Privacy Protection

(dated: 05/2018)


We hereby inform you about the processing of personal data when using our online presence. This online privacy policy also applies to our online presences, such as our websites at www.gizeh-online.de and/or www.gizeh-online.com or our social media profiles.

Personal data means all data which relate directly to you, for example, your name, address, e-mail address, IP address and user behaviour.

Regarding the terms of “processing”, “controller” and “data subject”, we refer to the definitions under art. 4 of the GDPR which state the following:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (art. 4(1) of the GDPR).

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4(2) of the GDPR).

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (art. 4(7) of the GDPR).

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (art. 4(8) of the GDPR).

In particular, “processing” and “personal data” are extremely broad terms, so they may include any type of data processing.

We are responsible for the processing of your data:

GIZEH Raucherbedarf GmbH
Managing Director: Christian Hinz (Vorsitzender | Chairman), Jörg Dißmann, Lars Oberndorf
Bunsenstr. 12
51647 Gummersbach
Tel.: +49 (0) 2261-4059-0
Fax: +49 (0) 2261-4059-305
E-mail: info@gizeh-online.de

You can contact our data protection officer at:
the above address (by letter) and by e-mail to mdb@complere.de.

If you visit our online presences (our websites or social media profiles) as a (potential) customer, supplier, service provider or other visitor, the processing of your personal data will be based on statutory provisions and/or this privacy policy. All visitors to our online presences are referred to as “User”.

If you access our online presences without registering or submitting information to us in any other way, we only process the personal data which your browser transfers to our servers. As far as we know, the data below, which are technically required for displaying our online presence and guaranteeing its stability and security, will be processed:

- IP address of the accessing computer;
- date and time of the request;
- the name and URL of the file accessed;
- access status/HTTP status code;
- volume of data transferred;
- website which made the request (referrer URL);
- browser used;
- operating system.

If you provide us with other personal data, such as when registering or making queries by e-mail and/or via our contact form, we process the below data, too:

- inventory data (e. g. name, address);
- contact data (e. g. e-mail address, phone number);
- content data (e.g. text entries, photographs, videos);
- usage data (e.g. visited websites, access times);
- communication/meta data (e.g. device information, IP addresses).

When visiting our online presence, we process your personal data for the below purposes:
- provision of online offer functions and contents;
- guaranteeing smooth establishment of connection to our website;
- ensuring the comfortable use of our website;
- system security/stability and general security measures evaluation and guarantee;
- responses to contact queries and/or your messages;
- further administrative purposes;
- customer service;
- marketing/advertising.

If we, under the scope of this privacy policy, indicate no special legal basis, processing of your personal data shall be subject to the following: Art. 6(1) point a and art. 7 of the GDPR is the legal basis of obtaining consents. Art. 6(1) point b of the GDPR is the legal basis of data processing to perform our services, implement (pre-)contractual measures and respond to queries. Art. 6(1) point c of the GDPR is the legal basis of data processing to fulfil legal obligations. Art. 6(1) point d of the GDPR is the legal basis if data processing is required for data subjects’ or other natural persons’ vital interests. The data processing to protect our legitimate interests takes place on the basis of art. 6(1) point f of the GDPR, whereby our legitimate interest results from the above data processing purposes.

If we disclose, transfer or grant third parties access to your personal data in any other way when processing them, we exclusively do so based on a statutory authorisation, your consent, a statutory obligation for us or our legitimate interest. Statutory authorisations exist if data transmission is required for fulfilling contract obligations (such as with payment or shipping service providers). Legitimate interests may exist if we use data for direct advertising or fraud prevention or if you are a client of ours, but it may also exist if we commission web or e-mail hosting, cloud or other service providers. Those service providers often act as processors based on a relevant contract. They are also obliged to comply with data protection law and to guarantee this based on a contract. Art. 28 of the GDPR is the legal basis of such controller relationships.
 

Unless the privacy policy provides otherwise, we regularly cooperate with the below recipients:
- shipping service providers;
- e-mail hosting service providers;
- web hosting service providers;
- banks; and
- newsletter service providers.

We select the external service providers carefully. In the case of order processing relationships (art. 28 of the GDPR), these enterprises are contractually bound to our instructions and are monitored by us regularly. For more information, please refer to the below descriptions of individual services.

The legal basis of transmitting your personal data is indicated under item 04 above.

Only in exceptional cases will your personal data be transferred to third countries (that is, outside the EU/EEA) or international organisations. For more information, please refer to the below descriptions of individual services.

