The information in this Privacy Notice applies to the processing of personal data on or via our website and is intended to inform you in particular about the scope of processing, the purposes of processing, recipients, legal bases, retention periods and your rights. Personal data is any information relating to an identified or identifiable natural person, i.e. an individual (hereinafter also referred to as a ‘data subject’), including, for example, your name, address or email address. ‘Processing’ personal data means, in particular, the collection, storage, use and transmission of such data.

I. Name and Address of the data controller

The controller within the meaning of the General Data Protection Regulation (‘GDPR’) and other national data protection laws of EU Member States as well as other data protection regulations is:


KING Art GmbH 
Kleine Waagestraße 1
D-28195 Bremen
Germany

Tel. +49 (0) 421 322 76 0
Fax +49 (0) 421 322 76 20
Email: impressum@kingart-games.com 

II. Contact data of the data protection officer

You may contact our data protection officer as follows using the following contact details:


KING Art GmbH
Datenschutzbeauftragte
Kleine Waagestrasse 1
D-28195 Bremen
Email: datenschutz@kingart-games.com

III. General information data processing

1. Legal basis for the processing of personal data

In cases where we have obtained your consent to process personal data, Art. 6(1)(a) of the General Data Protection Regulation (‘GDPR’) serves as the legal basis for processing this personal data.

When processing personal data required for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis for such processing. This also applies to processing operations that are necessary in connection with pre-contractual activities.

In cases where it is necessary to process personal data in order to comply with a legal obligation to which we are subject, Art. 6(1)(c) GDPR serves as the legal basis for such processing.

If processing is necessary to protect a legitimate interest of ours or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh these interests, Art. 6(1)(f) GDPR serves as the legal basis for such processing.


2. Data deletion and storage time

Personal data of the data subject will be erased or blocked as soon as the purpose for which the data is stored ceases to apply. Furthermore, data may be retained for longer periods if this has been provided for by European or national legislative bodies in EU regulations, laws or other rules to which the controller is subject.

IV. Provision of the website and creation of log files

1. Description and extent of data processing
The following data is collected:

  • The IP address of the calling device, which is shortened in such a way that personal identification is no longer possible.
  • Browser type/browser version
  • Operating system in use
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request

This data is also stored in log files on our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

3. Purpose of data processing

The temporary retention of the IP address by the system is necessary to enable access to the website by the user’s device. To this end, the user’s IP address must be stored for the duration of the session. The data is stored in log files to ensure and improve the functionality of the website and for statistical analysis.

These purposes also include our legitimate interest in processing personal data.

4. Retention period

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collected to enable provision of the website, this will be undertaken once the respective session has ended.

Any data stored in log files will be erased within seven days at the latest. Retention beyond this period is nevertheless possible. In this case, the users’ IP addresses will be erased or modified, so that it is not possible to associate the IP address with the requesting client.

V. Essential Cookies

1. Description and extent of data processing

Cookies are small text files that are saved on the hard drive of your computer according to the web browser you use and that send certain information to the party who placed the cookie.

We use the following cookies that are necessary for the provision of our website (essential cookies):

We use so-called session cookies on our website. The purpose of these cookies is to identify your device during a visit to our website and to be able to determine the end of your visit. These cookies store a so-called session ID by means of which various requests from your browser can be assigned to a common session. This allows us to recognise your computer when you return to our website during a browser session.

When you visit our website, you can consent to the use of so-called tracking cookies via a so-called cookie banner (see section 6). If you click on ‘Accept’ on the cookie banner, a cookie with this information will be stored on your device (‘consent cookie’) so that the cookie banner will no longer be displayed on subsequent visits to our website.

If you have a user account and log in, you have the option to activate the ‘Remember login’ function. If you do so, a cookie will be set on your device that identifies you as logged in so that you do not have to log in again each time (‘login cookie’).

For security reasons, we also use a so-called XSRF token cookie, the purpose of which is to prevent cross-site request forgery attacks on our website.

In addition, Google Analytics sets cookies that are used for purposes of web analysis (see section 7).

2. Legal basis for data processing

The legal basis for setting essential cookies is Art. 6(1)(f) GDPR.

3. Purpose of data processing

Essential cookies enable the provision of our web pages and support the security of the operation of our website These purposes also include our legitimate interest in processing the relevant data.

4. Retention period, opportunity to opt out and deletion

The XSRF token session cookies are deleted two hours after you leave our site. The consent cookie and the login cookie are automatically deleted from your device after 24 months unless you delete them before that.

Cookies are stored on your device and transmitted by your device to our website. Accordingly, you have the option to deactivate, restrict or delete the transmission of cookies by changing your browser settings. If cookies are deactivated for our websites, you may no longer be able to use all functions of our website to their full extent.


