- General Notes
- Person responsible for data processing, contact details
- Processor used, hosting of the website
- Data collection on the website, purposes and legal basis
- Data collection during the processing of sales and other inquiries
- Data collection for the provision of carving lessons
- Categories of data recipients
- Note on third country transfer (USA and other third countries)
- Existence of automated decision making/profiling
- Your rights as a data subject
1 General Notes
I point out that data transmission on the Internet in general (e.g. communication by e-mail) may have security gaps. Complete protection of data against access by third parties is not possible.
2 Person responsible for data processing, contact details
Data processing on this website is carried out by me as the website operator.
Contact details of the responsible person:
3 Processor used, hosting of the website
The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, as well as website accesses and other data generated via a website.
The hoster is used for the purpose of fulfilling the contract with my potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of my online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). My hoster will only process your data to the extent necessary for the fulfillment of its service obligations and follow my instructions regarding this data.
Conclusion of a contract on commissioned processing:
In order to ensure data protection compliant processing, I have concluded a processing contract with my hoster.
4 Data collection on the website, purposes and legal basis
a) How is personal data collected from you?
Other data is automatically collected by the IT systems when visiting the website. This is mainly technical data (e.g. internet browser, operating system or time of page view). The collection of this data takes place automatically as soon as you use this website.
b) What do I use your data for?
Some of the data is collected to ensure functionally error-free provision of the website. Other data may be used to analyze your user behavior (see a little further below under "d) Log data").
c) Storage duration
d) Log data
Why is log data being collected?
On the basis of the log data, Strato on the one hand creates a statistical analysis, which I as the website operator can view and, if necessary, evaluate or archive.
In addition to the statistical analysis of my website, Strato also stores this data in order to optimize services and to be able to detect and defend against attacks.
The following log data is collected during this process:
- Website domain (www.rosenschnitzer.de)
To detect server attacks, Strato AG stores non-anonymized IP addresses, which are stored for a maximum of seven days. After that they are anonymized. However, for data protection reasons, for me as the website operator, these IP addresses are anonymized in the log file right from the beginning. An example: 123.456.789.001 becomes anon-123-456-165-41.invalid.
- Request line
This is the path of the target address without the domain. If you, as a visitor to my site, click on a picture on my website, for example, the URL "rosenschnitzer.de/bild.jpg" is behind it. The request line is then "/bild.jpg".
- Time stamp
Date and time of an access to the website
- Status code
Surely you have seen a 404 page before. This is displayed whenever a requested page or file cannot be found. 404 is the status code that tells you that the visitor tried to access a page that does not exist. The Internet Assigned Numbers Authority has defined a number of other status codes that are helpful for error analysis: 200, for example, means OK - so here the user was able to call up my page without errors.
- Size of the response body
When a website visitor goes to my site, he temporarily downloads data. This is, for example, the images and texts that he sees in his browser. The log file indicates how large this data is.
- Referer sent by the client
This field shows from which page the visitor of my website came.
- User agent sent by the client
For example, information about the type and version of the browser and the operating system used by the website visitor.
You can find a more detailed explanation (in German) here:
The data is processed on the basis of legitimate interest according to Art. 6 para. 1 lit. f GDPR and stored for a maximum of 6 months at Strato. Should I terminate my contract with Strato at some point, this service provider would delete the data within 2-4 months.
e) Cookies used on the website
Generally, no tracking cookies or the like are used on my website. Only functionally necessary cookies, such as session cookies (also called temporary cookies), could be set. Session cookies are something like the short-term memory of a browser. They are deleted after the browser is closed. The legal basis for this is the legitimate interest in providing a functional website within the meaning of Art. 6 (1) lit. f GDPR.
f) Social Media
Rather, I explicitly link to my Twitter account by providing the URL of my profile page there, just like this:
Twitter's Terms of Service (ToS) can be found here:
For more information about Twitter's privacy practices, please visit:
You can change Twitter's privacy settings in your Twitter account:
g) Note on SSL or TLS encryption of the website
5 Data collection during the processing of sales and other inquiries
a) Customer and contract data
The processing of this data is based on the legal basis of Art. 6 (1) lit. b GDPR, provided that your request is related to the performance of a contract or is necessary for the performance of pre-contractual measures. In all other cases, the processing is based on my legitimate interest in the effective processing of requests addressed to me (Art. 6 para. 1 lit. f GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR), if this consent was requested.
