Privacy Policy

1 General remarks

Sammelkartenmarkt Limited & Co. KG collects, processes and uses your personal data in compliance with the strict German and European data protection regulations. Apart from certain particulars required to offer you our services, you may determine yourself which information to provide.

On our website we use, as far as possible, secure transmission technologies, e.g. SSL encryption. However, data transfer on the Internet, especially the communication via e-mail, may involve security gaps. A complete data protection against access of third parties is not possible.

By using the website www.cardmarket.com (hereafter: online platform), but at the latest when registering as a user, you grant your consent to the collection, processing and use of the entered personal data by the Sammelkartenmarkt Limited & Co. KG as responsible entity on their servers. Please note that the data transmitted by you as part of the use of the website are processed and saved by means of an EDP system. It is understood that we treat your personal data strictly confidentially.

Personal data, i.e. specific data about the personal or factual circumstances of a particular or identifiable natural person, are only collected as far as necessary for the performance of the contract and for the provision of contractual services. The collection of data is carried out exclusively to the extent provided by you.

The processing of personal data may consist in saving, changing, transmitting, blocking and deleting of these data. Any personal data are only saved by us as long as this is necessary for the respective specified purpose or we are obligated by law to save this information.

Already when visiting our website, your information may also be saved to the server when having access (e.g. date, time, pages visited). This data is not considered personal data, but they are anonymised, for example name of the Internet provider, type of Internet browser, pages visited on the website. These data are used for statistical purposes only and to improve our services. By accessing the site, data may also be saved on your computer. These data are called “cookies” and they facilitate the use of the website. However, you have the option to deactivate this function in your web browser. This may result in limitations when using our website.

The user’s personal data will not be transmitted to any third party. Exempt from this are only the service partners of the Sammelkartenmarkt Limited & Co. KG needed for the completion of the contractual relationship, e.g. providers of payment services (such as e.g. PayPal). In these cases, the provisions of the German Federal Data Protection Act (BDSG) will be strictly observed, the data transfer will be restricted to a minimum extent.

You shall be entitled to the right of withdrawal of the consent with effect for the future at all times and without limitations. The contact data for exercising the withdrawal may be found in the About us section of our website.

You have the right to information free of charge on your stored personal data as well as to the correction, deletion or blocking thereof, in as far as personal data are concerned for the purposes of the BDSG. In order to contact us, please use the contact data to be found in the About us section of our website.

2 Controller

Controller for the purposes of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act is

Sammelkartenmarkt Ltd. & Co. KG
Address
Nordkapstr. 4
10439 Berlin
Telephone
+49 30 34781236
E-Mail
contact@cardmarket.com

Represented by:

Sammelkartenmarkt Limited, 69 Great Hampton Street, Birmingham B18 6EW, Company Number 06245645, Company House, GB

Managing directors: Luis Torres, Dr. Matthias Knelangen, Dr. Marko Schädlich

Registration office
Amtsgericht Berlin-Charlottenburg
Registration number
HR A 39760
VAT identification number pursuant to art. 27a Value added tax act
DE256122758

Responsible for the content for the purposes of art. 55 (2) RStV (Interstate Broadcasting Treaty):

Dr. Matthias Knelangen
Nordkapstr. 4
10439 Berlin

3 Name and address of the data protection officer

The data protection officer of the controller is:

Marcel Mauritz
Nordkapstr. 4
10439 Berlin

E-Mail: privatepolicy@cardmarket.com

4 General information on data processing

  1. In general, the processing of personal data is only done to the extent necessary for the provision of a functional website including contents and services. Regular processing of data is only done upon consent of the data subject. As an exception, the processing of data is done without consent of the data subject if this is not possible for practical reasons and the processing of data is permitted by legal provisions.

  2. Art. 6 (1) point (a) GDPR serves as legal basis for the processing of personal data in so far as the consent of the data subject has been obtained for the processing of personal data.

    Art. 6 (1) point (b) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the performance of a contract to which the data subject is a contractual party. This also applies to processing necessary for the implementation of pre-contractual measures.

    Art. 6 (1) point (c) GDPR serves as legal basis for the processing of personal data insofar as the processing of personal data is necessary for the performance of a legal obligation to which the company is subject.

