a supervisory body.