VI. Web analysis by Google Analytics

1. Scope of data processing

We use the web analysis tool Google Analytics for purposes of tailoring the design of our website. Google Analytics creates usage profiles based on pseudonyms. Permanent cookies are stored on your device and read by us for this purpose. This permits us to recognise returning visitors and tally them as such.

2. Legal basis for processing personal data

Data processing is based on your consent in accordance with Art. 6(1)(a) GDPR provided that you have given your consent via our banner. The data transfer to a third country is based on Art. 49(1)(a) GDPR. 

3. Purpose of data processing

Processing users’ data via Google Analytics enables us to analyse the surfing behaviour of our users. We are able to compile information about the use of the individual elements of our website by evaluating collected data. This helps us to continuously improve our website and its user-friendliness. These purposes also include our legitimate interest in processing personal data. The interest of users in protecting their personal data is given due consideration through the anonymisation of IP addresses.

4. Retention period and opportunity to opt out

Cookies are stored on the user’s device and transmitted by it to our website. Therefore, as a user, you have full control of the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our websites, you may no longer be able to use all functions of our website to their full extent.

You may withdraw your consent to the data collection described above at any time with future effect by using the Google Analytics Opt-out Browser Add-on found at: http://tools.google.com/dlpage/gaoptout?hl=de.

You can also prevent Google Analytics from collecting this data by clicking on this [link]. This sets an opt-out cookie which prevents any future collection of your data when visiting this website. This opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.

Additional information about Google’s terms of use and Privacy Policy is available at:


5. Data recipients transfer to third countries

Google Ireland Limited and Google LLC. (USA) support us as processors according to Art. 28 GDPR. The data processing can therefore also take place outside the EU or EEA. With regard to Google LLC, no adequate level of data protection can be assumed due to the processing in the USA. There is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. Please take this into account if you decide to give your consent to the use of Google Analytics.

VII. Google reCAPTCHA

We use the Google reCaptcha service to determine whether a person or a computer is making specific entries in our contact form. Google uses the following data to determine whether you are a person or a computer: IP address of the device in use, the website of ours you are visiting and on which the Captcha is embedded, the date and duration of your visit, identification data for the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCaptcha surfaces as well as tasks in which you have to identify images. The legal basis for the data processing described above is Art. 6(1)(f) of the General Data Protection Regulation (weighing of interests, based on our interest in ensuring the security of our website).


VII. Google reCAPTCHA

We embed videos on our website that are not stored on our servers. Initially, we only display locally stored preview images of the videos in order to ensure that accessing our web pages with embedded videos does not automatically lead to downloading content from third-party provider YouTube/Google. This does not provide any information to the third-party provider.

Contents from the third-party provider are downloaded only after clicking on the preview image. This informs the third-party provider that you have accessed our site and they are provided technically required usage data in this context. We have no influence over subsequent data processing by the third-party provider. YouTube/Google is based in the United States. There is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. Please take this into account if you decide to give your consent to the use of YouTube. By clicking on the preview image, you are providing us consent to download content from the third-party provider.

Embedding is based on your consent in accordance with Art. 6(1)(a) GDPR provided that you have given your consent by clicking on the preview image. The data transfer to a third country is based on Art. 49(1)(a) GDPR. Please do not click on other preview images if you do not want similar downloads on other pages.


VIX. Contacting us by eail, contact form or phone

1. Description and scope of data processing

You can contact us via the email address provided on our website. In this case, the user’s personal data transmitted along with the email will be collected.

Our website also provides a contact form that you can use to send us support requests related to our products.

We collect the following details using this form:

  •  Email address
  •  Product
  •  Platform
  •  Preferred language

This is supplemented by any other data you include in your specific message.

You may also contact us via the telephone numbers we have provided. If you contact us by telephone, we usually collect all data you provide us in the form of conversation note, or data that is automatically transmitted with your call. This includes your name, your request and your telephone number.


2. Legal basis for data processing

The legal basis for processing data transferred in the course of contacting us by email, contact form or telephone is Art. 6(1)(f) GDPR. If the intent of contacting us is to enter into a contract or is within the scope of an existing contractual relationship, this creates an additional legal basis for its processing in accordance with Art. 6(1)(b) GDPR.


3. Purpose of data processing

We process personal data in such cases solely for the purpose of processing your enquiry. This likewise comprises the required legitimate interest in processing such data.


4. Rentention period

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data sent by email or contact form, or that is transmitted in the context of a telephone call, this is the case when the respective conversation with you has ended. The conversation has ended when it can be inferred from the circumstances that the matter at hand has been conclusively resolved.

If, in the course of communication, data is created that we are obliged to retain or store on the basis of tax, commercial or other regulations, it will only be deleted after the expiry of the respective legal retention or storage periods. The legal basis for storage in such cases is Art. 6(1)(c) GDPR.