    Art. 6 (1) point (f) GDPR serves as legal basis for the processing of personal data insofar as this is necessary for the processing for the protection of a legitimate interest of the company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest.

  3. The personal data of the data subject will be deleted or blocked as soon as the purpose of the data storage is no longer applicable. Storage beyond this purpose can be done if this is required by relevant national or European regulations. Blocking or deleting of the data is also done when a retention period prescribed by the aforementioned regulations expires unless further storage of data is required for the conclusion or performance of a contract.

5 Use of the website

  1. With each visit to the website, the system automatically records data and information from the computer system of the calling computer.

    The following data are collected:

    1. IP address
    2. Time and date of the access
    3. Time zone difference with Greenwich Mean Time (GMT)
    4. Contents of the website
    5. Access status (HTTP status)
    6. Data volume transferred
    7. Web browser
    8. Browser language and version
    9. Operating system
    10. The website from which you entered this website

    The data are saved in the log files of the system. Storage of this data together with other personal user data does not take place.

  2. The legal basis for this is art. 6 (1) point f GDPR.

  3. The collection and temporary storage of the IP address is necessary to enable the presentation of the website on your device. For this, your IP address has to be saved for the duration of your visit of the website. An analysis of these data for marketing purposes does not take place.

  4. The data are deleted when the respective session is ended. If these data are saved in log files, this is done at the latest after seven days. Storage beyond this is possible. In this case, the users’ IP addresses are deleted or alienated so that they can no longer be assigned to the calling client.

  5. The collection of data for the availability of the website and the storage of data in log files for availability of the website are absolutely necessary. Therefore, there is no possibility of appeal.

6 Registration

  1. The website offers users to register by entering personal data. For this, the data is entered into an input mask, then transmitted and saved. A transfer to a third party does not take place. The following data is collected:

    1. Name (first name, surname)
    2. Home address (street, house number, postal code, country)
    3. E-mail address
    4. Time and date of the registration

    Commercial users are also required to enter the company name, the VAT ID and the phone number.

    During the registration process the user’s consent for the processing of these data is obtained with reference to the privacy policy.

  2. The legal basis for this, upon consent of the user, is art. 6 (1) point (a) GDPR. If the registration serves the performance of a contract to which the user is a contractual party or serves the implementation of pre-contractual measures, art. 6 (1) point (b) GDPR is an additional legal basis for the processing of data.

  3. The registration of the user is required to set up a customer account. It serves to identify the user and to perform the user contract via the service.

  4. The data will be deleted as soon as it is no longer required for the fulfilment of the purpose for which they were collected. This is the case during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations.

  5. Data subjects may modify at any time the user data in their user profile under www.cardmarket.com/Magic/MainPage/showMyAccount. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations.

7 Use of the online marketplace

  1. To use the online marketplace, inventory data (e.g. names and addresses as well as contact data of users, user names of authorised users) and contract data (e.g. services used, names of contact persons, payment information) are processed as well as the IP address and the time of the respective user intervention, the user ID and the accessed URLs. This data is stored in the log files of our system. Apart from that, data of third parties entered by the user are processed.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR. The consent is obtained upon conclusion of the contract.

    Additional legal basis for the processing of data is art. 6 (1) point (b) GDPR, as the processing of the specified data serves to perform a contract to which the user is a contractual party or to implement pre-contractual measures.

    Furthermore, processing is done to improve our services for the benefit of the analysis, optimisation and the economic operation of our website for the purposes of art. 6 (1) point (f) GDPR.

  3. Purpose of the processing

    1. of the inventory data (e.g. names and addresses as well as user contact data) and contract data (e.g. services used, names of contact persons, payment information) is the implementation of the contract as well as billing purposes.
    2. of user names and the entries of the respective users is to ensure the access authorisation of the service.
    3. of the IP address, time of the respective user intervention as well as the accessed URLs is done to optimise our services and to continually improve the user experience.
    4. of third party data entered by the user is the implementation of the contract and the provision of the contracted services.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the data collected during the registration process for the performance of a contract or the implementation of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after conclusion of the contract, it may be required to save personal data of the contractual partner to meet contractual or legal obligations (especially fiscal retention periods).