If we ourselves process or have third parties process personal data in third countries, this is only for fulfilling our (pre-)contractual obligations or it is based on your consent, a legal obligation and/or our legitimate interest. Only if the special requirements under art. 44 et seq. of the GDPR are fulfilled will your personal data be processed in third countries, unless statutory or contractual consents apply in individual cases. This means that data processing is based on special guarantees, such as an official recognition of privacy levels corresponding to that of the EU (e.g. the “EU-US Privacy Shield” for the US) or under consideration of special recognised contract obligations (particularly those under the “EU Standard Contract Clauses”).

The duration of storage of your personal data is regularly measured against existing statutory storage periods (e.g. according to commercial or tax law). Unless otherwise stated, your personal data will be routinely erased after a possible relevant period has elapsed, if it is no longer required for contractual fulfilment or contract initiation, we no longer have a legitimate interest in further storage and/or you have not consented to further storage.

In Germany, special storage periods exist in the following areas amongst others:
- according to commercial law (6 years e.g. for opening balance sheets, annual financial statements, posting documents or similar)
- according to tax law (10 years for all tax law relevant documents)
- according to the General Equal Treatment Act (6 months for documents of rejected applicants)

You have the following rights towards us regarding the processing of your personal data:

- right of access
- right to rectification
- right to erasure
- right to the restriction of processing
- right to data portability
- right to object
- right to withdraw consent given
- right to lodge a complaint

The last three rights will be explained in more detail. If you have any questions, please feel free to contact us or our data protection officer whose contact data are indicated above under the section on the data controller and/or the data protection officer.

If we process your personal data based on legitimate interests in terms of art. 6(1) sent. 1 point f of the GDPR, you have the right to object to data processing at any time. This has the effect of us no longer having the right to process your personal data, unless we are able to demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or if processing serves the assertion, exercise or defence of legal claims.

However, the right to object only applies if there are reasons resulting from your special situation or if you object to direct marketing. In the latter case, you have a general right to object, which we will implement without indication of any particular situation.

If you want to exercise your right to object, it is sufficient to send a message to our postal address or an e-mail (see also item 01).

You may revoke your consent towards us at any time. This will have the consequence that we will no longer be allowed to continue the processing of your personal data which was based on this consent.

If you want to exercise your right to object, it is sufficient to send a message to our postal address or an e-mail (see also item 01).
 

With regard to us processing your personal data, you have the right to lodge a complaint with the data protection supervisory authority.

On the contact form or for support queries, you provide us with your personal data (such as names and (e-mail) addresses).
To some extent, provision of your personal data is legally required (such as based on tax law provisions), but it can also be required to perform (pre-)contractual measures. If your personal data are not provided, this means that the contract will not be concluded with you or that we cannot respond to your query.

For contract execution, (pre-)contractual measures implementation and/or communication purposes, the below data must be provided:

- first and family name
- address
- e-mail address
- telephone number (where applicable for questions or responses to customer queries)
- date of birth (where applicable in the context of our age verification system to check for the legal age)

Unless this privacy policy provides otherwise, data are provided on a voluntary basis.

Prior to providing your personal data, you may also refer to our data protection officer whose contact data are listed under item 02. We will individually inform you about whether the provision of the personal data is a statutory or contractual requirement or necessary to enter into the contract, whether there is any obligation to provide the personal data, and what the consequences of not providing such personal data would be.

There is no automated decision-making, including profiling.

You may contact us by letter, fax, phone or e-mail. For our contact data, please refer to the section on the data controller.

If you contact us by e-mail or via the contact form, we will automatically store personal data which you voluntarily provided to process your query and/or to contact you; personal data will not be disclosed to third parties.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the varying probabilities and severity of the risks for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (art. 32 of the GDPR). These measures include the protection of data confidentiality, integrity and availability. We have also established internal business processes to guarantee the protection of the data subjects’ rights, data erasure and reactions to data breaches, and we comply with data protection law principles, such as privacy by design and privacy by default (art. 25 of the GDPR).

For security reasons and for protecting the transmission of your personal data and other confidential contents, we use encrypted transmission on our website via SSL certificates. You recognise this by your browser address line stating “https://” (instead of “http://”), by the lock icon and another colour.
In the following we provide information on technologies and/or special processing steps used for our website.

If you contact us by e-mail or by using our contact form, the personal data provided by you will be retained automatically. Such personal data which you provided on a voluntary basis will be retained for processing your query and/or contacting purposes. Personal data will not be disclosed to third parties without your consent. The legal basis for the contact form use is the first sentence of art. 6(1) point f of the GDPR.

We use cookies on our websites. These are small text files which your browser stores and installs on your end device.
Transient (or temporary) cookies will be automatically deleted when closing the browser. These include, in particular, session cookies. Such cookies store certain IDs (“session IDs”) making it possible to recognise your end device when returning to our website. This way, it is possible to store the contents of virtual shopping carts from online shops or the log-on state. Session cookies will be deleted as soon as you log out or close your browser.

