We are delighted that you are interested in our company and our products. We take the protection of your personal data very seriously, treating your personal data confidentially in compliance with legal data protection regulations and this privacy statement. As a rule, our website can be utilised without requiring the disclosure of any personal data. We collect personal data solely if you contact us, e.g. using the contact form, by email or by phone.
We caution you that the transmission of data via the internet (e.g. in email communications) can be vulnerable to security breaches. Seamless protection of the data from third-party access is not possible.
A few words to start with:
- The simplest way to contact us regarding any privacy concerns is by sending an email to firstname.lastname@example.org.
- Your rights are described in detail below.
- The General Data Protection Regulation refers to the Regulation (EU) 2016/679, which entered into force on 25 May 2018.
- The legal regulations relating to privacy serve, as a rule, the protection of natural persons and not of legal persons. If you wish to assert rights for a legal person, however, do not hesitate to get in touch with us.
- Note that we are obligated to provide a comprehensive privacy statement that includes case constellations that will never, or only rarely, be relevant to our situation.
G. Koepcke & Co. GmbH
20097 Hamburg, Germany
Managing director: Jochen Weno, Torben Mons
Data protection officer: Kerstin Weno
Types of data that are processed:
– Master data (e.g. names, addresses)
– Contact data (e.g. email, phone numbers)
– Content data (e.g. entered texts, photos, videos)
– Usage data (e.g. accessed websites, interest in contents, access times)
– Meta/communication data (e.g. device information, IP addresses)
Categories of data subjects
Visitors to and users of the online service (in the following, we will also refer to the data subjects collectively as “users”).
Purpose of the processing
– Provision of the online service, its functions and content
– Answering contact queries and communications with users
– Security measures
– Reach measurements/marketing
“Personal data” are any information relating to an identified or identifiable natural person (hereinafter: “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any procedure or any series of procedures executed with respect to personal data, whether with or without the aid of automated processes. This is a far-reaching term and covers practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Important legal grounds
As required by Art. 13 GDPR, we describe to you below the legal grounds for our data processing.
In so far as the legal grounds are not specified in the privacy statement, the following principle applies. The legal ground for obtaining statements of consent is point (a) of Art. 6 (1) and Art. 7 GDPR; the legal ground for processing for the performance of our services and execution of contractual measures and response to queries is point (b) of Art. 6 (1) GDPR; the legal ground for processing for the compliance with our legal obligations is point (c) of Art. 6 (1) GDPR; and the legal ground for processing in the pursuit of our legitimate interests is point (f) of Art. 6 (1) GDPR. In the event that processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, point (d) of Art. 6 (1) GDPR is the legal ground.
In accordance with the requirements of Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such measures include in particular ensuring the ongoing confidentiality, integrity and availability of data by control of the physical access to the data as well as of the access relating to the data, their entry, transfer and the securing of their availability and of their separation. Moreover, we have implemented procedures that ensure the observance of the data subject’s rights, the erasure of data and response to any risks to the data. Furthermore, we take into account the protection of personal data during the development and selection of hardware, software and procedures in accordance with the principle of data protection by technical design and default settings that serve data protection (Art. 25 GDPR).
Cooperation with processors and third parties
In so far as we disclose data to other persons and companies (processors or third parties), transfer data to them or otherwise grant them access to data within the framework of our processing, this is done solely as permitted by law (e.g. when the transfer of data to third parties such as a payment service provider is necessary pursuant to point (b) of Art. 6 (1) GDPR for the performance of contractual obligations), when you have given your consent, if required by a legal obligation or in the pursuit of our legitimate interests (e.g. when using agents, web hosters etc.).
In so far as we commission third parties to process data on the basis of a so-called “processing contract”, we do so in compliance with Art. 28 GDPR.
Transfers to third countries
In so far as we disseminate data to a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or if data are disseminated within the framework of the utilisation of third-party services or disclosure or transfer of data to third parties, this takes place solely for the performance of our (pre-)contractual obligations, pursuant to your consent, in compliance with a legal obligation or in pursuit of our legitimate interests. To the extent permitted by law or contract, we process data, or have data processed, in a third country solely if the special conditions pursuant to Art. 44 et seqq. GDPR are complied with. This means that the processing takes place (for example) on the basis of special safeguards such as the officially recognised determination of a data protection level corresponding to that of the EU (e.g. as provided for the USA by the “Privacy Shield”) or compliance with officially recognised, special contractual obligations (so-called “standard contract clauses”).
Rights of the data subject
You have the right pursuant to Art. 15 GDPR to obtain confirmation as to whether personal data are being processed and to obtain information about these data and additional information and to receive a copy of these data.
Pursuant to Art. 16 GDPR, you have the right to request the completion of data concerning you or to request the rectification of inaccurate data concerning you.