  5. Data subjects may modify or delete the saved data at any time. Where the data is required for the performance of a contract or the implementation of pre-contractual measures, an advance deleting of data is only possible in so far as the deletion is not barred by contractual or legal obligations. In particular, the notice periods of current contracts shall remain unaffected.

8 Comments function

  1. The website provides the possibility to commentate individual products. Using this function, the data entered into the input mask will be transmitted and saved there. These data are:

    1. Title and name (voluntary information)
    2. E-mail address
    3. Contents of the question

    Additionally the following data are recorded upon contact:

    1. IP address of the calling computer
    2. Time and date of the contact

    As soon as the question is published on the website, this is only done in an anonymised form. Otherwise, no data is passed on to a third party. The data are used exclusively for the processing of the conversation.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR. Otherwise, the legal basis for the processing of data is art. 6 (1) point (f) GDPR.

  3. The processing of personal data from the input mask only serves to answer the commentaries on the respective product. Our legitimate interest in the processing lies in the provision of useful product information for other users. Any other personal data processed during sending serve to prevent misuse of the question form and to ensure the security of the information technology systems.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the personal data from the question form when the question has been answered completely. The additional personal data collected during sending will be deleted at the latest after seven days.

  5. The data subject may at any time withdraw consent to the processing of personal data. You can object to the storage of personal data at any time. However, in such a case the asked questions cannot be answered. Any personal data saved during the question will be deleted in this case. Insofar as there is no personal traceability by posting a question or an answer, these will remain available with the respective product.

9 Use of data via application programming interface (API)

The use of the API using a permanent Access Token enables you to access your own inventory data as well as publicly available data such as trading card prices etc. Neither you nor other users have access to each other’s’ inventory data.

Commercial developers of apps and similar application programmes are provided with an App Key. Here too, no personal data or granting of access rights to such data will be passed on at first.

However, if you log in with your data (user name and password) via a third-party app, you grant this app a temporary access (read and write), limited to 24 hours, to your own inventory data.

We are not liable for possible damages or misuse arising from the use of such third-party apps. For the terms of use and data protection regulations of such third-party apps please refer directly to the app provider.

10 Contact via e-mail or contact form

  1. The website uses contact forms which may be used for electronic contact. If used, the data entered into the input mask are transmitted and saved there. These data are:

    1. E-mail address
    2. Contents of the contact

    Additionally, the following data is collected during contact:

    1. IP address of the calling computer
    2. Time and date of the contact

    A transfer to a third party does not take place in this context. The data will be used exclusively for processing the conversation.

  2. The legal basis for the processing of data upon consent of the user is art. 6 (1) point (a) GDPR.

    The legal basis for the processing of data transmitted when sending an e-mail is art. 6 (1) point (f) GDPR.

    If the e-mail contact is aimed at concluding or performing a contract, the additional legal basis for the processing is art. 6 (1) point (b) GDPR.

  3. The processing of personal data from the input mask only serves to process the contact. In case of a contact via e-mail, this shall also constitute the required legitimate interest in the processing of data. Any other personal data processed during sending serves to prevent misuse of the contact form and to ensure the security of the information technology systems.

  4. The data will be deleted as soon as they are no longer required for the fulfilment of the purpose for which they were collected. This is the case for the personal data from the input mask of the contact form and the data transmitted via e-mail when the respective conversation with the data subject has ended. The conversation is ended if the circumstances indicate that the respective issue has been resolved conclusively. The additional personal data collected during sending will be deleted at the latest after seven days.

  5. The data subject may at any time withdraw consent to the processing of personal data. In case of a contact via e-mail, you can object to the storage of personal data at any time. However, in such a case the conversation cannot be continued. In this case, any personal data saved during contact will be deleted.

11 Use of cookies

  1. The website uses cookies. Cookies are text files, which are saved in the web browser or by the web browser on the user’s computer system. This cookie contains a distinctive string of characters which enable the clear identification of the browser upon re-entering the website. Cookies cannot transmit viruses onto the device or execute programmes.