X. Registration/customer account

1. Description and scope of data processing

We offer users the option to create a customer account on our website subject to the provision of personal data. In this context, data is entered via an input form, transmitted to us and stored. The following data is collected during the registration process:

  • First and last name
  • Email address
  • Country
  • Password

The following data is also stored at the time of registration:

  • The date and time of registration

Additional customer data is stored in the customer account, e.g. the user’s games, player tag and the order history. In addition, the customer has the option to store shipping addresses in the customer account. The customer can see which data is stored in the customer account in each case using the menu heading ‘Settings’ in their customer account and can also supplement, delete or modify the data using these settings.


2. Legal basis for data processing

The legal basis for processing data in this context is Art. 6(1)(b) GDPR.


3. Purpose of data processing

Personal data is processed in the context of opening and using the user account in order to provide the user with the corresponding features of the user account and thus facilitates performance of the corresponding agreement with the user.


4. Retention period

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is usually when the customer account is deleted with regard to data stored in the customer account. We will also delete customer accounts if they are inactive for a period of 12 months, i.e. if there has been no login during this period.

If data is created with regard to a customer account that we are obliged to retain or store on the basis of tax, commercial or other regulations, it will only be deleted after the expiry of the respective legal retention or storage periods. The legal basis for storage in such cases is Art. 6(1)(c) GDPR.


XI. Newsletter

1. Description, scope and purpose of data processing

You also have the option to subscribe to our newsletter when registering for a customer account. We will also use your email address and name to send you information and advertising about our games, promotions and events by email.


2. Legal basis for data processing

The legal basis for data processing in this context is your consent pursuant to Art. 6(1)(a) GDPR.


3. Retention period and withdrawal of your consent

You can choose to unsubscribe from our newsletter at any time and thus withdraw your consent, for example by using the corresponding settings in your customer account or using the corresponding links available at the end of each newsletter.

We will no longer use your data to send our newsletter if you withdraw your consent. However, we will store your email address and proof of your consent for a period of three years starting at the end of the year in which we last sent you our newsletter before you withdrew your consent, so that we can verify your consent in the event of a dispute. We will then delete this data unless we need it for other purposes listed in this Privacy Notice, for example because you still have a customer account with us.


XII. Orders in our online shop

1. Description and scope of data processing

When you place orders in our online shop, we collect the data that is apparent from the required form fields and the order itself, including:

  • Salutation
  • Contact person
  • Address
  • Email address
  • Subject and price of the order

2. Legal basis for data processing

The legal basis for processing this data is Art. 6(1)(b) and (f) GDPR.


3. Purpose of data processing

We use the data from the respective order for purposes of executing and invoicing the order. If you have a customer account, we also use the data to make your games and order history available to you. These purposes also include our legitimate interest in processing personal data.


4. Data sharing and collection by payment service providers

In order to perform the contract, we share your data with the shipping company we have commissioned to perform delivery to the extent necessary for the delivery of merchandise you have ordered.

The selected payment service providers collect required payment data themselves in the course of processing payments.  Accordingly, this is governed by the privacy notice of the respective payment service provider. External payment services have been integrated into our shop in such a way that a connection to the respective service provider’s servers is only created when you select the respective service as a means of payment during the ordering process.


5. Retention period and deletion

Data in your customer account, including your order history, will be stored by us until your customer account is deleted.

We use data from your orders for the execution and invoicing of your order outside of your customer account. After the execution, invoicing and payment of an order, we still store the data concerned as long as we are obliged to do so on the basis of applicable tax, commercial or other regulations. This data will be deleted only after the expiry of such periods. The legal basis for storage in such cases is Art. 6(1)(c) GDPR.


XIII. Categories of recipients of personal data

We make use of various service providers, including host providers and email providers, for the provision of our website, and contact options we offer. They process data stored by them exclusively on our behalf within the European Union as processors in accordance with Art. 28 GDPR.

XIV. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights in relation to the controller (if applicable, subject to satisfaction of additional requirements set out in the relevant regulations):

  • The right of access under Art. 15 GDPR
  • The right to rectification under Art. 16 GDPR
  • The right to erasure (‘right to be forgotten’) under Art. 17 GDPR
  • The right to restrict processing under Art. 18 GDPR
  • The right to notification under Art. 19 GDPR
  • The right to data portability under Art. 20 GDPR
  • The right to object under Art. 21 GDPR
  • The right not to be subject to automated decision-making under Art. 22 GDPR
  • The right to withdraw consent to the processing of personal data in accordance with Art. 7(3) GDPR

Please contact us using the contact details set out above if you wish to exercise any of these rights.

Notwithstanding any other administrative or judicial legal remedy, you also have the right to lodge a complaint with the competent supervisory authority if you are of the opinion that the processing of your personal data breaches the GDPR.