The data you send to me via contact requests will remain with me until you request me to delete it, you revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after processing your request has been completed). Mandatory legal provisions, in particular statutory retention periods (for example, under tax or commercial law), remain unaffected.
b) Payment services and shipping
The processing of sales usually takes place either via advance payment by bank transfer or via the payment service PayPal. PayPal is offered by the following payment service provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").
If you make a purchase from me, your payment data (e.g. name, payment amount, account details, credit card number) will be processed by me or my payment service provider for the purpose of payment processing. The same applies if you make a payment in advance by bank transfer via a credit institution.
If a sale takes place via PayPal, the respective contract and data protection provisions of the payment service provider apply to this transaction. The use of PayPal is based on Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing. Consent can be revoked at any time for the future.
Furthermore, when you purchase one of my workpieces, your data is transferred to a shipping company for the purpose of sending the purchased piece. In all cases, I strictly observe the legal requirements; the scope of data transmission is limited to a minimum (name, address for delivery). I pass on this data for the fulfillment of the concluded purchase contract (Art. 6 para. 1 lit. c GDPR).
Please also note my information about payment and shipping here.
c) Legal or contractual requirements for the provision of personal data, necessity for the conclusion of the contract, obligation to provide the personal data, possible consequences of non-provision
Please note that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner in the case of a sale). Sometimes it may be necessary for the conclusion of a contract that the customer provides me with personal data, which must subsequently be processed by me. For example, the data subject is obliged to provide me with personal data if he or she wishes to purchase a workpiece from me, thus concluding a purchase contract with me. Failure to provide the personal data would mean that the contract could not be concluded.
6 Data collection for the provision of carving lessons
- Email address
- If necessary, payment data, as far as payment does not occur in cash
- If the course is to take place after arrangement away from the participant, the address.
7 Categories of data recipients
The basis for data processing is Art. 6 (1) lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.
In this regard, tax and commercial law retention periods are taken into account by me (legal basis according to Art. 6 para. 1 lit. c GDPR). By order of the competent authorities, I must provide information about this data (inventory data) in individual cases, insofar as this is necessary for the purposes of criminal prosecution, to avert danger, to fulfill the statutory tasks of the constitutional protection authorities or the Military Counter-Intelligence Service or to enforce intellectual property rights.
8 Note on third country transfer (USA and other third countries)
My service provider and website hoster Strato AG uses subcontractors to provide the service to me. These subcontractors are also contractually bound to data protection in the sense of the GDPR in accordance with the order processing agreement concluded between me and Strato. The list of Strato subcontractors can be found on the website (in German language) here:
For Twitter as well as for PayPal, the data transfer to the USA is based on the standard contractual clauses of the EU Commission.
Details regarding Twitter can be found here:
Twitter's Terms of Service (ToS) can be found here:
For more information about Twitter's privacy practices, please visit:
9 Existence of automated decision making/profiling
Automated decision-making/profiling in the sense of Art. 22 GDPR does not take place.
10 Your rights as a data subject
If your personal data is processed, you are entitled to various rights as a data subject of this data processing according to the European General Data Protection Regulation (GDPR). These are briefly explained below.
a) Information, deletion and rectification
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact me at any time.
b) Right to restriction of processing
If you dispute the accuracy of your personal data stored by me, I usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data. If the processing of your personal data happened/is happening unlawfully, you can request the restriction of the data processing instead of the deletion. If I no longer need your personal data, but you wish to use it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of the deletion. If you have lodged an objection pursuant to Art. 21 para. 1 GDPR, a balancing of your and my interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.
c) Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
d) Revocation of your consent to the data processing
e) Right to object to data collection in special cases, direct marketing
If you object, I will no longer process your personal data unless I can demonstrate legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (objection under Article 21 para. 1 GDPR).
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. If you object due to direct advertising, I will no longer use your personal data for this purpose (objection according to Art. 21 para. 2 GDPR).
f) Right to lodge a complaint at the competent supervisory authority
The data protection supervisory authority responsible for my small business is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Version 1 – May 2021