    Cookies help to make the website more user-friendly. Some elements of the website require the identification of the calling browser even after the page was changed.

    Transient cookies are deleted automatically when the session is closed. These include e.g. session cookies which save the so-called session ID and by means of which the different web inquiries can be allocated to the joint session. This allows for the device to be recognised in a new session.

    Persistent cookies are deleted automatically after a prescribed retention period, which may be different for each cookie. The corresponding settings may be deleted at any time in the settings of the web browser.

    Cookies save the following data:

    1. Log-in information

    2. Language settings

    3. Entered search terms

    4. Number of website calls

    5. Use of different function of the website

  2. The legal basis for this is art. 6 (1) point (f) GDPR.

  3. The purpose of the use of technically necessary cookies is to simplify the use of websites for the user. Some functions of the website cannot be offered without the use of cookies. For this, it is necessary that the browser be recognised after a change of page.

    The user data collected by technically necessary cookies are not used to create user profiles.

  4. Cookies are saved on the user’s computer and are transmitted from there to our website. Hence, you as user also have full control over how cookies are used. By changing the settings in your web browser, you can deactivate or limit the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

12 Google analytics

  1. The website uses “Google Analytics”, a web analytics service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google uses cookies, text files which are saved on your device and which enable an analysis of the website use. The information about the use of this website generated by the cookie are usually transmitted to a Google server in the USA and saved there. If an anonymisation of the IP address to be transmitted by the cookie is activated on the website by the extension “_anonymizeIp()” (hereafter referred to as: IP anonymisation”), the IP address will be shortened beforehand by Google within the member states of the European Union or other signatory states of the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on behalf of the controller to evaluate the website use, to compile reports about website use and to perform further services connected to website and Internet use. During this process, pseudonymous user profiles may be created from the processed data. The IP address transmitted using Google Analytics will not be merged with other Google data.

    The website uses Google Analytics only with the activated IP anonymisation as described above. This means that Google will process your IP address only in the shortened form. Therefore, a personal traceability can be excluded.

  2. The legal basis for the processing is the legitimate interest in the analysis, optimisation and the economic operation of the website for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Google Analytics in order to analyse the website use and to continually improve different functions and offers as well as the user experience. Using statistical analysis of the user behaviour, the offer can be improved and designed to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by Google.

  4. The storage of cookies generated by Google Analytics may be blocked by adjusting the corresponding settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website. If you wish to block the collection of data generated by the cookie and related to the user behaviour (including your IP address), you may download and install the web browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout.

    In order to oblige Google to process the transmitted data only as instructed and to comply with the data protection regulations, the controller has concluded a processing contract with Google.

    In the exceptional cases where personal data have been transmitted to the USA, Google has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Google is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

    Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Further information on data use by Google, on settings and appeal options as well as on privacy policy may be found on the following Google websites:

    1. User conditions:
      http://www.google.com/analytics/terms/
    2. Overview on privacy policy:
      http://www.google.com/intl/de/analytics/learn/privacy.html
    3. Privacy statement:
      https://www.google.com/intl/de/policies/privacy/
    4. Data use by Google upon your use of our partners’ websites or apps:
      https://www.google.com/intl/de/policies/privacy/partners/
    5. Data use for advertising purposes:
      https://www.google.com/policies/technologies/ads/
    6. Settings on personalised advertising by Google:
      http://www.google.de/settings/ads

    For an alternative to the browser add-on or for browsers on mobile devices, please click this link opt out, in order to block the future collecting by Google Analytics on this website. This will file an opt-out cookie on your device. If you delete your cookies, you have to click the link again.

    For users who visit our website from the People’s Republic of China (PRC), it is possible to use the services of Site Monitor of the provider Miaozhen Ltd, Beijing, PRC with servers in the PRC instead of Google Analytics for the same purpose and subject to the same restrictions. In order to deactivate Site Monitor, visit http://i.miaozhen.com.cookie_opt.html.

13 Bing Ads

  1. The website uses “Bings Ads”, an advertising service of “Microsoft” of Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”). In the process, Microsoft files a cookie on your device, provided that you have entered our website via a Microsoft Bing ad. Both Microsoft and controller are able to know that someone clicked on the ad, was redirected to our website and has reached a predetermined target page (conversion site). During this process, only the total number is recorded of users who have clicked on a Bing ad and were then redirected to the conversion site. Microsoft collects, processes and uses information via the cookie to create user profiles using pseudonyms.