Persistent (permanent) cookies will be automatically deleted after a given period which differs depending on the cookie. This way, it is possible to store user information for penetration analyses and/or marketing purposes and log-on statuses for longer periods.

In the case of both temporary and permanent cookies, there is a difference between first-party and third-party cookies: the former are placed by the data controller, the latter by third-party providers.

You can delete cookies at any time by changing your browser security settings and also reject the acceptance of third-party cookies. If you want to generally object to cookies being used for online marketing purposes, you can do this for different services and/or providers, such as at www.aboutads.info/choices, a US website, or www.youronlinechoices.com, a European website. Please consider that this may lead to some functions on our website no longer being available to you.
On our website, we may use temporary, permanent, first-party and third-party cookies to identify you with subsequent visits if you have an account with us (otherwise, you would have to log on again for every visit). Under this privacy policy, you will be provided with additional information in this regard.

The legal basis for the cookie use is the first sentence of art. 6(1) point f of the GDPR.

You may subscribe to our newsletter for which you must grant your express consent. Our newsletter regularly informs you about our products, our company and/or special offers. For more details, please refer to the consent declaration.
After subscription to our newsletter, we will send an e-mail to the address given by you requesting you to click on the activation link which you received. If you fail to confirm subscription within 72 hours, your data will be blocked and automatically erased after three weeks. We also store your IP address, the time of subscription and, if applicable, the time of confirmation. This “double opt-in process” has the purpose of evidencing your subscription and, if applicable, clarifying possible misuse of your personal data.

We only need your email address for delivering our newsletter. Hence, this is the only information you must provide. More, separately marked data can be specified voluntarily and will only be used for personal address. Having received your confirmation, we process your email address and, if applicable, other voluntary data only to deliver and manage our newsletter.

The legal basis of managing and sending the newsletter as well as related success measuring is art. 6(1) sent. 1 point a and art. 7 of the GDPR in conjunction with sec. 7 para. 2 no. 3 of the German Act Against Unfair Competition [UWG] and/or it is based on statutory permissions acc. to sec. 7 para. 3 of the above Act. Subscription process logging will be based on our legitimate interest in, amongst other things, evidence production (art. 6(1) point f of the GDPR).

You can withdraw your consent to newsletter delivery at any time with future effect simply by clicking on the unsubscription link included in each newsletter or by sending an e-mail (see item 01).

The newsletter is delivered by a service provider. In our case, this is XQueue (provider: XQueue GmbH, Christian-Pleß-Str. 11-13, 63069 Offenbach a. M.). For the XQueue privacy policy, please refer to www.xqueue.de/datenschutz. If applicable, XQueue uses your data in a pseudonymised form to enhance their own services, such as technical delivery optimisation, mail contents display or statistical purposes. However, XQueue will not use your data to contact you or to transfer them to third parties. XQueue is a German newsletter service provider carefully selected in terms of GDPR and BDSG [German Data Protection Act] provisions. No personal data collected in connection with the newsletter service will be disclosed to third parties. XQueue is commissioned based on our legitimate interests in terms of art. 6(1) point f of the GDPR and a processing contract in terms of art. 28(3) sent. 1 of the GDPR.

When delivering our newsletter, we analyse your user behaviour. For this purpose, the newsletters include web beacons and/or tracking pixels (“one-pixel image files”) which are stored on our website and/or, if applicable, on the website of our newsletter service provider. They are retrieved from these websites whenever you open the newsletter, a process which includes the collection of technical information (about your browser or system), your IP address and the time of access.

The data are collected exclusively in pseudonymised form, i.e. they are not assigned to your other data and cannot be directly linked to a particular individual.

This information is used for technical service enhancement and, if applicable, offer customisation.
You may object to tracking at any time by clicking on the separate link provided in each e-mail or by sending us a separate e-mail. Information will be stored for as long as you are subscribed to the newsletter. After subscription, we store data only for statistical purposes and on an anonymised basis.

We also point out that tracking is impossible if your default e-mail programme settings deactivate the display of images. However, this means that our newsletter will not be completely displayed and you might not be able to use all the functions.

If you consented to receiving our newsletter, your consent is based on the below wording:

“I want to regularly receive information and offers from GIZEH Raucherbedarf GmbH by e-mail. My email address will only be used for sending the newsletter and not be disclosed to third parties. I may revoke my consent to email address use for advertising purposes at any time with future effect by clicking on the “Unsubscribe” link included in each newsletter”.

We have the below social media profiles to contact users who are active on these networks and to inform them about our services. When accessing any networks, the relevant operators’ general terms and conditions and privacy policies shall apply. Unless otherwise indicated in our privacy policy, we shall process the data of users only if they contact us via social networks, that is, if they write comments in our online presence or send us messages.
Our social media profiles:
- Facebook
- Youtube
- Instagram
- Pinterest