Pursuant to Art. 17 GDPR, you have the right to request the erasure of data concerning you without undue delay or, alternatively, pursuant to Art. 18 GDPR, to request restriction of the processing of the data.
You have the right pursuant to Art. 20 GDPR to request that you receive the data concerning you that you have provided to us and to have the data transferred to another controller.
Moreover, you have the right pursuant to Art. 77 GDPR to lodge a complaint with a competent supervisory authority.
Right of withdrawal of consent
You have the right pursuant to Art. 7 (3) GDPR to withdraw your consent at any time, effective for the future.
Right to object
You may object at any time to the future processing of data concerning you pursuant to Art. 21 GDPR. In particular, you may object to processing for the purposes of direct advertising.
Cookies and right to object to direct advertising
“Cookies” are small files that are stored on users’ computers. Various types of information can be stored in the cookies. The primary purpose of a cookie is to store the information about a user (or about the device on which the cookie is stored) during or even after his or her visit to an online site.
Cookies that are erased when a user leaves an online site and closes his or her browser are known as temporary cookies or “session cookies” or “transient cookies”. A cookie of this type may, for instance, store the content of a shopping cart in an online shop or the login status of the user.
Cookies that remain stored even after the browser is closed are known as “permanent” or “persistent” cookies. For instance, login status may still be stored when users return to the site after several days. Similarly, users’ interests may be stored in this type of cookie and used to measure reach or for marketing purposes. “Third-party cookies” refer to cookies that are offered by providers other than the controller operating the online service (otherwise, when the cookies come only from the controller, they are known as “first-party cookies”).
We can use temporary and permanent cookies and explain this use in our privacy statement.
If users do not wish to allow the storage of cookies on their computers, they are requested to disable the appropriate option in the system settings of their browsers. Stored cookies can be erased in the browser’s system settings. The blocking of cookies may lead to restrictions in the functions of this online service.
Erasure of data
The data we have processed are erased or their processing is restricted pursuant to the provisions of Art. 17 and 18 GDPR. In so far as this privacy statement does not contain explicit information, the data stored with us are erased as soon as they are no longer necessary for the intended purpose and there are no legal retention obligations prohibiting their erasure. In so far as the data are not erased because they are necessary for other and lawful purposes, their processing is restricted. This means that the data are blocked and are not processed for other purposes. This applies, for example, to data that must be archived pursuant to commercial or tax law requirements.
According to statutory requirements in Germany, data are archived in particular for 10 years pursuant to Section 147 (1) AO [Tax Code], Section 257 (1) nos. 1 and 4, (4) HGB [Commercial Code] (ledgers, records, management reports, accounting vouchers, commercial ledgers, documents relevant for taxation purposes etc.) and for 6 years pursuant to Section 257 (1) nos. 2 and 3, (4) HGB (commercial letters).
Pursuant to statutory requirements in Austria, data are archived in particular for 7 years pursuant to Section 132 (1) BAO [Federal Tax Code] (accounting documents, vouchers/invoices, accounts, vouchers, business papers, statements of income and expenditures etc.), for 22 years for documents related to land and for 10 years for documents related to electronically performed services, telecommunications, radio and television services performed for non-entrepreneurs in EU member states and for which services of the Mini-OneStop-Shop (MOSS) are used.
Administration, financial accounting, office organisation, contact management
We process data within the framework of administrative tasks and the organisation of our business, financial accounting and compliance with legal obligations such as archiving. In doing so, we process the same data that we process within the framework of performance of our contractual services. The legal grounds for the processing are point (c) of Art. 6 (1) GDPR and point (f) of Art. 6 (1) GDPR.
Customers, potential clients, business partners and website visitors are affected by the processing. The purpose of, and our interest in, the processing are in the administration, financial accounting, office organisation and archiving of data (i.e. tasks that serve the continuation of our business activities, the conduct of our tasks and the performance of our services). The erasure of the data relating to contractual performance and contractual communication corresponds to the tasks stipulated for these processing activities.
In this respect, we disclose or transfer data to tax authorities, consultants (such as tax accountants or auditors) and to other billing offices and payment services providers.
Furthermore, we store information about suppliers, event organisers and other business partners (e.g. for the purpose of establishing contact at a later time) in the pursuit of our business interests.
We always store these data, most of which are related to companies, permanently.
When we are contacted (e.g. by contact form, email, phone or possibly via social media), the user’s data are processed for the purpose of handling and responding to the contact query pursuant to point (b) of Art. 6 (1) (within the framework of contractual/pre-contractual relationships) and point (f) of Art. 6 (1) GDPR (other queries). The user’s data may be stored in a customer relationship management system (“CRM system”) or comparable query organisation.
We erase the queries as soon as they are no longer necessary. We review the necessity every two years; in addition, legal retention obligations apply.
Prepared using the data protection generator of Dr Thomas Schwenke, lawyer
Last revised: 04/06/2018