  2. In this case, art. 6 (1) point (f) GDPR serves as legal basis.

  3. The use of Bing Ads serves to analyse user behaviour and to show advertisements. No personal information on the identity of the user is processed.

  4. If this is not desired, the required filing of cookies may be refused – e.g. by setting your browser to generally deactivate the automatic filing of cookies. Additionally, you may prevent the recording of data generated by the cookie and related to the use of the website as well as the processing of this data by Microsoft by objecting to the data use under the following link: http://choice.microsoft.com/opt-out. Find further information on data protection and on the used cookies at Microsoft and Bing Ads on the Microsoft website: https://privacy.microsoft.com/privacystatement.

    Consent may be withdrawn here: opt out. Please note that if you delete your cookies, this cookie will also be deleted automatically.

14 Facebook Pixel

  1. The website uses “Facebook Pixel” (hereafter referred to as: “Pixel”), an analysis programme of the social network “Facebook.com” of the Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (hereafter referred to as: “Facebook”) in order to track users’ behaviour after they have clicked on a Facebook ad. The recorded data is collected anonymously and serves analysis for market research purposes. Facebook can connect this data to an existing Facebook account and use it for their own advertising purposes according to the Facebook data use policy.

    The user can enable Facebook as well as their partners to place ads on and off Facebook. Furthermore, cookies may be saved to your computer for these purposes.

  2. The legal basis for the processing is the legitimate interest in the analysis, optimisation and economic operation of the website for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Pixel for marketing and optimisation purposes, particularly to place relevant and interesting ads, to improve reports on campaign performance or to avoid that the same ads are viewed several times. This is also the legitimate interest in the processing of the above data.

  4. The installation of cookies may be blocked by deleting existing cookies and deactivating the storage of cookies in the settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    Consent may be withdrawn here:

    https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

    Additionally, Facebook has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Facebook is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link:

    https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC

    Information of the third-party provider: Facebook Ireland Ltd. 4 Grand Canal Square , Grand Canal Harbour, Dublin 4, IRELAND, Fax: +0016505435325. Further information on data use by Facebook, on settings and appeal options as well as on privacy policy may be found on the following Facebook websites:

    https://www.facebook.com/about/privacy/

15 Facebook Connect

  1. The website uses „Facebook Connect“ (hereafter referred to as „Connect“), an analysis programme of the social network „Facebook.com“ of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (hereafter referred to as: „Facebook“) to enable a registration or login via Facebook rather than a direct registration on the website.

    By clicking Facebook Connect the user is redirected from Facebook to the website to register there or log in. The following data are transmitted via this link:

    1. Facebook name
    2. Facebook profile and cover photo
    3. Facebook cover photo
    4. E-mail address entered in Facebook
    5. Facebook ID
    6. Facebook friend list
    7. Facebook likes
    8. Date of birth
    9. Gender
    10. Country
    11. Language

  2. The legal basis for the processing is the performance of a contract for the purposes of art. 6 (1) point (b) GDPR

  3. The website uses Connect to set up, provide and personalise the user account. Personal data on the utilisation of the website (user data) are only collected, processed and used insofar as this is necessary for the facilitation or billing of the user’s utilisation of the service.

  4. The collected data will be deleted upon conclusion or termination of the contract. Legal retention periods shall remain unaffected.

16 Twitter Analytics

  1. The website uses “Twitter Analytics”, a web analysis service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (in the following short: “Twitter“). Twitter uses cookies, small text files which are saved on the device and which enable an analysis of the website use. The information generated by the cookie about the use of the website are generally transmitted to a Twitter server in the USA and saved there. Twitter uses this information to analyse on behalf of the controller the use of the website, to compile reports about website use and to provide further services related to the use of the website and the Internet. This may be used to create pseudonymous user profiles using the processed data. The IP address transmitted using Twitter Analytics will not be merged by with other data Twitter.

  2. The legal basis for the processing is the legitimate interest in the analysis, optimisation and economic operation of the website for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Twitter Analytics in order to analyse the website use and to continually improve different functions and offers as well as the user experience. Using statistical analysis of the user behaviour, the offer can be improved and designed to be more interesting for the user. Herein also lies the legitimate interest in the processing of the above data by Twitter.

  4. The storage of cookies generated by Twitter Analytics may be blocked by adjusting the corresponding settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    In order to oblige Twitter to process the transmitted data only as instructed and to comply with the data protection regulations, the controller has concluded a processing contract with Twitter.

    In the exceptional cases where personal data have been transmitted to the USA, Twitter has submitted to the Privacy Shield Agreement between the European Union and the USA and has been certified. Hence, Twitter is obliged to comply with the standards and regulations of the European Data Protection Law. Further information may be found under the following link: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO

    Further information on data us by Twitter, on settings and appeal options as well as on privacy policy may be found on the following Twitter websites:

    1. User conditions:
      https://twitter.com/de/tos#current

    2. Overview on privacy policy:
      https://twitter.com/privacy

17 Twitter Ads

  1. The website uses “Twitter Ads”, an advertising service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (in the following short: “Twitter”) in order to track users’ behaviour after they have viewed or clicked on a Twitter ad. The recorded data is collected anonymously and serves analysis for market research purposes. Twitter can connect this data to an existing Twitter account and use it for their own advertising purposes according to the Twitter data use policy.

    The user can enable Twitter as well as their partners to place ads on and off Twitter. Furthermore, cookies may be saved to your computer for these purposes.

  2. The legal basis for the processing is the legitimate interest in the analysis, optimisation and economic operation of the website for the purposes of art. 6 (1) point (f) GDPR.

  3. The website uses Twitter Ads for marketing and optimisation purposes, particularly to place relevant and interesting ads, to improve reports on campaign performance or to avoid that the same ads are viewed several times. This is also the legitimate interest in the processing of the above data.

  4. The installation of cookies may be blocked by deleting existing cookies and deactivating the storage of cookies in the settings of the web browser. Please note that in this case you may not be able to make full use of all features of the website.

    If users do not wish Twitter to allocate the data collected via the website directly to the Twitter account, users need to log out of Twitter before visiting our website. You can completely block loading the Twitter plugin using Add-ons, e.g. with the script blocker „NoScript“ (https://noscript.net/).

    Further information on data use by Twitter, on settings and appeal options as well as on privacy policy may be found on the following Twitter websites:

    1. User conditions:
      https://twitter.com/de/tos#current

    2. Overview on privacy policy:
      https://twitter.com/privacy

    3. Privacy statement:
      https://policies.google.com/privacy.

18 Reddit Conversion Tracking

On our website, the “Reddit Conversion Pixel” is used, an analysis service of the Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, United States. This tool files a cookie on your PC if you get to our website via a Reddit ad. This cookie does not serve any personal traceability. If you visit our website, it will be identifiable to us as well as to Reddit that you clicked on the corresponding ad and were redirected to our website.

Using the data obtained by conversion cookies, conversion statistics are compiled for us. This way, we will know the total number of users who responded to our ad and were redirected to one of our pages equipped with a Reddit pixel. During this procedure, we do not receive any information allowing us to identify you personally as user. If you oppose this tracking procedure, you may deactivate the storage of cookies via your Internet browser. If needed, use the help function of your browser for further information. Detailed information on Reddit’s privacy policy may be found at https://www.reddit.com/help/privacypolicy/.

Consent may be withdrawn here: opt out. Please note that if you delete your cookies, this cookie will also be deleted automatically.

19 Use of YouTube Plugins

Our website contains at least one YouTube plugin, property of Google Inc., based in San Bruno, California, USA. As soon as you visit one of our sites furnished with a YouTube plugin, a connection to the YouTube servers will be established. During this process, the YouTube server is told which specific page of our website you have visited. If you are logged in to your YouTube account, you will enable YouTube to allocate your surfing behaviour directly to your personal profile. You may block this possible allocation by logging out of your account beforehand. You will find further information on the collection and use of your data by YouTube in their privacy policy at: https://www.google.com/intl/de/policies/privacy/.

20 Use of Instagram Plugins

Our website uses among others the plugins of the social network Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA (“Instagram“). The Instagram plugin may be recognised by the “Instagram” button on our website. The plugins appear in the form of the Instagram logo, for example as an “Instagram camera”. An overview of the Instagram plugins and their looks may be found here:

http://blog.instagram.com/post/36222022872/introducing-instagram-badges

If you visit our website containing such a plugin, your browser will establish a direct connection to the Instagram servers. The contents of the Instagram plugin will be transmitted directly to your browser and will be integrated into the website. Thereby, Instagram receives the information that your browser has accessed the corresponding page of our website, even if you do not have an Instagram profile or are currently not logged in to Instagram. This information (including your IP address) will be transmitted directly from your browser to an Instagram server in the USA and saved there.

If you are logged in to Instagram, Instagram can allocate your visit to our website directly to your Instagram account. If you interact with the plugins, e.g. by pushing the “Instagram” button, this information will also be transmitted directly to the Instagram server and saved there. This information will also be published to your Instagram account and shown to your contacts.

Purpose and extent of the data collection and the further processing and use of the data by Instagram as well as your related rights and the settings available for the protection of your privacy may be found in Instagram’s privacy policy https://help.instagram.com/155833707900388/

If you do not wish Instagram to allocate the data collected via our website directly to your Instagram account, you need to log out of Instagram before visiting our website. You can completely block loading the Instagram plugin using add-ons, e.g. with the script blocker „NoScript“ (https://noscript.net/).

21 Google (Invisible) reCAPTCHA

  1. The website uses “Google reCAPTCHA”, a Turing test by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as: “Google”). Google checks whether the data entries on the website are made by a person or an automated programme. For this, user behaviour is analysed using different attributes. The analysis starts automatically upon entering the website. For the analysis, reCAPTCHA analyses various information (e.g. IP address, time spent on the website or mouse movements by the user). The data collected in the analysis are transmitted to Google.

    The reCAPTCHA analyses are running completely in the background. Website visitors are not notified that an analysis takes place.

  2. The legal basis for the processing is art. 6 (1) point f GDPR

  3. The controller has the legitimate interest that the website be protected against improper automated spying and SPAM.

  4. For further information on Google reCAPTCHA as well as on Google’s privacy policy go to the following links:

    1. https://www.google.com/intl/de/policies/privacy/

    2. https://www.google.com/recaptcha/intro/android.html

22 Encrypted data transfer

When logging in (“Login”) or establishing a contact all data is transmitted via an encrypted connection using SSL/TLS technology. The SSL certificate required for this, which has been installed on the server, has been issued by an independent organisation. An encrypted connection may be recognised by the change in the address bar of the browser from http:// to https://.

As soon as the encrypted SSL/TLS connection has been established, your entries transmitted to the shop can no longer be read by a third party.

23 Applicant data

As a rule, your data will be automatically deleted three months after the application procedure. In addition, you may request the deletion of your data at any time via e-mail to jobs@cardmarket.com. Please note, in this case, that you are withdrawing from all ongoing application procedures.

24 Rights of the data subject

If personal data is processed, the users are “data subjects” for the purposes of the GDPR and are entitled to the following rights towards the controller:

  1. Right of access

    The data subject may demand a confirmation from the controller on whether personal data is processed.

    If such a processing takes place, the following information may be requested from the controller:

    1. the purposes for which personal data are processed;
    2. the categories of personal data which are processed;
    3. the recipient or categories of recipients to whom the respective data have been disclosed or will be disclosed;
    4. the envisaged period for storing personal data or, if specific information is not available, the criteria used to determine that period;
    5. the existence of a right to rectification or deletion of personal data, of a right to restriction of processing by the controller or right of appeal against this processing;
    6. the existence of the right to lodge a complaint with a supervisory authority;
    7. any available information about the source of the data where personal data are not collected from the data subject;
    8. the existence of automated decision-making, including profiling, referred to in art. 22 (1; 4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data processing for the data subject.

    The data subject shall have the right to information about whether personal data are transmitted to a third country or an international organisation. In this context, the data subject may request information on the appropriate safeguards pursuant to art. 46 GDPR relating to the transmission.

  2. Right to rectification

    The data subject shall have the right to rectification and/or completion of data against the controller if the processed personal data are inaccurate or incomplete. The controller has to correct these data immediately.

  3. Right to restriction of processing

    The restriction of processing of personal data may be requested if one of the following conditions applies:

    1. the accuracy of the personal data is contested for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the deletion of personal data is opposed and the restriction of their use is requested instead;
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims, or
    4. the processing has been objected pursuant to art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

    Where the processing of personal data has been restricted, such data shall – with the exception of storage – only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    Where the restriction of the processing has been restricted under the above conditions, the data subject shall be informed by the controller before restriction is lifted.

  4. Right to deletion

    Obligation to deletion

    The data subject shall have the right to request from the controller the deletion of personal data without undue delay and the controller shall have the obligation to delete these data without undue delay where one of the following grounds apply:

    1. the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
    2. the consent is withdrawn on which the processing is based pursuant to point (a) art. 6 (1) or point (a) art. 9 (2) GDPR and where there is no other legal basis for the processing.
    3. the processing is objected to pursuant to art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the processing is objected to pursuant to art. 21 (2) GDPR.
    4. the personal data have been unlawfully processed.
    5. the personal data have to be deleted to comply with a legal obligation according to Union or Member State law to which the controller is subject.
    6. the personal data have been collected in relation to the offer of information society services referred to in art. 8 (1) GDPR.

    Information to third parties

    Where the controller has made the personal data public and is obliged pursuant to art. 17 (1) GDPR to delete these data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the deletion of any links to, or copies or replications of, those personal data.

    Exceptions

    The right to deletion shall not apply to the extent that processing is necessary

    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interests in the area of public health pursuant to points (h) and (i) of art. 9 (2) and art. 9 (3) GDPR;
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to art. 89 (1) GDPR in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
    5. for the establishment, the exercise or defence of legal claims.

  5. Right to notification

    Where a right to rectification, deletion or restriction of the processing is claimed against the controller, the controller shall be obliged to communicate this rectification or deletion of data or the restriction of the processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

    The data subject shall have the right against the controller to be informed about those recipients.

  6. Right to data portability

    The data subject shall have the right to receive the personal data provided to the controller in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    1. the processing is based on consent pursuant to point (a) of art. 6 (1) GDPR or point (a) art. 9 (2) GDPR or on a contract pursuant to point (b) art. 6 (1) GDPR and
    2. the processing is carried out by automated means.

    In exercising this right, the data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons shall remain unaffected by this.

    The right to data portability shall not apply for a processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  7. Right to object

    The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on point (e) or (f) art. 6 (1) GDPR; including profiling based on those provisions.

    The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

    Where processing for direct marketing purposes was objected to, the personal data shall no longer be processed for such purposes.

    The data subject shall have the possibility, in the context of the use of information society services – notwithstanding Directive 2002/58/EG – to exercise your right to object by automated means using technical specifications.

  8. Right to withdraw declaration of consent to the data protection law

    The data subject shall have the right to withdraw the declaration of consent to the data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing which has taken place based on the consent before its withdrawal.

  9. Automated individual decision-making, including profiling

    The data subject shall have the right not to be subject to a decision based on automated processing - including profiling – which produces legal effects concerning the data subject or similarly significantly affects them. This shall not apply if the decision:

    1. is necessary for entering into or performance of a contract between the data subject and the controller,
    2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms as well as legitimate interests, or
    3. is based on the data subject’s explicit consent.

    However, these decisions shall not be based on special categories of personal data referred to in art. 9 (1) GDPR, unless point (a) or (g) of art. 9 (2) apply and suitable measures to safeguard the rights and freedoms and legitimate interests are in place.

    In the cases referred to in points (1) and (3) the controller shall implement suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

  10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy all data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if it is considered that the processing of data infringes the GDPR.

    The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.

End of the Privacy Statement

Save/ print privacy statement as PDF

If you do not have a PDF reader installed to show or print the private policy, you can download the file for free e.g. under www. adobe.com.

cardPreview